Firewall issues with MSN

Hi Daniel,

I read your comments and documentation about enabling outgoing connections through the firewall. The connections work fine except for MSN; I've got a connection timed out. Here are the debug logs:

Creating MSN session for melane@hotmail.fr

2007.02.14 04:15:11 Logging in to MSN session for melane@hotmail.fr

2007.02.14 04:15:11 MSN: Session messageSent for melane@hotmail.fr : VER 1 MSNP12 MSNP11 MSNP10 MSNP9 MSNP8 CVR0

2007.02.14 04:15:11 MSN: Session messageSent for melane@hotmail.fr : CVR 2 0x0409 winnt 5.1 i386 MSNMSGR 7.0.0777 msmsgs melane@hotmail.fr

2007.02.14 04:15:11 MSN: Session messageSent for melane@hotmail.fr : USR 3 TWN I melane@hotmail.fr

2007.02.14 04:15:11 MSN: Session established for melane@hotmail.fr

2007.02.14 04:15:11 MSN: Session messageReceived for melane@hotmail.fr : VER 1 MSNP12 MSNP11 MSNP10 MSNP9 MSNP8 CVR0

2007.02.14 04:15:12 MSN: Session messageReceived for melane@hotmail.fr : CVR 2 7.5.0324 7.5.0324 7.0.0777 http://msgr.dlservice.microsoft.com/download/5/a/8/5a892c0f-5b87-4767-8927-6fe5d8cfc582/Install_MSN_Messenger.exe http://messenger.msn.com

2007.02.14 04:15:12 MSN: Session closed for melane@hotmail.fr

2007.02.14 04:15:12 MSN: Session messageReceived for melane@hotmail.fr : XFR 3 NS 207.46.110.60:1863 0 65.54.239.20:1863

2007.02.14 04:15:12 MSN: Session messageSent for melane@hotmail.fr : VER 1 MSNP12 MSNP11 MSNP10 MSNP9 MSNP8 CVR0

2007.02.14 04:15:12 MSN: Session messageSent for melane@hotmail.fr : CVR 2 0x0409 winnt 5.1 i386 MSNMSGR 7.0.0777 msmsgs melane@hotmail.fr

2007.02.14 04:15:12 MSN: Session messageSent for melane@hotmail.fr : USR 3 TWN I melane@hotmail.fr

2007.02.14 04:15:12 MSN: Session established for melane@hotmail.fr

2007.02.14 04:15:12 MSN: Session messageReceived for melane@hotmail.fr : VER 1 MSNP12 MSNP11 MSNP10 MSNP9 MSNP8 CVR0

2007.02.14 04:15:12 MSN: Session messageReceived for melane@hotmail.fr : CVR 2 7.5.0324 7.5.0324 7.0.0777 http://msgr.dlservice.microsoft.com/download/5/a/8/5a892c0f-5b87-4767-8927-6fe5d8cfc582/Install_MSN_Messenger.exe http://messenger.msn.com

2007.02.14 04:15:12 MSN: Session messageReceived for melane@hotmail.fr : USR 3 TWN S lc=1033,id=507,tw=40,ru=http%3A%2F%2Fmessenger%2Emsn%2Ecom,ct=1171426512,kpp=1,kv=9,ver=2.1.6000.1,rn=gNU6uQb6,tpf=af78c7b6b1cb2190b62237e 6475d2cc2

2007.02.14 04:15:23 MSN: Exception occurred for melane@hotmail.fr : java.net.ConnectException: Connection timed out

2007.02.14 04:15:47 MSN: Exception occurred for melane@hotmail.fr : java.net.ConnectException: Connection timed out

2007.02.14 04:16:15 MSN: Session closed for melane@hotmail.fr

I tried to connect with the same login/password and the same configuration (wildfire 3.10 and plugin 1.0Beta4) on a machine not behind a firewall and it works fine. So here is my question: do you know if ports other than 1863 need to be enabled to connect to the MSN network? The rule we set up allows any address on port 1863…

Thanks,

Mélanie

In theory, if you can pass the connection test on the admin console screen, you should be fine on the firewall side of things. I believe others have run into the same problem, and I think it's the same as GATE-175.

Daniel,

Thanks for looking at it. I looked at the other post about GATE-175, and I don't know, but it seems to me that I am hitting another issue. The weird thing in my case is that I can log in fine on MSN when my wildfire server is running on a machine which is not behind a firewall, and I'm not able to connect when I'm running wildfire behind a firewall. In this case I always get: Unknown error from MSN: java.net.ConnectException: Connection timed out. Also, behind the firewall I never get to the point of receiving the "Binary Chunk Debug" message.

I cannot run the test on the admin GUI, because I'm running 1.0Beta4, but I tried telnet and it's OK. The firewall is configured to allow all traffic on port 1863, and I was wondering if other ports may be used.

I added traces in your code to make sure there are no other ports involved. I logged:

msnSession.getConnection().getRemotePort()

msnSession.getConnection().getExternalPort()

msnSession.getConnection().getInternalPort()

External and internal ports seem to be random ports, so I assumed they are the source ports for the local host and remote host. Is that right? Anyway, the remote port is always 1863.

Do you have any idea what could be wrong, or anything I could test? I'm running out of ideas…

Thanks,

Mélanie

Why are you running 1.0 beta 4? I can't really provide support for older versions. I barely remember what the plugin was like during earlier versions!

Hi Daniel,

In fact we were running 1.0 Beta 4 because of the wildfire version, but I've got wildfire 3.2.2 and gateway 1.0Beta 8 all running now. All connections work except MSN. When I test the connection in the admin GUI, it says that it can connect to MSN successfully. When I tried to register (using the psi client), it says that I'm registered successfully, but I'm not logged in, and my MSN contacts don't show up. When I look at the debug log, I see MSN: Session messageReceived… and many others, but after this I see that the MSN session is closed. I cannot figure out why. Also, when I try to log on to MSN from the client, I cannot.

Do you have any idea of what is happening here? We are running the server behind a firewall, and we allowed any outgoing connections on all IM ports, including 1863. My bet is that the MSN connection requires another port to be enabled. What do you think?

Thanks,

Mélanie

1.0 Beta 8 fixed a bug in which MSN changed some required protocol versions and I had to compensate. I will not be backporting that to any earlier versions.

As far as I've witnessed, MSN sticks to the same port, just different servers.

Message was edited by: jadestorm

Daniel,

I think I was not clear. I am running 1.0Beta 8 right now, and I'm still not able to connect to MSN when I'm behind a firewall, and was not able to connect either with the previous version. But when I'm not behind a firewall, I can connect with all versions. So I think the fix you implemented in 1.0Beta 8 doesn't apply to my problem. I was thinking about a port issue, but it can be something else… any idea? Is there something I can do to help debug this issue?

I am not asking you to backport fixes to earlier versions, I would just like to be able to connect with the last version.

Thank you,

Mélanie

Message was edited by: melane

I'm experiencing the same problem, but I was using beta 7.

I've upgraded to beta 8 now, but it's getting null pointer exceptions upon startup.

Message was edited by: barefootbonzai

Bump for answers. I've fixed the NPE by adding resources to my JIDs. But is there anything else that needs to be open on the firewall?

Do you have control over the firewall? If you can poke a hole in it for port 1863 then that would probably take care of the problem. If you don't have direct control over the firewall, sadly, there might not be much you can do until proxy support is implemented (GATE-130).

Could you post the NPEs?

Also, bumping doesn't really help anything. ;D Once I'm free to answer, I go through all of the posts "since I last looked". Been a busy week at my real job. =)

Thanks heaps for the response. Realised on Friday that the server was blocking SSL calls, so MSN couldn't get its "Passport Ticket" to sign in. So make sure you guys have port 443 open if it's blocked on your server.

As for the NPE, I sent one of you guys an email about it already; it's in your todo list.

Oh ok! So you emailed it directly to me?

So wait, unblocking port 443 did it? Interesting. MSN uses port 443 as well? I did not know that. =D (I want to make sure I'm reading you right, and then I'll add it to the wiki.)

Well, I snooped the packets as well, and indeed MSN uses port 443 just for the authentication phase. Unfortunately I have to wait until Monday to test again, because firewall modifications are done only over the weekend. I'll keep you updated once I have tested with the new rule for port 443.

Cheers,

Mélanie

Wow, I must admit that seems a little weird for them to block that port! That's the standard HTTPS port! Seems like that one would be the -least- likely one to block! =)

Now the MSN connection works, so you should add port 443 to your documentation.

Thanks guys for the help

Mélanie

Hey There,

I'm having this problem now using the MSN transport behind a restrictive firewall. We got the administrator to turn on outbound connections to messenger.hotmail.com port 1863. Am I reading this correctly that you also need messenger.hotmail.com port 443 so that authentication works? That is the phase where our connection seems to have problems. Just wanted to see if it was the same hostname before I put in an admin request.

cheers

Well, part of the problem here is that MSN doesn't stay with just that one host. You connect to a nexus node which then instructs you to connect to a different server. I think my docs on what all to open may be misleading. Thing is, I'm not real sure what the list of possible addresses is. I'm not having any luck finding that information via Google. I was expecting some sort of "just grant 1.2.3.* on port 1863 and you'll be fine". But I'm just not finding that. Do you have a proxy set up? You may want to add a vote to proxy support. =)
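Added example, not part of the original thread or of the gateway plugin's code: a small Python check over a debug log in the format quoted in the first post. It lists the servers named in XFR redirects (which a host-limited rule for port 1863 would not cover) and flags a connect timeout that follows the `USR ... TWN S` challenge, the pattern the thread traced to blocked port 443. The function name `diagnose`, the result keys and the sample log are constructed for illustration.

```python
import re

# One debug-log line: timestamp, then a sent/received protocol message or an exception.
LINE = re.compile(
    r"^\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d MSN: "
    r"(?:Session (?P<dir>messageSent|messageReceived) for \S+ : (?P<msg>.*)"
    r"|Exception occurred for \S+ : (?P<err>.*))$"
)
ENDPOINT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\b")

# Constructed sample in the thread's log format (the account name is a placeholder).
SAMPLE_LOG = """\
2007.02.14 04:15:12 MSN: Session messageReceived for user@example.com : XFR 3 NS 207.46.110.60:1863 0 65.54.239.20:1863
2007.02.14 04:15:12 MSN: Session messageSent for user@example.com : USR 3 TWN I user@example.com
2007.02.14 04:15:12 MSN: Session established for user@example.com
2007.02.14 04:15:12 MSN: Session messageReceived for user@example.com : USR 3 TWN S lc=1033,id=507,tw=40
2007.02.14 04:15:23 MSN: Exception occurred for user@example.com : java.net.ConnectException: Connection timed out
2007.02.14 04:16:15 MSN: Session closed for user@example.com
"""

def diagnose(log_text):
    """Return redirect targets and whether login stalled after the TWN challenge."""
    redirects, challenged, stalled = set(), False, False
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # "Session established/closed" lines and wrapped fragments
        if m["err"] is not None:
            # A connect timeout while a challenge is pending means the next outbound
            # connection failed (per the thread: the HTTPS ticket fetch on port 443).
            stalled |= challenged and "ConnectException" in m["err"]
        elif m["dir"] == "messageSent":
            challenged = False  # the client progressed past any pending challenge
        else:
            fields = m["msg"].split()
            if fields[:1] == ["XFR"]:
                redirects |= {(ip, int(p)) for ip, p in ENDPOINT.findall(m["msg"])}
            elif fields[:1] == ["USR"] and fields[2:4] == ["TWN", "S"]:
                challenged = True
    return {
        "redirects": sorted(redirects),
        "auth_phase_timeout": stalled,
        "suspect_blocked_ports": [443] if stalled else [],
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

An empty `suspect_blocked_ports` with a non-empty `redirects` list still matters for rule design: every address in `redirects` has to be reachable on its listed port.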