Opening MSN through ISA server

Risks of MSN

  1. Unproductive time, due to chatting and meeting online.

  2. File sending and receiving, viruses can also be sent and received.

  3. Bandwidth can be utilized for unproductive activities.

Pros of having MSN enabled through the ISA server

  1. People in your organization can chat to other people at your branch offices for business purposes.

  2. If bandwidth is sufficient video conferencing on a peer to peer basis is possible.

  3. Using MSN on windows XP remote assistance is possible and can cut down on travel cost if used appropriately.

Something to keep in mind
Many people find that it is unnecessary to allow MSN through the ISA firewall or any firewall for that matter.  This is not to be ignored as there some substance to the concern.  MSN is on the whole very unproductive from my experienced but as with anything if there are no strict policies to manage the privilege it will fail miserably.  I am not completely against the use of MSN but heed a word of warning to those that are not aware of all the implications the technology has to offer. 

Please note that enabling MSN can compromise your network if the technology is used incorrectly, and measures such as antivirus are not in place to detect virus transmission.

Undiscovered bugs and problems may occur in the future and it is always a good idea to keep ISA as closed as possible.  Imagine ISA to be a brick wall that keeps intruders from looking and getting access to inside network resources.  Each time you open ISA up for an application to get out and then back in its like taking one or more bricks from your valuable wall that protects your network.  If you remove enough brick eventually your wall will be week and making it easier for people on the outside to get to the now not so protected inside.

As a word of advice do not only rely on ISA or any firewall as your only means of protection against hacker or any other malicious form of attack be it from external sources or internal sources.

The mere fact that the people that designed ISA have put a MSN messenger predefined protocol tell me that they knew that someone was going to try to use it through ISA and that they knew that it is as much of a risk as e-mail or any other application that can transmit files.

As with all new types of protocol definitions a protocol rule needs to be assigned to the definition before it can be activated. This is the first step in enabling MSN through your ISA server.

Creating your protocol rule

More Information
To configure Instant Messenger for sending messages:

Configuring the MSN Protocol Rule

1.    Under Access policy object in the ISA MMC Right click Protocol Rule, click New and then click Rule.

2.     Name the Protocol rule and then click Next.

3.    Click the Allow radio button, and then click Next>.

4.    In the apply this rule to drop down box, select Selected Protocols, then check the MSN Messenger check box, then click Next.

5.    This is a very important screen. In this screen you can specify when the users will have access to the MSN service; in some cases you might consider giving users access to MSN only after hours or only on weekends depending on the policy or what management allows. Select the appropriate schedule and then click Next.

6.    On this screen you can also limit the protocol rule to specific clients or groups of clients. If you have a kiosk setup near reception or in the common room or tea room, you may have a group of computers that you would like to give msn access to. To do this create client address sets with the static IP addresses of the machines within your kiosk environment.  For this example click Any Request and then click Next.

7.    Check your settings here and then click Finish.

After the protocol rule is successfully created a packet filter needs to be created so that MSN can pass through the ISA server.

Creating the packet filter for your MSN messenger

Create this packet filter to allow the MSN service through ISA.

1.    Under the IP Packet Filter object in the ISA MMC Right click IP Packet Filters, and then click New, then click Filter.

2.    Name the packet filter, and then click Next.


3.    Click Allow packet transmission, and then click Next.

4.    Under Use this filter: Click Custom, then click Next.

5.    Match the setting I have above and then click Next.

6.    Click Default IP addresses for each external interface on the ISA Servers computer, then click Next.

7.    Select All remote computers, then click Next.

8.    Check your setting, then click Finish.

Now test MSN through your ISA I normally restart the services just in case.


Opening MSN through your ISA can prove rewarding if managed correctly and if the users using the technology fully understand that I can potentially be dangerous to the network if it is used irresponsibly. It can be used for business purposes and have major benefits both for support and in offering the capability of being able to communicate with colleagues that are connected to the internet where ever they may be internationally. Make sure management agrees and fully understand the potential risks before opening such an application such as MSN to all your users. I do however believe that MSN is as dangerous as normal day to day corporate e-mail and has the same potential risks as the corporate e-mail system presents if not managed correctly.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top