ISA 2004 for beginners: prohibiting QQ Internet access
Doitwhere
September 13, 2004 12:31
Foreword
There is only one purpose in writing this article: a real hands-on experience with ISA 2004.
The idea started from wanting a real experience of prohibiting QQ Internet access. The goal was finally achieved, and I am somewhat proud of that. First, thank you to the Internet; it is really wonderful. Most of the inspiration I lacked came from netizens, especially "Windshield" of the ISA Chinese network, as well as ********. In fact, many friends have already posted very exciting solutions, including translation and creation in the wind: "[Revision] Use ISA Server 2004 to prohibit P2P software" and "How to prohibit MSN in ISA Server 2004". But for a newcomer to firewall software such as ISA, understanding these professional terms and discussions is, I am afraid, not a very easy thing. Moreover, in all the articles I have read, most of the descriptions assume by default that readers already have a certain amount of basic knowledge. This inevitably leaves readers like me finding it difficult to find a practical, in-depth method.
OK, the article I want to write tells you, step by step, how to reach the ultimate goal of prohibiting QQ Internet access, even if you have never touched ISA 2004.
Statement
Much of this article borrows the experience of other netizens. My mission is just to explain these experiences in more detail, so don't think that I am in this regard or so. Please don't smeze it, but you have to share your experience (ISA Chinese Network Forum) to share your experience and share it with yourself.
Environment
I originally thought the way to disable QQ was to use Wingate (version 6.0). Because I had not been exposed to it, I spent two nights searching the Internet and experimenting non-stop during this period, but I could not effectively filter the ports and protocols QQ uses. Maybe I am not familiar with this software, but I still agree that it is a very powerful proxy server software. If any friend can prohibit QQ Internet access through Wingate and sees this nonsense I wrote, please remember to write up your method and send it to me by e-mail, and with that, laugh at my ignorance.
Network environment:
ISA 2004 server:
Windows 2000 Server,
Windows 2000 SP4,
IE6SP1,
Windows SQL Server 2000 (if you need to use more SQL Server features, it is recommended to install it before installing ISA 2004, because ISA 2004 will also install SQL Server)
ADSL (RaspppoE dialing program, this is the ADSL dial-up software I like to use)
Dual NIC (NIC IP: 192.168.123.1; external network IP: 192.168.1.2; the external network card is used to connect the ADSL modem for dial-up, no IP)
"ISA 2004 Standard Edition", Chinese version
(*** That is all I will write tonight; take care of your health. 22:28 ***)
Implementation
Once the environment is in place, you can configure ISA 2004 to achieve our goal. ISA 2004's filtering rules are very similar to those of hardware firewalls. Prohibiting QQ Internet access uses three firewall techniques: disabling communication ports, filtering communication packets, and disabling communication protocols. Early QQ used the UDP protocol and port 8000 to deliver messages, and later added the TCP protocol and ports 80/443 so that the software could adapt to more environments. Now, in addition, VIP users use HTTP 443 to communicate, so we cannot disable QQ Internet access by disabling the HTTP protocol and ports, because HTTP port 80 is not disabled. By combining disabled ports and protocols with finding and blocking the IP addresses of all QQ servers, you can stop QQ from going online.
There are no ready-made UDP 8000 and TCP 443 protocol definitions, but we can use the flexibility the software provides to create custom protocols:
UDP-8000 (Figure)
TCP-443 (Figure)
Then we group the QQ server IP addresses by the communication protocol QQ uses, and create three computer sets in ISA:
Add the following computers to the QQ-Server UDP_8000 SET computer set:
(QQ-Server UDP_8000 SET)
Add the following IP addresses to the QQ-Server TCP_443 SET computer set:
218.17.209.23
218.18.95.153
218.18.95.171
218.18.95.140 (This is a new QQ server IP I found, please verify it)
218.18.95.221
61.141.194.227
(QQ-Server TCP_443 SET)
Add the following computer to the QQ-Server VIP SET computer set:
218.17.209.42
(QQ-Server VIP SET)
The new computer sets after creation:
[IMG] http://218.17.2.203/bbs_pic/serverip.jpg [/ IMG]
Implementation of rules
With the preparations above done, you can create the filtering rules for disabling QQ Internet access. First create a rule, QQ server access, ************************************************************** TCP-80, TCP-443; as the access source add "Local Network"; as the destination add the three custom computer sets QQ-Server UDP_8000 SET, QQ-Server TCP_443 SET and QQ-Server VIP SET; select "All User" and click Finish.
(Deny QQ Server Access Rules)
[IMG] http://218.17.2.203/bbs_pic/pic-01.jpg [/ IMG]
Create a second rule, Allow Internet Access: select all protocols, add "Local Network" as the source and "External Network" as the destination, select "All User" and click Finish. Right-click the rule you created and select "Configure HTTP", go to the "Signature" tab and create a new signature, select "Request URL" and enter "Tencent.com" in the Signature box, then click OK to exit all modifications. Now open QQ on a computer in the local area network and try to see if you can log in. You can't, can you? Set a proxy server in the QQ settings and log in again. Still not? OK, very good!
Description:
A large part of this article draws on "[Correct Edition] Use ISA Server 2004 to prohibit P2P software" and "How to ban MSN in ISA Server 2004"; it can be said to be a fool-proof version of them. There is no intention of copying others' work; I only wanted to write out how to reach this goal in more detail, to help friends who come later achieve it as soon as possible.
Thanks again to the several enthusiastic friends in the forum; their names are here.
(2004-9-12 3:37 PM by Doitwhere At SZ)
[Last Edited by DOITWHERE IN 2004-9-13 AT 15:18]
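The two rules from the post above, modeled as an ordered first-match policy; this is an added example, not code from the post or from ISA Server. The server addresses and log entries are constructed stand-ins for the QQ-Server computer sets, and the internal subnet and the deny rule's protocol list are assumptions; `unlisted_servers` shows how a server address missing from the sets falls through to the allow rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.123.0/24")  # assumed from the post's NIC address
# Constructed stand-ins (RFC 5737) for the three QQ-Server computer sets.
QQ_SETS = {ip_address(a) for a in ("203.0.113.10", "203.0.113.11", "203.0.113.42")}

@dataclass
class Rule:
    name: str
    action: str                 # "deny" or "allow"
    protocols: frozenset        # empty = all protocols
    destinations: frozenset     # empty = any destination
    url_signatures: tuple = ()  # HTTP filter: blocked Request URL substrings

POLICY = [
    Rule("Deny QQ Server Access", "deny",
         frozenset({"UDP-8000", "TCP-80", "TCP-443"}), frozenset(QQ_SETS)),
    Rule("Allow Internet Access", "allow", frozenset(), frozenset(),
         url_signatures=("tencent.com",)),
]

def evaluate(src, dst, protocol, url=None, policy=POLICY):
    """Return (verdict, deciding rule) for one outbound connection attempt."""
    if ip_address(src) not in INTERNAL:
        return ("deny", "default")
    for rule in policy:
        if rule.protocols and protocol not in rule.protocols:
            continue
        if rule.destinations and ip_address(dst) not in rule.destinations:
            continue
        # First matching rule decides; the signature check applies to HTTP only.
        if rule.action == "allow" and protocol == "TCP-80" and url:
            if any(sig in url.lower() for sig in rule.url_signatures):
                return ("deny", rule.name + " (HTTP signature)")
        return (rule.action, rule.name)
    return ("deny", "default")

def unlisted_servers(log):
    """Destinations of UDP-8000 flows the policy allows: candidates for the sets."""
    return sorted({dst for src, dst, proto in log
                   if proto == "UDP-8000" and evaluate(src, dst, proto)[0] == "allow"})

# Constructed log sample: (source, destination, protocol).
SAMPLE_LOG = [
    ("192.168.123.20", "203.0.113.10", "UDP-8000"),   # listed server
    ("192.168.123.21", "203.0.113.99", "UDP-8000"),   # server missing from the sets
    ("192.168.123.21", "198.51.100.7", "TCP-443"),    # unrelated HTTPS site
]
```

Running `unlisted_servers` over real firewall log entries gives the addresses that would need to be added to the computer sets to keep the deny rule effective.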
Sunnyx
September 13, 2004 14:10
Thank you!
PCFENG
September 13, 2004 15:44
A question for the experts:
Does the 8000 refer to the destination port?
Doitwhere
September 13, 2004 16:00
Disable outbound port 8000.
You can take a closer look at the screenshots; ISA 2004's wizard prompts for this clearly.
chesw
September 13, 2004 16:14
If the UDP 8000 direction is set to Send, even if the access rule customer cannot enable QQ through UDP; if the direction is set to Send Receive, there is no problem.
Shenxu
September 13, 2004 16:40
Hard work, support.
HB_xj
September 14, 2004 11:12
thank you very much! ! ! Vigorously support!
Luckymenzero
September 15, 2004 10:39
Now I have set it according to your method, but it's okay.
Jacky_cshy
September 15, 2004 10:54
I think it is still
Http://www.isaserververcn.org/info/info.php?s...ssid= & infoid=68 is better.
CJL98441
September 15, 2004 18:51
Is there a latest QQIP here? Is it still? If so, do you want to distinguish UDP, TCP4433, etc.?
Windshield
September 16, 2004 00:13
If it is a blocking IP address, no matter what type of server
Kylin_lu
September 17, 2004 10:09
I use ISA2K, how is it forbidden?
Windshield
September 17, 2004 10:12
Inside the access rules, there is also a place to create a address set.
Lyloves
September 17, 2004 10:23
Block QQ experience:
I found that you must block them not only on TCP 443 and UDP 8000, but also in the HTTP protocol; otherwise the QQ client can switch to a proxy ~
Windshield
September 17, 2004 10:27
Ha ha
CJL98441
September 20, 2004 17:07
Why can I still have QQ on my agent? I have already installed the settings above setting.
Windshield
September 20, 2004 17:59
Please be more specific.
Wangweizheng
September 21, 2004 10:53
If you have QQ in the HTTP protocol?
Doitwhere
September 21, 2004 11:12
The best way is to choose all protocols, select "Internal" as the source and then exclude the computers allowed to use QQ, select the QQ server IP computer sets as the destination, and use all users.
Then everything is quiet!
:D :D
Zhemson
September 22, 2004 22:41
Have a hard work
Wangweizheng
September 23, 2004 10:06
If the user can't control the network with the HTTP agent, can you detail or texture? Let me see this rookie!
Pengfei_ji
September 24, 2004 11:40
Windshield
September 24, 2004 12:22
Quote
WANGWEIZHENG published in 2004-9-23 09:06 AM:
If the user can't control the network with the HTTP agent, can you detail or texture? Let me see this rookie!
Http://www.isacn.org/info/info.php?sessid= &infoid=88
Wangweizheng
September 25, 2004 18:12
Sorry, I didn't express it. I said how can I use the HTTP agent to log in to QQ?
Windshield
September 26, 2004 16:49
Http://www.isacn.org/info/info.php?sessid= &infoid=68
TTTT
September 26, 2004 22:01
If UDP 8000 does not work, QQ may use port 443.
And we cannot know all the IP addresses of the QQ servers. If there is a new server IP that we did not add, the block fails.
This method is not 100% effective.
Sunmanliu
October 12, 2004 10:54
I have been working on it for a few days and finally got it! But now even I don't have QQ. How can I open it for some IPs alone? Is it necessary to build a separate policy?
[Last Edited by Sunmanliu On 2004-10-13 at 13:11]
Jesse2010
October 19, 2004 11:55
Look at the official instructions, jeha!
Windshield
October 19, 2004 12:39
Quote
Sunmanliu published in 2004-10-12 09:54 AM:
I have been working on it for a few days and finally got it! But now even I don't have QQ. How can I open it for some IPs alone? Is it necessary to build a separate policy?
Yes it is
XBSLiu
October 19, 2004 15:46
Great. For the vegetables like me, this is the best. like. Good job
CZPBAO
October 30, 2004 18:00
I blocked QQ for the first time, I went to QQ to display the TCP mode to log in.
218.18.95.165:8000 I have limited this IP, there is no good way, ISA2004 is really a problem!
IBMX365
January 9, 2005 12:10
I use the way the address is the way!
DDL
January 9, 2005 12:21
ding
lnycm
January 9, 2005 15:40
Tencent's IP is so much, the proposal is dominated by a configuration, let everyone download it will be OK. Otherwise, the address set of the QQ server is too troublesome.
ZHOUBIN
January 12, 2005 10:44
If HTTPS is prohibited according to the above method, it is not absolute. Also disable https. Some websites are registered to use this agreement. Just trouble.
Xiao Binbin
January 12, 2005 11:07
Most banks will also use HTTPS, so HTTPS is not banned, and can only filter, refuse to sign. In addition, in the previous mention, the rules can be set in the rules, and a large user group can be rejected, and then a small user group is set to exception, so that this small user group will not be limited by this rule. (Large user group contains small user groups)
ZHOUBIN
January 12, 2005 15:11
I am doing it now. If anyone wants me to open. But I can only do this. Tencent's trick is too much.