Instant IMtegrity Product Documentation

Firewall and proxy server considerations for AOL AIM clients

In order to control all AOL AIM instant messages exchanged by your users, whether through the Sametime Connect "Dual mode" client or through native AOL Instant Messenger clients, you must ensure that these IM clients cannot connect to the Internet directly or through your company firewall, but only through the IMtegrity proxy server service.

Typically, for AOL AIM clients to work, a firewall would need to permit at least port 5190 and the remote DNS name "login.oscar.aol.com". Be aware that blocking port 5190 alone is not sufficient: AOL AIM clients can be configured to use, or to auto-detect, any available port (including port 80, which is usually open for web/HTTP traffic) and use it to connect to the corresponding public AOL AIM servers.

Since virtually any port could be used (all public AOL AIM servers listen on all available ports), it is crucial that you block all public AOL IM login server addresses (at a minimum "login.oscar.aol.com") at the firewall level for all users. Only the Lotus Sametime servers running the IMtegrity proxy server service should be able to reach the public AOL IM servers through the firewall. Otherwise users will be able to circumvent the IMtegrity proxy service by reconfiguring their clients to connect directly to the Internet and the public AOL IM servers.

Note: The default login server address for the AOL AIM network is "login.oscar.aol.com". You can configure your internal DNS servers to redirect this name to an IMtegrity proxy server address. While this saves you from having to reconfigure each AOL AIM client to point to the IMtegrity proxy server, it is not entirely safe: there are other public AOL IM login servers, users could change their configurations to use one of those, and you would then need to remap all of those other AOL AIM server DNS names as well.
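The following is an added illustration, not code from the IMtegrity product, of the difference between the two firewall approaches described above. It models a port-only block and a destination-based block (with a single exception for the IMtegrity proxy host) as rule functions and runs both over a constructed set of outbound connection attempts. The proxy host name and the second AOL login server name are placeholders; only "login.oscar.aol.com" comes from this documentation.

```python
"""Egress policy check for AOL AIM traffic (added example, not IMtegrity code).

Shows why blocking port 5190 alone is bypassed by an AIM client reconfigured
to use port 80, while blocking the AOL login server names for every host
except the IMtegrity proxy is not.
"""
from dataclasses import dataclass

# Constructed values. Only "login.oscar.aol.com" is from the documentation; the
# second name stands in for the other public AOL login servers it mentions.
AOL_LOGIN_SERVERS = {
    "login.oscar.aol.com",
    "login.example-aol-placeholder.net",   # placeholder for another public login server
}
IMTEGRITY_PROXY_HOST = "imtegrity-proxy.corp.example"  # assumed internal host name
AIM_DEFAULT_PORT = 5190


@dataclass(frozen=True)
class Connection:
    src: str     # internal host initiating the connection
    dst: str     # destination host name the client resolved
    dport: int   # destination TCP port


def port_only_policy(c: Connection) -> bool:
    """Naive rule: deny the AIM default port for everyone, allow everything else."""
    return c.dport != AIM_DEFAULT_PORT


def destination_policy(c: Connection) -> bool:
    """Recommended rule: the public AOL login servers are reachable only from the
    IMtegrity proxy host, on any port; other outbound traffic is unaffected."""
    if c.dst in AOL_LOGIN_SERVERS:
        return c.src == IMTEGRITY_PROXY_HOST
    return True


# Constructed sample of outbound connection attempts.
SAMPLE_CONNECTIONS = [
    Connection("workstation-17", "login.oscar.aol.com", 5190),        # default AIM client
    Connection("workstation-17", "login.oscar.aol.com", 80),          # client switched to port 80
    Connection("workstation-17", "login.example-aol-placeholder.net", 443),  # alternate login server
    Connection("workstation-17", "www.example.com", 80),              # ordinary web browsing
    Connection(IMTEGRITY_PROXY_HOST, "login.oscar.aol.com", 5190),    # the proxy's own outbound link
]


def evaluate(policy, connections):
    """Map each connection to the policy's allow/deny decision."""
    return {c: policy(c) for c in connections}


def bypasses(policy, connections):
    """Connections to an AOL login server that the policy lets through from a
    host other than the IMtegrity proxy: each one is a path around IMtegrity."""
    return [c for c, allowed in evaluate(policy, connections).items()
            if allowed and c.dst in AOL_LOGIN_SERVERS and c.src != IMTEGRITY_PROXY_HOST]


if __name__ == "__main__":
    for name, policy in (("port-only", port_only_policy), ("destination", destination_policy)):
        print(f"{name} policy:")
        for c, allowed in evaluate(policy, SAMPLE_CONNECTIONS).items():
            print(f"  {c.src:>28} -> {c.dst}:{c.dport}  {'ALLOW' if allowed else 'DENY'}")
        print(f"  bypass paths: {len(bypasses(policy, SAMPLE_CONNECTIONS))}")
```

Run as a script, the port-only policy reports two bypass paths (the port-80 attempt and the alternate login server) and the destination policy reports none, while ordinary web traffic and the proxy's own outbound connection are allowed under both.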

Most companies that wish to regulate and manage Internet traffic have application proxy servers in place between the firewall and the various application servers. The IMtegrity proxy server is designed to work with or without such company application proxy servers. These application proxy servers are generally enabled for protocols such as HTTP, HTTPS, SOCKS 4, and SOCKS 5. Note: The IMtegrity proxy server supports only SOCKS 4 and SOCKS 5 for passing through these application proxy servers. HTTP and HTTPS are not supported.

If you have no application proxy servers

If there are no application proxy servers installed in your company, then your network should be configured to channel all AOL AIM traffic through the IMtegrity proxy server computer only. Note that without a firewall in place, you will not be able to effectively block access to the Internet. Hence, it is essential that you have a firewall in order to effectively use and enforce IMtegrity. You can run IMtegrity without a firewall, but you cannot be sure that all traffic is going through the IMtegrity proxy server for logging, authentication, disclaimers, etc.

If you have an application proxy server and a firewall

If your company uses an application proxy server for access to the Internet, then your proxy server settings should be similar to the firewall configuration, with one exception: the application proxy server should allow AIM traffic that is initiated from or channeled through the IMtegrity server only. That is, the application proxy server should be able to establish outbound connections over the specified ports through the firewall on behalf of the IMtegrity proxy server. The application proxy server needs to be SOCKS 4 or SOCKS 5 enabled.
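As an added example, not code from the IMtegrity product, the following builds the client side of a standard SOCKS 5 (RFC 1928) CONNECT exchange for login.oscar.aol.com:5190 and parses the proxy's reply. It lets an administrator verify, from the IMtegrity host, that the application proxy's ruleset permits that outbound connection. The framing is the standard SOCKS 5 one; that IMtegrity sends exactly these bytes is an assumption, since the documentation only states that SOCKS 4 and SOCKS 5 are supported. The sample reply bytes are constructed.

```python
"""SOCKS 5 CONNECT exchange for an AIM login server (added example, not IMtegrity code)."""
import socket
import struct

SOCKS_VERSION = 5
METHOD_NO_AUTH = 0x00
METHOD_NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03

# Reply codes from RFC 1928 section 6.
REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting() -> bytes:
    """Client hello offering only 'no authentication': VER, NMETHODS, METHODS."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request with the domain-name address type, so the application
    proxy resolves the AOL login server name itself:
    VER, CMD, RSV, ATYP, LEN, NAME, PORT (big-endian)."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("host name too long for a SOCKS 5 domain address")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_method_selection(data: bytes) -> int:
    """Proxy's answer to the greeting: VER, METHOD."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError(f"malformed method selection: {data!r}")
    if data[1] == METHOD_NO_ACCEPTABLE:
        raise ValueError("proxy rejected all offered authentication methods")
    return data[1]


def parse_connect_reply(data: bytes) -> tuple:
    """Proxy's answer to CONNECT as (REP code, description). Only the header is
    examined; the bound address that follows is not needed to tell whether the
    proxy permits the IMtegrity host to reach the AIM server."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError(f"malformed CONNECT reply: {data!r}")
    rep = data[1]
    return rep, REPLY_TEXT.get(rep, f"unknown reply code {rep:#04x}")


def probe_via_socks5(proxy_host: str, proxy_port: int, target: str,
                     port: int = 5190, timeout: float = 5.0) -> tuple:
    """Live check to run from the IMtegrity host: ask the application proxy to
    CONNECT to the AIM login server and return the parsed reply."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_greeting())
        parse_method_selection(s.recv(2))
        s.sendall(build_connect_request(target, port))
        return parse_connect_reply(s.recv(262))


# Constructed proxy replies (IPv4 ATYP, bound address 0.0.0.0:0): one permitted
# CONNECT and one the proxy's ruleset denies.
SAMPLE_REPLY_OK = bytes([5, 0x00, 0, 1, 0, 0, 0, 0, 0, 0])
SAMPLE_REPLY_DENIED = bytes([5, 0x02, 0, 1, 0, 0, 0, 0, 0, 0])

if __name__ == "__main__":
    print(build_connect_request("login.oscar.aol.com", 5190).hex())
    print(parse_connect_reply(SAMPLE_REPLY_OK))
    print(parse_connect_reply(SAMPLE_REPLY_DENIED))
```

A reply code of 0x02 ("connection not allowed by ruleset") from a workstation and 0x00 from the IMtegrity host is the result the configuration above is meant to produce; `probe_via_socks5` performs that check against a real proxy, while the constructed replies exercise the parser offline.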

Note that once your firewall and application proxy server configurations are in place, users will need to configure their AIM clients with the hostname and port number of the IMtegrity server functioning as their login server. Details for this are covered in Client configuration.