We want our users to be able to use Instant Messaging (IM) to communicate with other in-house employees. What's the best way to give our users access to Exchange Server IM without allowing inbound or outbound IM traffic?

You can use several methods to prevent Exchange IM users from exchanging IM traffic with Internet users, but the best one depends on which IM client your users run and whether you can configure your firewall to block the relevant traffic. Here are some guidelines:

  • If your users are using the Exchange IM client (which looks similar to, but is implemented differently from, the standard Windows Messenger and MSN Messenger clients), see the Microsoft article "XFOR: How to Configure Instant Messaging Client System Policy Settings" (http://support.microsoft.com/?kbid=264472). In particular, you can restrict the Exchange IM client to connecting only to Exchange IM servers by setting the ExchangeConn registry value (data type REG_DWORD) to 2 under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies registry subkey. The best way to apply this setting is through an Active Directory (AD) group policy, so that a user can't simply change it back.
  • If your users are using the Windows Messenger client with plugins that allow Exchange access, you'll have to create a group policy that adds two new registry values under the HKEY_CURRENT_USER\Software\Policies\Microsoft\Messenger\Client registry subkey, one in each of two GUID-named subkeys. Both values are named Disabled, are of data type REG_DWORD, and should be set to 1. To turn off the Microsoft .NET Messenger Service plugin, add a value named Disabled to the {9b017612-c9f1-11d2-8d9f-0000f875c541} subkey; to turn off the Communications Services plugin, add a value named Disabled to the {83D4679F-B6D7-11D2-BF36-00C04FB90A03} subkey.
  • If you simply want to block the IM traffic at the network perimeter, block all TCP port 1863 access to any host in the msgr.hotmail.com domain. To turn off IM and chats only, block UDP ports 13324 and 13325. Keep in mind that a port-based block covers only the ports you list, and that the addresses behind a domain name can change, so verify from a client that the connection actually fails and, where you can, combine the firewall rule with the client-side policy settings above rather than relying on either alone.
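The two registry-based settings above are the kind of thing you'll want to stage on a test client before pushing them out through Group Policy. The following PowerShell script is an added example, not part of the original column or of any Microsoft article: it writes the ExchangeConn and Disabled values exactly as described (same subkeys, names, types and data) and then reads them back so you can confirm the policy took effect. It assumes an elevated session for the HKEY_LOCAL_MACHINE value and that it runs as the user whose HKEY_CURRENT_USER hive you want to change; the function names Set-PolicyValue and Test-PolicyValue are the script's own.

```powershell
# Added example: apply and verify the Exchange IM client restrictions described above.
# Run elevated (the ExchangeConn value lives under HKLM) and as the target user
# (the Disabled values live under that user's HKCU). In production, deliver the
# same values through an AD group policy instead of running this on each client.

$ErrorActionPreference = 'Stop'

# 1) Exchange IM client: ExchangeConn = 2 limits the client to Exchange IM servers.
$exchangeClientSettings = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\MessengerService\Policies'; Name = 'ExchangeConn'; Value = 2 }
)

# 2) Windows Messenger with Exchange plugins: Disabled = 1 in each plugin's GUID subkey.
$messengerBase = 'HKCU:\Software\Policies\Microsoft\Messenger\Client'
$messengerPluginSettings = @(
    # .NET Messenger Service plugin
    @{ Path = "$messengerBase\{9b017612-c9f1-11d2-8d9f-0000f875c541}"; Name = 'Disabled'; Value = 1 }
    # Communications Services plugin
    @{ Path = "$messengerBase\{83D4679F-B6D7-11D2-BF36-00C04FB90A03}"; Name = 'Disabled'; Value = 1 }
)

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path -LiteralPath $Path)) {
        # -Force also creates any missing parent keys (e.g. ...\Messenger\Client)
        New-Item -Path $Path -Force | Out-Null
    }
    # Both settings are REG_DWORD; -Force overwrites an existing value of any type
    New-ItemProperty -LiteralPath $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Test-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    # Returns $true only if the key exists, the value exists, and the data matches
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$Name -eq $Expected)
}

$allSettings = $exchangeClientSettings + $messengerPluginSettings

# Apply every setting (hashtable keys match the parameter names, so splatting works)
foreach ($setting in $allSettings) {
    Set-PolicyValue @setting
}

# Verify and report; a non-zero exit code makes this usable from a deployment script
$failures = 0
foreach ($setting in $allSettings) {
    $ok = Test-PolicyValue -Path $setting.Path -Name $setting.Name -Expected $setting.Value
    $state = if ($ok) { 'OK  ' } else { 'FAIL' }
    Write-Host ("{0} {1}\{2} = {3}" -f $state, $setting.Path, $setting.Name, $setting.Value)
    if (-not $ok) { $failures++ }
}

exit $failures
```

Because the HKCU values are per-user, a Group Policy Preference or administrative template applied to the user's OU is the right delivery mechanism for those two; the HKLM value can go in the computer side of the same policy. Rerun the script (or just its verification loop) on a client after a policy refresh to confirm nothing has reset the values.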