Once logged in with your trial or permanent administrative username and password, enabling Instant Messaging (IM) filtering only requires a few straightforward steps:
Steps 1-2, "Filtering IM", must be performed to begin filtering IM traffic.
Step 3, "Securing IM Traffic", should be done for optimal security and filtering.
Step 4, "Operational Suggestions", is listed at the bottom.

Create user accounts, or use existing accounts that were already created when implementing other filtering services such as Email or Web. MXPath requires usernames extracted from user email addresses; see:
Important: IM usage concurrent with filtering cannot occur until users are affiliated with one or more corresponding IM services and "screen names." There are two approaches available: 1) the administrator can collect IM screen names from users and edit user account IM filter options, or 2) users can identify their own IM services and screen names. If IM traffic is secured at the firewall as recommended below, users will be forced to enter this information in order to use IM. See:
Edit User Filtering Options (administrator)
IM Screen Names (user)
Redirect IM traffic by re-configuring DNS lookups.
If you do NOT have your own DNS servers, change your Primary and Secondary name servers respectively to:
im-ns1.mxpath.net (primary)
im-ns2.mxpath.net (secondary)
Note: This change is typically made on a DHCP server, for example a Domain Controller, in the DHCP configuration. The IP address change propagates to DHCP users automatically and can be seen with an "ipconfig /all" command (Windows) and checked against the result of an "nslookup im-ns1.mxpath.net" or "nslookup im-ns2.mxpath.net" command. This change can also be made on Firewall/Router devices providing DHCP services to clients. These devices typically provide a web interface for configuring DHCP services. Ultimately, you may even configure individual machines; go to:
My Network Places → Properties → Local Area Connection → Properties → Internet Protocol (TCP/IP)
If you run and maintain your own DNS servers, you may re-direct IM traffic to the Enterprise IM Filter by adding the following Zones and CNAMEs on your internal DNS Server(s). If users are serviced by different DNS servers, it is possible to selectively provide IM filtering by re-configuring one DNS server, but not the other. Note that source IM traffic is re-mapped as follows, in general:
AOL → aim.global.mxpath.net
MSN → msn.global.mxpath.net
Yahoo → yahoo.global.mxpath.net
| Forward Lookup | CNAMEs |
|---|---|
| aimexpress.aol.com | aim.global.mxpath.net |
| login.oscar.aol.com | aim.global.mxpath.net |
| toc.oscar.aol.com | aim.global.mxpath.net |
| gateway.messenger.hotmail.com | msn.global.mxpath.net |
| msgr.hotmail.com | msn.global.mxpath.net |
| messenger.hotmail.com | msn.global.mxpath.net |
| msg.dcn.yahoo.com | yahoo.global.mxpath.net |
| msg.yahoo.com | yahoo.global.mxpath.net |
| scs.msg.yahoo.com | yahoo.global.mxpath.net |
| scs.yahoo.com | yahoo.global.mxpath.net |
| scsa.yahoo.com | yahoo.global.mxpath.net |
| scsb.yahoo.com | yahoo.global.mxpath.net |
| scsc.yahoo.com | yahoo.global.mxpath.net |
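One way to confirm that every zone in the table was actually redirected is to compare what each IM hostname resolves to against what its gateway resolves to. This is an added example, not part of the original MXPath documentation; the function names and the sample addresses (documentation ranges, not real MXPath IPs) are assumptions.

```python
import socket

# Hostname -> gateway pairs copied from the CNAME table above.
REDIRECTS = {
    "aimexpress.aol.com": "aim.global.mxpath.net",
    "login.oscar.aol.com": "aim.global.mxpath.net",
    "toc.oscar.aol.com": "aim.global.mxpath.net",
    "gateway.messenger.hotmail.com": "msn.global.mxpath.net",
    "msgr.hotmail.com": "msn.global.mxpath.net",
    "messenger.hotmail.com": "msn.global.mxpath.net",
    "msg.dcn.yahoo.com": "yahoo.global.mxpath.net",
    "msg.yahoo.com": "yahoo.global.mxpath.net",
    "scs.msg.yahoo.com": "yahoo.global.mxpath.net",
    "scs.yahoo.com": "yahoo.global.mxpath.net",
    "scsa.yahoo.com": "yahoo.global.mxpath.net",
    "scsb.yahoo.com": "yahoo.global.mxpath.net",
    "scsc.yahoo.com": "yahoo.global.mxpath.net",
}

def system_resolver(name):
    """IPv4 addresses the client's configured DNS servers return for name."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:  # NXDOMAIN, timeout, no network
        return set()

def check_redirects(resolve=system_resolver, redirects=REDIRECTS):
    """Map each IM hostname to 'redirected', 'bypass' or 'unresolved'."""
    gateways = {gw: resolve(gw) for gw in set(redirects.values())}
    status = {}
    for host, gw in redirects.items():
        addrs = resolve(host)
        if not addrs or not gateways[gw]:
            status[host] = "unresolved"  # cannot prove anything either way
        elif addrs <= gateways[gw]:
            status[host] = "redirected"  # same addresses as the filter gateway
        else:
            status[host] = "bypass"      # still answers with a non-filter address
    return status

# Constructed sample answers: every name is redirected to one placeholder
# address except scs.msg.yahoo.com, whose zone was missed on the DNS server.
SAMPLE_DNS = {name: {"192.0.2.10"} for pair in REDIRECTS.items() for name in pair}
SAMPLE_DNS["scs.msg.yahoo.com"] = {"198.51.100.7"}

if __name__ == "__main__":
    for host, state in check_redirects(lambda n: SAMPLE_DNS.get(n, set())).items():
        print(f"{state:11} {host}")
```

Calling `check_redirects()` with no arguments uses the machine's own resolver, so run it from a client workstation that receives its DNS servers from the reconfigured DHCP scope.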
At this point, you may want to notify users of the IM filtering solution, see:
Here is a complete list of supported IM clients that are known to work with the Enterprise IM Filter:
AIM for Windows - 5.2, 5.5, 5.9
AIM for Mac - 4.7
AIM for Linux - 1.5
MSN Messenger - 6.0, 7.5
MSN Messenger for Mac - 5.1
Yahoo Messenger for Windows - 5.6 - 7.0
Yahoo Messenger for Mac - 2.5
Yahoo Messenger for Linux - 1
While reports from users indicate that some other 3rd party products have been used successfully, support cannot be offered for these products.
Note: Yahoo recently released an updated version (8.1) of their IM client that is not currently supported by our IM services. We recommend that you delay upgrading to the new client until we add the new version to our supported client list. Windows Live Messenger 8.0 is also unsupported at this time. MSN Messenger 7.5 is the most recent supported version. Check MXPath for an updated compatibility list in a future "News" Article.

Incoming IM traffic should only be accepted from Enterprise IM Filter networks, as shown in this table:
| Subnet IP Range | Comments |
|---|---|
| 208.74.56.0/21 | Class C address, mask of 21 bits (255.255.248.0). This mask covers 208.74.56.0 through 208.74.63.255, representing inbound filtered traffic from Global Gateway Services subnets. Note that your firewall may require or accept different notations to denote the full range of allowed subnets. A more granular specification may be required on some firewalls, use what works best for your firewall: Subnet Range Notations: 208.74.56.0/21 or... Granular Subnet Notations: 208.74.56.0/24 |
Configure your firewall to only accept traffic from Enterprise IM Filter networks (above) for the following ports:
| Port to Secure | IM Service |
|---|---|
| 1863 | MSN |
| 1864 | MSN |
| 1865 | MSN |
| 5050 | Yahoo |
| 5051 | Yahoo |
| 5190 | AIM |
| 5191 | AIM |
| 5192 | AIM |
| 5291 | AIM |
| 5292 | AIM |
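To check that the firewall policy above is holding, the sketch below expands the /21 into per-/24 entries for firewalls that need the granular notation and scans connection logs for allowed IM-port flows whose remote peer is outside the Enterprise IM Filter range. It is an added example, not part of the original documentation; the key=value log format, field names and sample lines are constructed assumptions.

```python
import ipaddress

FILTER_NET = ipaddress.ip_network("208.74.56.0/21")  # range from the table above
IM_PORTS = {1863: "MSN", 1864: "MSN", 1865: "MSN", 5050: "Yahoo", 5051: "Yahoo",
            5190: "AIM", 5191: "AIM", 5192: "AIM", 5291: "AIM", 5292: "AIM"}

def granular_subnets(net=FILTER_NET, prefix=24):
    """Expand the /21 into per-/24 entries for firewalls that need them."""
    return [str(n) for n in net.subnets(new_prefix=prefix)]

def unfiltered_im_flows(log_lines):
    """Return (line_no, service, port, peer) for allowed IM flows whose
    IM-port endpoint lies outside the Enterprise IM Filter range."""
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        f = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        try:
            if f["action"] != "allow":
                continue
            ends = [(int(f["dpt"]), ipaddress.ip_address(f["dst"])),
                    (int(f["spt"]), ipaddress.ip_address(f["src"]))]
        except (KeyError, ValueError):
            continue  # not a flow record in the assumed format
        for port, peer in ends:
            if port in IM_PORTS:  # the IM port sits on the server side of the flow
                if peer not in FILTER_NET:
                    findings.append((line_no, IM_PORTS[port], port, str(peer)))
                break
    return findings

# Constructed log lines in an assumed key=value format (not a real product's log).
SAMPLE_LOG = [
    "action=allow proto=tcp src=10.0.0.21 spt=51514 dst=208.74.57.12 dpt=5190",
    "action=allow proto=tcp src=10.0.0.34 spt=49822 dst=198.51.100.25 dpt=1863",
    "action=deny proto=tcp src=10.0.0.34 spt=49830 dst=198.51.100.25 dpt=5050",
    "action=allow proto=tcp src=203.0.113.9 spt=5190 dst=10.0.0.21 dpt=50100",
    "action=allow proto=tcp src=10.0.0.8 spt=40000 dst=192.0.2.80 dpt=443",
]

if __name__ == "__main__":
    print("granular notation:", ", ".join(granular_subnets()))
    for finding in unfiltered_im_flows(SAMPLE_LOG):
        print("outside filter range:", finding)
```

Any finding means a rule still permits IM traffic that does not pass through the filter, in either direction, and should be tightened to the subnet range in the table.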

Once you have re-directed IM traffic to the Enterprise IM Filter, customize your IM filtering service by reviewing the following tasks:
Selecting IM Protocols to support, see:
Specifying user groups allowed to use IM, see:
Entering valid IM Screen Names for users, see:
Note: Filtered users may manage their own IM screen names from MXPath. Premier Hosted Office users may use the Webmail Client to manage their own IM service and screen names. See:
Enabling (or disabling) File Transfers and IM Archiving, see:
IM File Transfers and Archiving
Identifying an email address for Violations notification, see:
Set up a Disclaimer (notification) message displayed during IM sessions, that lets users know the IM filter is active, see:
Configuring specific words or phrases to filter, see:
Run monthly reports on traffic and blocking activity, see: