
Instant Messaging Security.cloud for public IM clients Deployment Guide

Documentation version: 2.7

Legal Notice

Copyright 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. Symantec Corporation, 350 Ellis Street, Mountain View, CA 94043, http://www.symantec.com. Clients are advised to seek specialist advice to ensure that they use the Symantec services in accordance with relevant legislation and regulations. Depending on jurisdiction, this may include (but is not limited to) data protection law, privacy law, telecommunications regulations, and employment law. In many jurisdictions, it is a requirement that users of the service are informed of or required to give consent to their email being monitored or intercepted for the purpose of receiving the security services that are offered by Symantec. Due to local legislation, some features that are described in this documentation are not available in some countries. Configuration of the Services remains your responsibility and entirely in your control. In certain countries it may be necessary to obtain the consent of individual personnel. Symantec advises you to always check local legislation prior to deploying a Symantec service. You should understand your company's requirements around electronic messaging policy and any regulatory obligations applicable to your industry and jurisdiction. Symantec can accept no liability for any civil or criminal liability that may be incurred by you as a result of the operation of the Service or the implementation of any advice that is provided hereto.
The documentation is provided "as is" and all express or implied conditions, representations, and warranties, including any implied warranty of merchantability, fitness for a particular purpose or non-infringement, are disclaimed, except to the extent that such disclaimers are held to be legally invalid. Symantec Corporation shall not be liable for incidental or consequential damages in connection with the furnishing, performance, or use of this documentation. The information that is contained in this documentation is subject to change without notice. Symantec may at its sole option vary these conditions of use by posting such revised terms to the Web site.

Technical Support

The Global Client Support Center (GCSC) seeks to provide a consistently high level of service. The team consists of technically-trained, client-focused individuals. They respond to your issue with the aim of resolving it within the first contact. To reduce the time it takes to resolve an issue, refer to the Help on raising support tickets before you contact the team. The Help explains the information that is required for the various types of support issue. We welcome comments and questions about our services. Contact GCSC using the following contact details:

Email us at: support.cloud@symantec.com

Call us on:
    EMEA: +44 (0) 870 850 3014 or +44 (0)1452 627766
    US: +1 (866) 807 6047
    Asia Pacific: +852 6902 1130
    Australia: 1 800 088 099
    New Zealand: 0800 449 233
    Hong Kong: 800 901 220
    Singapore: 800 120 4415
    Malaysia: 1 800 807 872
    South Korea: 00798 14 800 6906

Open a support ticket: Log into ClientNet and navigate to Support > Ticketing
Visit the Web site: www.symanteccloud.com
Visit the Online Help: Online Help

We recommend that you check ClientNet frequently for maintenance information and to learn what's new. You can also add your mobile number in the Administration > SMS Alerts section of ClientNet to receive critical service-related issues by text message. Contact and escalation details are available in the following PDF: Contact and Escalations document.

Contents

Technical Support ... 3

Chapter 1 Deploying Instant Messaging Security ... 7
    About deploying Instant Messaging Security ... 7
    What you need to deploy Instant Messaging Security ... 8
    Initial configuration in ClientNet ... 9
    Firewall Block Rules ... 9
    Firewall Allow Rules ... 10
    Delegate resolution of public IM network hosts ... 11
    Configuring Windows 2003 DNS to forward IM networks ... 11
    Windows 2008 DNS Configuration ... 12
    Bind configuration ... 13
    Install a Public IM Client on a Windows Test Computer ... 17
    Test your Instant Messaging Security Configuration ... 18
    Further Help on How to Configure Instant Messaging Security ... 19

Appendix A Appendix ... 21
    Tips and Troubleshooting ... 21
    Public IM Hosts - Resolved by Global Client Support Center ... 22
    Instant Messaging Security Datacenters ... 24
    Outbound Ports ... 24

Chapter 1 Deploying Instant Messaging Security

This chapter includes the following topics:

- About deploying Instant Messaging Security
- What you need to deploy Instant Messaging Security
- Initial configuration in ClientNet
- Firewall Block Rules
- Firewall Allow Rules
- Delegate resolution of public IM network hosts
- Configuring Windows 2003 DNS to forward IM networks
- Windows 2008 DNS Configuration
- Bind configuration
- Install a Public IM Client on a Windows Test Computer
- Test your Instant Messaging Security Configuration
- Further Help on How to Configure Instant Messaging Security

About deploying Instant Messaging Security


Instant Messaging Security helps organizations to use compatible public IM clients more safely by providing Anti-Malware, URL-filtering, IM Content Control, and transcript logging.

Instant Messaging Security is a hosted service that processes your IM traffic at the Internet level, so no hardware needs to be installed at your site. IM conversations going to or coming from your organization pass through our datacenters, where they are:

- Checked for any links that lead to Web sites known to be infected with viruses or spyware
- Comprehensively scanned for known and unknown viruses
- Matched against your IM Content Control rules

Conversations that are deemed to be malicious or suspicious, or that violate your policies, are automatically blocked. All other messages proceed to the intended recipient's IM client with no noticeable delay. Notifications and block messages are configurable to your requirements. Every message can be logged on our secure infrastructure, and reports can be downloaded from the service management portal, ClientNet. See What you need to deploy Instant Messaging Security on page 8.

What you need to deploy Instant Messaging Security


Before you begin setting up Instant Messaging Security, have the necessary information available. You need information about your organization's infrastructure and information from Symantec.cloud. You need the following information on your organization's firewall and other systems:

- Administrative access credentials for your office firewall
- Administrative access credentials for your office Domain Name Server
- The public IP addresses for your office locations from which your users will access Instant Messaging Security
- Administrative credentials for a Windows computer that you will use to test your Instant Messaging Security configuration
- An IM account on a supported IM network such as Windows Live Messenger, Yahoo Messenger, or AOL Instant Messenger

You also need the following information:

- Administrative access credentials for ClientNet. The Global Provisioning team provides you with these credentials. If you are an existing customer of our hosted services, your existing credentials remain the same. You can see the option IM Security Services under the Configuration tab.
- The public IP address range of our proxy servers that you will allow through your firewall. See Firewall Allow Rules on page 10.
- The hostname of the Instant Messaging Security proxy service appropriate for your region:
    For North America: primary.us.imsecurityservice.com
    For Europe and Asia: primary.eu.imsecurityservice.com
- A list of the currently supported public IM clients. See Install a Public IM Client on a Windows Test Computer on page 17.
- A list of third-party hostnames that Instant Messaging Security will resolve. See Public IM Hosts - Resolved by Global Client Support Center on page 22.

Initial configuration in ClientNet


The first step in deploying Instant Messaging Security is to authorize access to the service from your office locations.

To authorize access from an office location:

1 Open ClientNet in a Web browser.
2 Log on using your administrator credentials. If you have an existing ClientNet account, your credentials remain the same. If you are a new client, you receive logon credentials from our Global Provisioning team.
3 Select Configuration > IM Security Services > Setup.
4 Under IM Routes, enter the start IP and end IP for the range for your office network.

Repeat the procedure for each office location.

Firewall Block Rules


Set up your firewall to block third-party IM clients from connecting directly to public IM networks. Your users are only able to access the IM networks that are secured by Instant Messaging Security.

To block third-party IM clients from connecting directly to public IM networks, configure your firewall with the following block rules:

Number  Direction  Port(s)  Protocol  Action  IP(s)  Notes
1       Outbound   1863     TCP       Block   ALL    Block direct access to MSN
2       Outbound   5050     TCP       Block   ALL    Block direct access to Yahoo
3       Outbound   5190     TCP       Block   ALL    Block direct access to AOL
4       Outbound   7001     UDP/TCP   Block   ALL    Block access to MSN NAT discovery

Firewall Allow Rules


Configure your firewall allow rules to enable access to the Instant Messaging Security datacenters.

To allow access to the Symantec.cloud network, use the following table to configure your firewall allow rules:

Number  Action  Port(s)  Protocol  Network (Subnet)   IP Range                         Notes
1       Allow   ALL      UDP/TCP   194.106.220.0/23   194.106.220.0 - 194.106.221.255  Allow network access to the IMSS service across all ports
                                   85.158.136.0/21    85.158.136.0 - 85.158.143.255
                                   95.131.104.0/21    95.131.104.0 - 95.131.111.255
                                   216.82.240.0/20    216.82.240.0 - 216.82.255.255
                                   67.219.240.0/20    67.219.240.0 - 67.219.255.255
                                   117.120.16.0/21    117.120.16.0 - 117.120.23.255

Delegate resolution of public IM network hosts

Set up your office networks so that all connections to third-party IM networks are forwarded to an IMSS datacenter. Use one of the following configuration methods:

- Windows 2003 DNS configuration: See Configuring Windows 2003 DNS to forward IM networks on page 11.
- Windows 2008 DNS configuration: See Windows 2008 DNS Configuration on page 12.
- BIND configuration: See Bind configuration on page 13.

Configuring Windows 2003 DNS to forward IM networks


Set up your office networks so that all connections to third-party IM networks are forwarded to an Instant Messaging Security datacenter. You can use the Windows 2003 management console DNS snap-in to configure DNS to forward the IM traffic. For each public IM service host you add, first add a new forward lookup zone. Second, create a CNAME record in the zone that points to the IMSS service. Store the forward zones you set up in the same way as your existing DNS configuration. Make sure that you disable dynamic updates for the zone.

To launch the Windows 2003 management console DNS snap-in:

From the Windows desktop, click Start > Run > dnsmgmt.msc.

The following procedure provides the steps to create a forward zone and store it in Active Directory.

To set up a forward lookup zone:

1 Launch the new forward zone wizard by right-clicking Forward Lookup Zones and selecting New zone.
2 Select the zone type: Primary zone.
3 Select how the zone should be replicated in Active Directory.
4 Enter the zone name.
5 Set the zone to not allow dynamic updates.
6 Finish setting up the zone.

For each new forward lookup zone created, create a CNAME (alias) record that points to Instant Messaging Security. The following procedure sets up an alias for messenger.hotmail.com for the US region.

To create a CNAME (alias) record that points to the Instant Messaging Security service:

1 Launch the new alias wizard.
2 Set the fully qualified domain name (FQDN) for the alias. For all zones except ars.oscar.aol.com, point the alias at the primary host. For ars.oscar.aol.com, point the alias at the secondary host.
3 Finish the new alias wizard.

See Public IM Hosts - Resolved by Global Client Support Center on page 22.

Windows 2008 DNS Configuration


Set up your office networks so that all connections to third-party IM networks are forwarded to an Instant Messaging Security datacenter. You can use the Windows 2008 DNS Manager to configure DNS to forward the IM traffic. For each public IM host, add a new Conditional Forwarder. The following procedure shows the steps necessary to set up a conditional forwarder for messenger.hotmail.com.

To set up a conditional forwarder:

1 From the Windows 2008 taskbar, click Start > Administrative Tools > DNS.
2 To launch the Conditional Forwarders wizard, right-click Conditional Forwarders and select New Conditional Forwarder.
3 Enter the host name to forward, along with the name of the DNS server to which the request will be forwarded.
4 Complete steps 2 and 3 for each public IM host.

See Public IM Hosts - Resolved by Global Client Support Center on page 22.

Bind configuration

Set up your office networks so that all connections to third-party IM networks are forwarded to an Instant Messaging Security datacenter. You can use Bind to configure DNS to forward the IM traffic.

To configure DNS using Bind:

Add the required zones to your named configuration file, /etc/named.conf. The example .conf file is for Bind9 and assumes a US-based customer. Replace the server in the forwarders section with the appropriate server from the list of Instant Messaging Security datacenters. See Table 1-1 on page 14. See Instant Messaging Security Datacenters on page 24.

Table 1-1 Example .conf file

zone "messenger.hotmail.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "scs.msg.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "echo.edge.messenger.live.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "vcs1.msg.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "gateway.messenger.hotmail.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "vcs1.msg.vip.sp1.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "mcs.msg.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "vcs2.msg.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "mcsa.msg.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "vcs2.msg.vip.ac4.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };


zone "mcsb.msg.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "update.messenger.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "insider.msg.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "stun.ycp.corp.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "httpvcs1.msg.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "voipa.sip.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "beta.sip.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "voipb.sip.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "stun.voice.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "voipc.sip.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };


zone "relay.voice.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "sip-re.a1.b.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "natkeepalive.voice.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "beta.stun.voice.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "relay.voice.mud.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "stun.voice.fy3.b.yahoo.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "ars.oscar.aol.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };

zone "login.oscar.aol.com" IN { type forward; forward only; forwarders { primary.us.imscanningservice.com; }; };
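The stanzas above are easy to mistype, and a zone left at BIND's default of "forward first" quietly falls back to normal recursion when the forwarder is unreachable, which lets the client reach the public IM network directly. The following Python script is an added example, not part of this guide: it renders zones in the same shape as Table 1-1 and audits an existing named.conf for a missing zone, a zone without "forward only", and a zone forwarding somewhere other than the datacenter. The host list and forwarder name are copied from Table 1-1; the function names and the sample configuration are this example's own.

```python
"""Generate and audit BIND forward-only zones for the public IM hosts.

Added example, not part of the Symantec guide. Host list and forwarder
are copied from Table 1-1; function names and the sample config are this
example's own construction.
"""
import re

# Forwarder for a US-based customer, as in Table 1-1. EU customers would
# use the primary.eu host from the datacenter table in the appendix.
US_FORWARDER = "primary.us.imscanningservice.com"

# Every host that Table 1-1 delegates to the IMSS datacenter.
IM_HOSTS = [
    "messenger.hotmail.com", "scs.msg.yahoo.com", "echo.edge.messenger.live.com",
    "vcs1.msg.yahoo.com", "gateway.messenger.hotmail.com",
    "vcs1.msg.vip.sp1.yahoo.com", "mcs.msg.yahoo.com", "vcs2.msg.yahoo.com",
    "mcsa.msg.yahoo.com", "vcs2.msg.vip.ac4.yahoo.com", "mcsb.msg.yahoo.com",
    "update.messenger.yahoo.com", "insider.msg.yahoo.com",
    "stun.ycp.corp.yahoo.com", "httpvcs1.msg.yahoo.com", "voipa.sip.yahoo.com",
    "beta.sip.yahoo.com", "voipb.sip.yahoo.com", "stun.voice.yahoo.com",
    "voipc.sip.yahoo.com", "relay.voice.yahoo.com", "sip-re.a1.b.yahoo.com",
    "natkeepalive.voice.yahoo.com", "beta.stun.voice.yahoo.com",
    "relay.voice.mud.yahoo.com", "stun.voice.fy3.b.yahoo.com",
    "ars.oscar.aol.com", "login.oscar.aol.com",
]

def render_zone(host, forwarder):
    """One zone stanza in exactly the shape Table 1-1 uses. 'forward only'
    matters: BIND's default 'forward first' falls back to normal recursion
    if the forwarder does not answer, bypassing the IMSS datacenter."""
    return ('zone "%s" IN { type forward; forward only; '
            'forwarders { %s; }; };' % (host, forwarder))

def render_config(hosts, forwarder):
    """Stanzas for all hosts, ready to append to /etc/named.conf."""
    return "\n".join(render_zone(h, forwarder) for h in hosts) + "\n"

def parse_zones(text):
    """Map zone name -> stanza body, matching braces by hand so the nested
    forwarders { ... } block does not confuse the parse."""
    zones = {}
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        zones[m.group(1).lower()] = text[m.end():i - 1]  # DNS names are case-insensitive
    return zones

def audit_config(text, required_hosts, forwarder):
    """Report hosts that are missing, not 'forward only', or that forward
    somewhere other than the expected IMSS datacenter."""
    zones = parse_zones(text)
    report = {"missing": [], "not_forward_only": [], "wrong_forwarder": []}
    for host in required_hosts:
        body = zones.get(host.lower())
        if body is None:
            report["missing"].append(host)
            continue
        if not re.search(r"\bforward\s+only\s*;", body):
            report["not_forward_only"].append(host)
        fwd = re.search(r"forwarders\s*\{([^}]*)\}", body)
        targets = [t.strip() for t in fwd.group(1).split(";") if t.strip()] if fwd else []
        if targets != [forwarder]:
            report["wrong_forwarder"].append(host)
    return report

# Constructed sample: a partial config with two classic mistakes.
SAMPLE_BAD_CONF = """
zone "messenger.hotmail.com" IN {
    type forward;
    forward first;          // falls back to the public network
    forwarders { primary.us.imscanningservice.com; };
};
zone "LOGIN.oscar.aol.com" IN { type forward; forward only;
    forwarders { 192.0.2.53; }; };  // wrong target (documentation address)
"""

if __name__ == "__main__":
    print(render_config(IM_HOSTS[:2], US_FORWARDER))
    print(audit_config(SAMPLE_BAD_CONF, IM_HOSTS, US_FORWARDER))
```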

Install a Public IM Client on a Windows Test Computer


Test the Instant Messaging Security service on a Windows test computer before fully deploying the service. Select a public IM client and create a test account. Ensure that you use a supported public IM client to access IMSS. The service blocks non-supported public IM clients.

The following public IM clients are currently supported:

Table 1-2 Supported Public IM clients

Public IM Service        Version No
AIM                      v 5.9.6089
Windows Live Messenger   v 14.0.8089.726
Windows Live Messenger   v 14.0.8117.0416
Yahoo Messenger          v 8.1.0.4.21
Yahoo Messenger          v 9.0.0.2162
Yahoo Messenger          v 10.0.0.1102
Yahoo Messenger          v 10.0.0.1270

See Test your Instant Messaging Security Configuration on page 18.

Test your Instant Messaging Security Configuration


Test the Instant Messaging Security service before fully deploying the service. Use the account you have registered with a supported public IM network and the Public IM client that you have installed on a test computer. See Install a Public IM Client on a Windows Test Computer on page 17.

To test the supported public IM client on your Windows test computer:

1 Launch the supported public IM client that is installed on your Windows test computer and log into your account.
2 Verify that your account connects to the public IM network and that you can see your IM contacts. If you cannot see your list of IM contacts, your network may not be configured correctly: your IM client is unable to connect to the IM service.
3 Open a chat window and send an instant message to one of your contacts. A disclaimer message from Instant Messaging Security is displayed in your IM chat window, similar to the following: "This conversation is protected by MessageLabs IM Security Service. This controls and protects IM conversations. This conversation may be logged by the service. If this conversation breaches your local data protection policies, you should end it now." If this disclaimer is not displayed, your network may not be configured correctly: the IM client connects directly to the public IM network.

If an issue is identified, verify that you have performed all of the steps correctly. Further information is available to help you diagnose an issue. See Tips and Troubleshooting on page 21. Note: The disclaimer message can be configured in ClientNet.

Further Help on How to Configure Instant Messaging Security


Once you have established connectivity to Instant Messaging Security from your network, configure the service to gain the maximum benefit from it. Use the following configuration settings in ClientNet to implement your organization's acceptable usage policy:

- Disclaimers
- Email Content Control rules
- Users and groups
- Transcript logging
- Reporting (see the Online Help on Reporting)

Appendix A Appendix

This appendix includes the following topics:

- Tips and Troubleshooting
- Public IM Hosts - Resolved by Global Client Support Center
- Instant Messaging Security Datacenters
- Outbound Ports

Tips and Troubleshooting

The following table lists issues that you may encounter when you set up Instant Messaging Security, with their resolutions:

Table A-1 Instant Messaging Security Issues

Issue: I use a public IM client and cannot connect to the service.
Solution: Instant Messaging Security only allows IM users to access the service if they use a supported version of a public IM client. See Install a Public IM Client on a Windows Test Computer on page 17.

Issue: I am unsure of the IP address that I connect from. Is this important?
Solution: You should enter the appropriate IP address into ClientNet. A number of Web sites offer an IP address information service, e.g. whatsmyip.org.

Issue: I block port range 55000 to 55900. Will this affect IMSS?
Solution: For the Instant Messaging Security service to operate correctly, you must ensure that the range 55000 to 55900 is unblocked.

Issue: Our Web filter service may be affecting the deployment of IMSS within our organization.
Solution: Many commercial Web filtering services offer a feature that blocks IM connections. When you deploy Instant Messaging Security within your organization, disable any IM blocking functionality on your Web filtering service.

Issue: I have disabled the IM connection blocking function on my Web filter service but still fail to connect to the IM service.
Solution: Ensure that the Web filtering service does not block access to the Instant Messaging Security service proxy names/IPs. If you are still unable to connect, please contact the Global Client Support Center. The Support personnel have a connectivity diagnosis tool that helps to identify connection difficulties.

Issue: I am unable to tell at what point the connection to IMSS fails.
Solution: Contact the Global Client Support Center. The Support personnel have a connectivity diagnosis tool that helps to identify connection difficulties.

Issue: I have completed all of the steps in this guide but the connection seems to fail outside my network.
Solution: Check ClientNet for service alerts or announcements.

Issue: I do not want to open all ports to IMSS. What can I do?
Solution: If you have specific concerns about opening all ports to Instant Messaging Security, you can open specific outbound ports with a default deny policy. See Outbound Ports on page 24.

For further assistance, contact our 24x7 Global Support team who can help you with troubleshooting and advice.

Public IM Hosts - Resolved by Global Client Support Center


When the DNS forward lookup zones are configured with the public IM service host names, some may show as resolving to an IP address of 0.0.0.0. This is intentional.

AOL hosts:
    login.oscar.aol.com
    ars.oscar.aol.com

Messenger hosts:
    messenger.hotmail.com
    echo.edge.messenger.live.com
    gateway.messenger.hotmail.com

Yahoo hosts:
    mcs.msg.yahoo.com
    mcsa.msg.yahoo.com
    mcsb.msg.yahoo.com
    scs.msg.yahoo.com
    vcs1.msg.yahoo.com
    vcs1.msg.vip.sp1.yahoo.com
    vcs2.msg.yahoo.com
    vcs2.msg.vip.ac4.yahoo.com
    update.messenger.yahoo.com
    insider.msg.yahoo.com
    httpvcs1.msg.yahoo.com
    beta.sip.yahoo.com
    stun.voice.yahoo.com
    relay.voice.yahoo.com
    natkeepalive.voice.yahoo.com
    relay.voice.mud.yahoo.com
    stun.ycp.corp.yahoo.com
    voipa.sip.yahoo.com
    voipb.sip.yahoo.com
    voipc.sip.yahoo.com
    sip-re.a1.b.yahoo.com
    beta.stun.voice.yahoo.com
    stun.voice.fy3.b.yahoo.com
    scsa.msg.yahoo.com
    scsb.msg.yahoo.com
    scsc.msg.yahoo.com
    scsd.msg.yahoo.com
    scse.msg.yahoo.com
    scsf.msg.yahoo.com
    scsg.msg.yahoo.com

Instant Messaging Security Datacenters


Instant Messaging Security is deployed in regional datacenters around the globe. Customers must select which datacenter they want to connect to by default, and to which datacenter they fail over. The following table lists the datacenter host names and IP addresses applicable to DNS delegation:

Table A-2 Instant Messaging Security Datacenters

Region                       Host                                IP Address
United States/North America  primary.us.imscanningservice.com    216.82.241.36
United States/North America  secondary.us.imscanningservice.com  216.82.241.37
EMEA/Asia Pacific            primary.eu.imscanningservice.com    194.106.220.20
EMEA/Asia Pacific            secondary.eu.imscanningservice.com  194.106.220.21

Outbound Ports

If you have specific concerns over opening all ports to Instant Messaging Security, use the following table to open specific outbound ports with a default deny policy.

Table A-3 Outbound Ports

Number  Port(s)      Protocol  Action  IP(s)
1       53           UDP/TCP   ALLOW   Insert IMSS IP ranges
2       80           TCP       ALLOW   Insert IMSS IP ranges
3       443          TCP       ALLOW   Insert IMSS IP ranges
4       1863         TCP       ALLOW   Insert IMSS IP ranges
5       5050         TCP       ALLOW   Insert IMSS IP ranges
6       5190         TCP       ALLOW   Insert IMSS IP ranges
7       9005         TCP       ALLOW   Insert IMSS IP ranges
8       55000-55900  TCP       ALLOW   Insert IMSS IP ranges
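The Firewall Block Rules in Chapter 1 match ALL destinations on the IM ports, while Table A-3 shows that the IMSS proxy itself is reached on those same ports, so rule order decides whether the proxy stays reachable. The following Python script is an added example, not part of this guide: it models the block rules, the all-ports allow rule and Table A-3 as a first-match rule list and checks the outcomes a correct deployment must produce. The subnets and ports are copied from the guide's tables; the rule structure, evaluation order, function names and the 203.0.113.10 stand-in address are this example's own assumptions, so map them onto your own firewall's semantics.

```python
"""First-match evaluation of the guide's outbound firewall tables.

Added example, not part of the Symantec guide. Subnets and ports are
copied from the guide's tables; the rule structure, evaluation order and
sample addresses are this example's own assumptions.
"""
import ipaddress

# IMSS datacenter subnets (Firewall Allow Rules table).
IMSS_NETS = [ipaddress.ip_network(n) for n in (
    "194.106.220.0/23", "85.158.136.0/21", "95.131.104.0/21",
    "216.82.240.0/20", "67.219.240.0/20", "117.120.16.0/21")]

# Primary US datacenter (Table A-2) and a stand-in for a public IM server;
# 203.0.113.0/24 is a documentation range, not a real IM host.
IMSS_US_PRIMARY = "216.82.241.36"
PUBLIC_IM_SERVER = "203.0.113.10"

def rule(action, nets, ports, protos):
    """nets=None means ALL addresses; ports=None means ALL ports,
    otherwise an inclusive (low, high) range."""
    return {"action": action, "nets": nets, "ports": ports, "protos": set(protos)}

def block_rules():
    """Firewall Block Rules table: direct access to MSN, Yahoo, AOL and
    MSN NAT discovery, to any destination."""
    return [rule("deny", None, (1863, 1863), ["tcp"]),
            rule("deny", None, (5050, 5050), ["tcp"]),
            rule("deny", None, (5190, 5190), ["tcp"]),
            rule("deny", None, (7001, 7001), ["tcp", "udp"])]

def allow_all_ports_rule():
    """Firewall Allow Rules table: every port and protocol to the IMSS subnets."""
    return [rule("allow", IMSS_NETS, None, ["tcp", "udp"])]

def outbound_port_rules():
    """Table A-3: specific outbound ports to the IMSS ranges, for a
    default-deny policy."""
    single = [(53, ["tcp", "udp"]), (80, ["tcp"]), (443, ["tcp"]),
              (1863, ["tcp"]), (5050, ["tcp"]), (5190, ["tcp"]), (9005, ["tcp"])]
    rules = [rule("allow", IMSS_NETS, (p, p), protos) for p, protos in single]
    rules.append(rule("allow", IMSS_NETS, (55000, 55900), ["tcp"]))
    return rules

def matches(r, dst, port, proto):
    if proto not in r["protos"]:
        return False
    if r["ports"] is not None and not r["ports"][0] <= port <= r["ports"][1]:
        return False
    return r["nets"] is None or any(dst in n for n in r["nets"])

def evaluate(rules, dst, port, proto, default):
    """First matching rule wins; 'default' applies when nothing matches."""
    dst = ipaddress.ip_address(dst)
    for r in rules:
        if matches(r, dst, port, proto):
            return r["action"]
    return default

def check_policy(rules, default):
    """Outcomes a correct deployment must produce: IMSS reachable on an IM
    port, the public IM network not reachable directly, and the
    55000-55900 range open to IMSS (see Tips and Troubleshooting)."""
    return {"imss_1863": evaluate(rules, IMSS_US_PRIMARY, 1863, "tcp", default),
            "direct_1863": evaluate(rules, PUBLIC_IM_SERVER, 1863, "tcp", default),
            "imss_55123": evaluate(rules, IMSS_US_PRIMARY, 55123, "tcp", default)}

# The allow rule must precede the block rules: they match ALL destinations,
# so listed first they would also cut the IMSS proxy off on port 1863.
CORRECT_ORDER = allow_all_ports_rule() + block_rules()
WRONG_ORDER = block_rules() + allow_all_ports_rule()
DEFAULT_DENY = outbound_port_rules()

if __name__ == "__main__":
    for name, rules, dflt in (("correct order", CORRECT_ORDER, "allow"),
                              ("wrong order", WRONG_ORDER, "allow"),
                              ("default deny", DEFAULT_DENY, "deny")):
        print(name, check_policy(rules, dflt))
```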
