hello edadios,

thank you for your support.

I've tried this procedure but without success.

Regards,

Ilir

Collecting access logs, or packet capture may help to determine what the traffic looks like, and what can be done to block it.

I will otherwise have to do some test in the lab :-)

Hwllo Ilir,

I have tested in lab, and confirmed that the live messenger client still tries to go direct to the internet, bypassing the WSA, and using tcp port 1863. The proxy could not do anytyhing with that part, as that is not even being seen by the proxy.

So you can check your access logs on the WSA and if configured correctly, per the kb article, you will see the blocking logs, but the live messenger will still work, if it has some other way to connect to the server, bypassing the proxy.

This you will have to manage to block through your access-list/firewall.

I hope this helps you.

Regards,

Eric

Hello edadios,

I managed to block windows live messenger using an identity without authentication and I used only subnets as member definition criteria for this identity. Then I created a policy using this new identity and blocked messenger using aplication visibility.

This thing functioned.

I faced also before the issue that you mentioned before, the blocking logs but messenger still working..But now the blocking functions with this way.

Best regards,

Ilir

Hello edadios,

I have also one other question. I have to block teamviewer :).

I tried using the article in knowledgebase but without success, teamviewer still functions..

Best regards,

Ilir

Hi,

It seems everything on your network can go out to the internet directly. We recommend that anything web related should only be accessible through the proxy. If the request is not going through the proxy, rather bypassing it should be blocked.

As for blocking teamviewer, which artile did you refer to? To block TeamViewer, it is recommended that these primary servers are blocked through the proxy. The primary servers are usually in the format of 'http://master[#].teamviewer.com/', where '#' can be any number.

Blocking access to 'teamviewer.com' alone should prevent the TeamViewer application to work through the Cisco IronPort Web Security Appliance. Nevertheless the following IP Addresses should also be blocked to ensure that TeamViewer does not work through the Cisco IronPort Web Security Appliance.

#IP Addresses to block
70.38.37.232
85.214.118.112
85.214.138.185
85.25.146.182
93.189.33.205

Kind Regards

Jaki

Hello Everybody,

I'm facing again problem with Windows Live Messenger in one customer.

The strange thing is that on one computer it functions but on another computer it does not, even it is the same domain user logged on and both the computers are member of a domain. I have enabled authentication and used NTLM protocol for single sign on. The logs catched for the computer where Live Messenger behaves strange are as below:

1308319415.177 0 10.20.11.178 TCP_DENIED/407 1792 POST

http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll - NONE/- - OTHER-NONE-General-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> -

These logs for the other computer where Messenger functions are not present.

What I was doing before, when I noticed this issue is:

I was trying to sign in to MSN on a computer that it was not member of the domain and has only one domain user to use for proxy authentication. IE explorer was configured to use proxy.

Because I was simulating the situation where a guest person comes in the company and he wants to sign in to MSN, only having a gues domain user to use for proxy authentication.

Any idea or suggestion ?

BR,

Ilir

For the working user, what is the complete log when they do

"POST http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll"

The log you provided means this traffic is required to send authentication credentials.

If you are not seeing the same for the working one, maybe it is matchhing an identity in WSA configured to bypass authentication.

Regards,

Eric

Hello Eric,

Thanks for your reply first.

No, there is no identity without authentication and on both cases the traffic is machting the same identity. Here you can find: first the logs for the computer where the Live Messenger does not function and then for the other case.

1308659851.864 1251 10.20.11.107 TCP_CLIENT_REFRESH_MISS/200 4547 CONNECT tunnel://login.live.com:443/ "EAGLEMOBILE\guest01@eaglemobile" DIRECT/login.live.com - PASSTHRU_WBRS_7-Category_1-General-NONE-NONE-NONE-DefaultGroup -

1308659871.663 0 10.20.11.107 TCP_DENIED/407 1792 POST

http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll - NONE/- - OTHER-NONE-General-NONE-NONE-NONE-NONE <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-"> -

Second Case (where MSN functions):

1308659929.753 1309 10.20.11.30 TCP_CLIENT_REFRESH_MISS/200 22565 CONNECT tunnel://login.live.com:443/ "EAGLEMOBILE\ilva.kapxhiu@eaglemobile" DIRECT/login.live.com - PASSTHRU_WBRS_7-Category_1-General-NONE-NONE-NONE-DefaultGroup -

1308659950.467 638 10.20.11.30 TCP_CLIENT_REFRESH_MISS/200 6408 POST

http://gateway.messenger.hotmail.com/gateway/gateway.dll?Action=open&Server=NS&IP=messenger.hotmail.com

"EAGLEMOBILE\ilva.kapxhiu@eaglemobile" DIRECT/gateway.messenger.hotmail.com application/x-msn-messenger ALLOW_WBRS_11-Category_1-General-NONE-NONE-NONE-DefaultGroup -

1308659951.332 635 10.20.11.30 TCP_CLIENT_REFRESH_MISS/200 417 POST

http://64.4.61.220/gateway/gateway.dll?SessionID=15077606.565363245 "EAGLEMOBILE\ilva.kapxhiu@eaglemobile" DIRECT/64.4.61.220 text/plain DEFAULT_CASE_11-Category_1-General-NONE-NONE-NONE-DefaultGroup

It is tested with different user but both users are member of the same group and have the same access right in the domain.

BR,

Ilir

Hello Ilir,

This log means authentication is needed.

" 1308659871.663 0 10.20.11.107 TCP_DENIED/407 1792 POST

http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll - NONE/- - OTHER-NONE-General-NONE-NONE-NONE-NONE   <-,-,"-","-",-,-,-,"-","-",-,-,-,"-","-",-,"-","-",-,-,-,-,"-","-","-","-","-","-",0.00,0,-,"-","-">   - "

The link is http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll.

You  can see from the access logs the links the traffic is going through,  and they are different. That is to do with the application. Of course,  that is based on the logs you have provided. Unless there are logs you  did not include that can show the further picture of the issue.

Try to configure an authentication bypass for that site, and see if that makes it work for you.

http://tinyurl.com/4hgjkd

Regards,

Eric

Hello Eric,

I tried your suggestion and now I'm not seeing any TCP Denied but again I was not able to log in to MSN.

I created a decryption policy as suggested using the custom url because it is a HTTP Connect request on 443 port and it is again the same. The logs are as below:

TCP_CLIENT_REFRESH_MISS/200 20961 CONNECT tunnel://login.live.com:443/ - DIRECT/login.live.com - PASSTHRU_CUSTOMCAT_7-Authentication_Exemption-AuthExempt_Identity-NONE-NONE-NONE-DefaultGroup -

BR,

Ilir

Hello Ilir,

Originally on this thread, you were trying to block the messenger.

Are you sure, those settings you did to block messenger is removed? Since now, it seems you want to allow it again?

You said some user works, some don't. Is it to do with the account? Is it to do with the PC? Is it to do with the version of messenger?

So if you have a working pc with messenger, and use that same pc, to login with a different user that is failing, does that make the messenger fail? So try and do some elimination, so you can be certain where the issue may be, further.

Regards,

Eric

Yes, Eric

You are right . Maybe I have to do some eliminations.

I will try some other things.

Thank you for all your support and your disponibility.

BR

Ilir