IM Related

Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems

Moderator: Qbik Staff


Postby csneo » Jun 14 06 2:32 pm

Good day,

May I know how to block IM such as MSN Messenger, Skype, Yahoo Messenger, ICQ and G talk?

Can I create a policy to allow some users to use it and block some other users? How do I create this policy?

Thanks
csneo
 
Posts: 11
Joined: Jun 13 06 10:33 pm

Re: IM Related

Postby Nev » Jun 16 06 10:09 pm

csneo wrote:Good day,

May I know how to block IM such as MSN Messenger, Skype, Yahoo Messenger, ICQ and G talk?

Can I create a policy to allow some users to use it and block some other users? How do I create this policy?

Thanks


Hiya,

This can be very difficult.

One way could be to force the users to connect via WGIC and deny the application access via WinGate.

However I haven't tried it and others will assist more.
--
Nev.
Nev
WinGate Guru
 
Posts: 861
Joined: Sep 22 03 11:35 pm
Location: Mudgee ~ NSW ~ Australia

Postby jamesc » Jun 16 06 11:27 pm

Yes, can be challenging sometimes because when you block one connection method it can try another way; particularly Skype. Nev is right, the easiest way is to stop the application from running / deny network access via the WinGate Internet Client (WGIC).

*When I want to block an instant messaging program, I use the History tab of GateKeeper, the activity windows and a packet capture utility like Ethereal to see the DNS requests, and of course Google for other approaches.

So in the case of MSN Messenger:

1. When the WWW Proxy connection method is available, MSN Messenger will try to contact a resource called "gateway.dll" as seen in the history tab. To ban that resource through WinGate, you would create a policy in the WWW Proxy Service.

GateKeeper --> WWW Proxy Service --> Policies
Set the default Right to "Are Ignored" ref: http://forums.qbik.com/viewtopic.php?p=23285#23285

GateKeeper --> WWW Proxy Service --> Policies --> Add button
Recipient tab: Everyone, user may be unknown.
Advanced tab: Add Filter, Add Criterion.
This criterion is NOT met if HTTP Resource CONTAINS gateway.dll




2. When it uses NAT it can be blocked. Navigate to:

GateKeeper --> Extended Networking --> Port Security --> Select "LAN Connections to the Internet" from the drop down list, then add a new rule for TCP 1863.



3. You may want to turn on intercepts too so the LAN Clients cannot get a direct connection to port 80 on the internet (bypassing proxy); an explanation is available from: http://forums.qbik.com/viewtopic.php?p=23282#23282
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand
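
An added example, not part of the original posts and not WinGate code: a small Python check that applies the two MSN Messenger indicators from the post above (the "gateway.dll" HTTP resource and TCP port 1863) to connection records, to confirm which users still generate that traffic once the policies are in place. The record layout, host names, user names and the allow-list are constructed assumptions, not WinGate's log format.

```python
"""Flag MSN Messenger traffic using the two indicators named in the post.

Constructed, generic records; this is not WinGate's log format.
"""
from urllib.parse import urlsplit

MSN_HTTP_RESOURCE = "gateway.dll"   # HTTP resource named in the post
MSN_NAT_PORT = 1863                 # TCP port named in the post

# Hypothetical allow-list: users who are permitted to use IM.
ALLOWED_USERS = {"alice"}

# Constructed sample records: (user, kind, detail)
#   kind "http": detail is the URL requested through the proxy
#   kind "nat":  detail is (protocol, destination port)
SAMPLE = [
    ("alice", "http", "http://gw.example.test/gateway/gateway.dll?x=1"),
    ("bob",   "http", "http://gw.example.test/gateway/GATEWAY.DLL?x=2"),
    ("bob",   "http", "http://www.example.test/index.html"),
    ("carol", "nat",  ("tcp", 1863)),
    ("carol", "nat",  ("udp", 1863)),
    ("dave",  "nat",  ("tcp", 443)),
    ("erin",  "http", "http://www.example.test/search?q=gateway.dll"),
]

def is_msn(kind, detail):
    """Return the name of the matching indicator, or None."""
    if kind == "http":
        # Compare the URL path only, case-insensitively. This is stricter
        # than the CONTAINS criterion in the post: a query string that
        # merely mentions the name is not flagged.
        path = urlsplit(detail).path.lower()
        if path.endswith("/" + MSN_HTTP_RESOURCE):
            return "http-gateway"
    elif kind == "nat":
        proto, port = detail
        if proto == "tcp" and port == MSN_NAT_PORT:
            return "tcp-1863"
    return None

def violations(records, allowed=ALLOWED_USERS):
    """List (user, indicator) for IM traffic from users not on the allow-list."""
    out = []
    for user, kind, detail in records:
        hit = is_msn(kind, detail)
        if hit and user not in allowed:
            out.append((user, hit))
    return out

if __name__ == "__main__":
    for user, hit in violations(SAMPLE):
        print(f"{user}: {hit}")
```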

Postby jiandc » Jul 19 06 7:09 pm

One of the computers in our LAN uses NAT to connect to Yahoo at port 23. But I cannot block or disable port 23 because I am using this for another purpose. And even if I remove port 23, Yahoo msngr will just jump to another available port.

Is there any other way to solve this problem?

jian
jiandc
 
Posts: 85
Joined: May 11 04 12:47 am

Postby jiandc » Jul 19 06 7:28 pm

I have one computer in my LAN that uses NAT to access Yahoo msngr on port 23. I cannot disable or block port 23 because I am using this for some other purpose.

Is there any other way to solve this issue?

Jian
jiandc
 
Posts: 85
Joined: May 11 04 12:47 am

Postby jamesc » Jul 19 06 7:41 pm

That would be a matter of making a policy to block server port 23 for all your users, then create a second policy to allow your computer/user to connect to server port 23.

GateKeeper --> Extended Networking Service --> Policies.
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

Postby jiandc » Jul 19 06 10:50 pm

What I did is this....

GateKeeper --> Extended Networking Service --> Policies

Policy for Everyone Group set to MUST BE AUTHENTICATED.

This will still allow authenticated users to use IM but at least block those that do not have a WinGate login.

So far I see that WinGate is blocking the Yahoo connection but I hope this does not affect any other service like DNS or others...

jian...
jiandc
 
Posts: 85
Joined: May 11 04 12:47 am

Postby jamesc » Jul 19 06 11:02 pm

jiandc wrote:Policy for Everyone Group set to MUST BE AUTHENTICATED.

Please remember, NAT does not have an authentication mechanism; your clients will need to authenticate somehow before using NAT.
jamesc
Qbik Staff
 
Posts: 928
Joined: Apr 04 05 2:04 pm
Location: Auckland, New Zealand

