Talk Among Yourselves
A private IM environment may be just the answer to give your company all the benefits of IM while mitigating the inherent security risks.
- By Don Jones
- February 01, 2005
Instant messaging: Love it or hate it, it isn't going away. The increasing popularity of public messaging networks like MSN, AOL Instant Messenger (AIM), ICQ and Yahoo have made instant messaging (IM) a part of everyday life for many people. And now it's finding its way into the workplace.
IM offers quick, convenient communication that has been missing in many companies. It provides the ease of e-mail with the immediacy of a phone call. It can boost productivity, but like any other communications tool, including e-mail, too much of a good thing can be bad. You need to carefully manage how it's used.
To provide a more manageable and secure IM environment for use across the enterprise, a number of companies have introduced private IM solutions. Instead of the open access of a public messaging platform, your own IM system is something you can manage and control entirely within the scope of your own network.
Public IM networks are ubiquitous but dangerous. The advent of spim (the IM equivalent of spam) saps productivity, while built-in file-sharing mechanisms make for attractive new virus vectors for potential attackers. The ability to instantly transmit sensitive corporate information across the Internet in clear text is a serious concern, while the lack of auditing and accountability presents challenges for many industries already facing tough auditing legislation. In fact, many companies are so scared of IM that they simply block access to it in their firewalls. This clearly eliminates the threat, but also wipes out any possible benefits.
The perceived threat of IM comes down to one issue: control. You simply can't trust servers outside your control to maintain security or to handle sensitive data. Even if Yahoo were to add strong encryption to its Messenger product, or if MSN were to build in virus and spim filters, it wouldn't matter: if the service is outside your direct control, you can't verify those protections, and you can't trust it with your company's security and health. That's why a private IM network is so compelling.
The Power of the Server
For all their competitive stature, IM clients are quite similar. They all offer basic one-on-one conversations, as well as "rooms" for holding multi-participant conversations. Most offer built-in options for transferring files and many provide built-in voice and video capabilities. (So you finally have a reason to buy that webcam.) Clients typically include some sort of contact list, as well. Some of those even integrate with Outlook's Contacts folder for greater convenience.
We're not going to focus a lot on the client side of the IM equation, simply because the clients are so much alike. Instead, let's talk about the real power behind IM—the server.
In This Roundup:
Microsoft Live Communications Server
$1,199 Standard Edition Server license with five client access licenses
$4,969 Enterprise Edition Server license with 25 client access licenses
Effusia Business Messenger
Pricing ranges from $40 per seat for 5 to 24 users to $12 per seat for more than 500 users
Liquid Communication Systems LLC
$30 per seat
All IM servers feature basic presence capabilities. In other words, they keep track of who is online and provide a means for users' IM clients to find one another. This basic functionality has been around for a long time in products like Microsoft Internet Locator Server (ILS) and even in Exchange 2000 Server, which included built-in IM presence features. Presence is the quintessential function of IM. Everything else is icing.
Communications with Control
Microsoft Live Communications Server 2005
Microsoft Live Communications Server (LCS) 2005 is the second generation of Microsoft's enterprise IM offering. It works with the Windows Messenger client (version 5.1 is the latest), which itself is a core (or at least a bundled) component of Windows XP.
LCS relies on Active Directory. It makes some modest extensions to the AD schema, including attributes that are replicated to the Global Catalog (GC). That's important to note because in anything but a pure Windows Server 2003 forest, adding attributes to the set the GC replicates forces the Windows 2000 GC servers to rebuild and fully resynchronize their databases.
In larger forests, that is a process you'll want to schedule for a quiet time of day or at night when it won't affect your users as much. Once the GCs have been rebuilt, you can "IM-enable" individual users or groups of users by modifying their properties in AD Users and Computers (see Figure 1). This is an important concept, because it means that not all users need to be IM-enabled. You can be selective because you have complete control over who uses the service.
Figure 1. Microsoft Live Communications Server lets you use Active Directory to apply properties and IM-enable specific users and groups.
LCS lets you configure the system to automatically archive all IM conversations, a setting you can apply server-wide or per user. If you choose to archive conversations, you'll have to install Microsoft Message Queuing (MSMQ) manually before you deploy LCS, because the archiving service delivers conversation records through it.
LCS uses SQL Server for storage. LCS Standard Edition, which only supports servers that use local storage, automatically installs the Microsoft SQL Server 2000 Desktop Engine (MSDE), the free version of the SQL Server 2000 engine. This matters from a patching standpoint: the LCS server then contains a SQL Server engine, and it must receive every SQL Server security patch and service pack Microsoft issues, just as a full SQL Server installation would.
The Enterprise Edition can support multiple servers running from a single back-end database—a technique Microsoft calls an Enterprise Pool. In this scenario, you'll want to use the real SQL Server, which means shelling out for a license if necessary.
The LCS Setup wizard offers some good deployment advice, and gives some clues about LCS performance tuning. It recommends, for example, that you install LCS on a different drive from the system page file, and that the LCS database and transaction logs also be stored separately on different drives.
LCS goes beyond basic presence features to provide powerful enterprise-class IM routing. For example, you can create federations of LCS servers. Simply put, a federation includes all your LCS servers, plus the servers at your partner companies, customers or wherever else your IM contacts exist. You can program LCS with static routes, so your IM users can converse with partner companies simply by routing the IM traffic.
For example, if a user in the company.com domain wants to send an IM to a user at customer.net, the LCS servers at company.com just need a route to the customer.net LCS servers, and then the conversation can begin. Figure 2 shows how you can set up the routes in the LCS management console.
Figure 2. The LCS management console lets you set up routes to IM users in other Internet domains so your users can securely IM outside your network.
LCS also provides proxy functionality that lets external users, such as Internet users, send incoming messages to your company's IM users. You keep complete control of this incoming traffic: which external domains and users are allowed in, and what they may reach, are decisions that stay in your hands.
In the coming months, Microsoft will introduce connectors for LCS that let your IM users interact with users signed up with Yahoo Messenger, MSN Messenger and AIM—the three most popular public IM networks. These connectors will provide control over public-private traffic, and will likely carry an additional license fee.
If you have so many users that you need multiple LCS servers, you can install LCS in a Director mode on one computer. This Director will receive incoming requests and route them to the appropriate LCS server, providing a sort of load-balancing capability similar to Exchange Server's ability to determine which back-end server hosts a user's mailbox.
All in all, LCS offers an easy-to-deploy IM solution that provides good corporate controls, integration across companies and forthcoming integration with public IM networks. That public integration may be an important selling point to your users, and may help smooth a transition from public IM to LCS.
Straightforward and Secure
Effusia Business Messenger
Effusia Business Messenger is a simpler IM product than Microsoft LCS, which makes it easier to deploy and manage. That simplicity comes at the expense of some of LCS' more advanced features. Business Messenger offers both Windows and Linux versions, making it quite suitable for environments that use both operating systems at the desktop.
Business Messenger doesn't integrate in any way with Active Directory, which is a good thing if you think you already have enough services relying on AD. However, it can also be a bad thing, because it means you'll need to manually configure all of your users and their passwords independently within the Business Messenger Admin console (see Figure 3). It would have been nice to be able to import users from a directory like AD, particularly when adding Business Messenger to a large environment.
Figure 3. Business Messenger doesn't integrate with AD, so you'll need to manually configure users from within its console.
Business Messenger lets you create your own user groups. A member of a group will automatically see the group members who are currently online and all other group members in their contact list within the Business Messenger Console (the IM client application). Observers of a group can see the group's members without officially belonging to that group.
With Business Messenger, you can send an IM to all online group members at once ("Meeting in five minutes, everyone!"), a nice convenience for workgroups and departments within a larger organization. Once again, because most organizations will have already created and populated user groups in a directory like AD, it would be nice to be able to import those user names and addresses for the initial setup.
Business Messenger also includes a Web-based reporting and auditing application (see Figure 4), which provides a number of useful report formats. You can generate reports that include conversations containing questionable content, usage trends, file transfer statistics and more. Most of these reports are based on Business Messenger's built-in, XML-based IM traffic logging. These reports can be a key tool in properly managing an IM infrastructure, especially when it comes to monitoring users for proper use of the company's IM resources.
Figure 4. Effusia Business Messenger's reporting and auditing tool lets you generate reports on usage trends, questionable content, file transfer and more.
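To make the reporting idea concrete, here is an added example (not Effusia's code, and not its real log schema) that runs the three kinds of checks the reports cover over a small XML IM log: content rules for questionable messages, per-sender file transfer statistics with a blocked-extension check, and per-user message counts for a usage trend. The element names, the sample log, the keyword list and the blocked extensions are all constructed assumptions for illustration.

```python
import os
import re
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample log. The element and attribute names are an assumption
# made for this example; they are not Effusia's actual log schema.
SAMPLE_LOG = """<imlog>
  <message ts="2005-02-01T09:12:03" from="alice" to="bob">Meeting in five minutes, everyone!</message>
  <message ts="2005-02-01T09:14:41" from="bob" to="alice">The Q4 numbers are confidential, send them via the share.</message>
  <filetransfer ts="2005-02-01T09:15:02" from="bob" to="carol" name="q4-forecast.xls" bytes="184320"/>
  <message ts="2005-02-01T09:20:17" from="carol" to="bob">use the corp card 4111 1111 1111 1111 exp 12/07</message>
  <filetransfer ts="2005-02-01T09:31:55" from="alice" to="bob" name="party.exe" bytes="51200"/>
</imlog>"""

# Content rules (hypothetical policy): a keyword list and a card-number pattern.
# The card pattern is validated with a Luhn check to avoid flagging random digit runs.
CONTENT_RULES = {
    "confidential-keyword": re.compile(r"\b(confidential|internal only|do not distribute)\b", re.I),
    "card-number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}
# File types that should never travel over IM (hypothetical policy).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".vbs"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string; True for a structurally valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_log(xml_text: str) -> list:
    """Turn the XML log into a list of plain dict events, one per message or transfer."""
    events = []
    for el in ET.fromstring(xml_text):
        ev = {"kind": el.tag, "ts": el.get("ts"), "from": el.get("from"), "to": el.get("to")}
        if el.tag == "message":
            ev["text"] = el.text or ""
        elif el.tag == "filetransfer":
            ev["name"] = el.get("name", "")
            ev["bytes"] = int(el.get("bytes", "0"))
        events.append(ev)
    return events


def scan_messages(events: list) -> list:
    """Return (rule, sender, recipient, ts) for each message that trips a content rule."""
    hits = []
    for ev in events:
        if ev["kind"] != "message":
            continue
        for rule, pattern in CONTENT_RULES.items():
            m = pattern.search(ev["text"])
            if m is None:
                continue
            if rule == "card-number" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue  # a 13-16 digit run that is not a valid card number
            hits.append((rule, ev["from"], ev["to"], ev["ts"]))
    return hits


def scan_transfers(events: list):
    """Per-sender file transfer statistics, plus any transfers of blocked file types."""
    stats = defaultdict(lambda: {"files": 0, "bytes": 0})
    blocked = []
    for ev in events:
        if ev["kind"] != "filetransfer":
            continue
        stats[ev["from"]]["files"] += 1
        stats[ev["from"]]["bytes"] += ev["bytes"]
        if os.path.splitext(ev["name"].lower())[1] in BLOCKED_EXTENSIONS:
            blocked.append((ev["from"], ev["to"], ev["name"]))
    return dict(stats), blocked


def message_counts(events: list) -> Counter:
    """Messages sent per user, the raw material for a usage-trend report."""
    return Counter(ev["from"] for ev in events if ev["kind"] == "message")


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in scan_messages(evs):
        print("content hit:", hit)
    stats, blocked = scan_transfers(evs)
    print("transfer stats:", stats)
    print("blocked transfers:", blocked)
    print("messages per user:", dict(message_counts(evs)))
```

Run as a script it prints the two content hits (the "confidential" message and the card number), the per-sender transfer totals, the blocked party.exe transfer and the per-user message counts. The Luhn check is the part worth copying: a bare 13-to-16-digit regex over chat traffic produces far more noise than signal.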
Business Messenger lacks any means to integrate with other servers, even within the same organization. The assumption seems to be that one organization will have one Business Messenger server, and there will be no need to use IM to communicate outside the organization.
This aspect of Business Messenger is truly a double-edged sword. If you need to use IM to communicate with partners' or customers' IM systems, the lack of integration is a significant downside. On the other hand, if you're looking to provide in-house IM with no outside connectivity (and therefore less risk of IM-based attacks or information disclosure), Effusia's lack of connectivity provides a comfortable, hard-and-fast border.
Effusia's IM client isn't as slick-looking or as full-featured as Windows Messenger, but it provides the basic functionality you would expect from an IM client, including contacts and file-transfer capabilities. Users have a couple of different options for customizing the look and feel of the client, but Effusia has chosen to err on the side of simplicity. It provides a small, lightweight client that is not likely to become a major help desk issue. (With fewer features, users get into fewer problems.)
From an administrator's perspective, managing Business Messenger is straightforward and intuitive, albeit with a few quirks. For example, logging into the Admin console logs out your client and drops any IM conversations you may have had in process. This is because your account can only have one connection (client or admin) to the server at one time. Just be sure you're not in the middle of anything when you need to check the Admin console. These minor quibbles aside, administering Business Messenger is quite simple, and will rarely require that you refer to the short, easy-to-read manual that comes with the system.
(Note: An updated version of Effusia Business Messenger is expected shortly. It was not available for review at press time.)
Open for Business
Jabber XCP is based on XMPP, an open, XML-based IM protocol that the IETF has published as a standard. "Jabber" is the nickname for the protocol itself, as well as the name of the company behind the product.
The platform includes the Windows-based Jabber Messenger client, a Jabber WebClient and Jabber XCP, the Extensible Communications Platform that is the server piece of the solution. The server side is available in Linux, Unix and Windows flavors. Back-end database support for Jabber comes from either a built-in database, Oracle or PostgreSQL. A forthcoming release of Jabber XCP will also add Microsoft SQL Server support.
IM, with a Side Order of Security
If you're not ready to roll out your own corporate IM solution, but simply want to take control over how your users are using public IM on your network, a class of IM "companion" products may be just what the doctor ordered.
These products provide gateway control, which lets you control when IM can be used, filter content, block both incoming attacks and outgoing leaks of confidential information, perform antivirus scanning and more.
They provide an extra level of security and control for organizations that are concerned about safety and data theft, but aren't ready to cut off all user access to the public IM networks.
Akonix Enforcer is a perimeter security solution that detects and blocks IM traffic, peer-to-peer file sharing, and similar applications. Enforcer integrates with Akonix's L7 Enterprise product, which is an IM management gateway that provides content filtering, gateway control and other IM management features (www.akonix.com).
SurfControl's IM Filter provides gateway control, content filtering and antivirus scanning. Like Enforcer, SurfControl's product also protects or blocks peer-to-peer file sharing software (www.surfcontrol.com).
— Don Jones
Jabber XCP consists of multiple components. There's the Jabber Communications Platform at the core of the system, the Jabber Directory Suite (JDS) component to provide authentication (including integration with LDAP-compatible directories like AD) and Server Connection Manager to maintain communications between Jabber servers.
JDS is quite robust. You define the connections to the LDAP directory and your users are integrated into Jabber. Even AD groups show up as Jabber "communities," which makes system configuration a snap. Jabber's offline capabilities (it can forward IM messages via e-mail when a user is offline) integrate with AD as well, meaning you won't spend any additional time setting up users in Jabber.
With the Server Connection Manager, you can connect Jabber servers with one another to communicate with partners, customers and external systems. Several independent developers have also created gateways between Jabber and public IM systems like MSN, AIM and Yahoo.
Jabber's WebClient is what differentiates it from Microsoft's Live Communications Server and Effusia Business Messenger. The Web client is fully functional, and you can easily incorporate it into existing portal sites, customize it to fit your company's image and so on. Because it relies solely on HTTP, the WebClient works easily through most firewalls, unlike other IM clients that require you to open a dedicated port. The flip side is that a port-based firewall rule can no longer tell this IM traffic apart from ordinary Web browsing, so any policy you want to enforce on it has to live in the Web proxy or in the Jabber server itself.
Jabber has a great deal of embedded security and auditing features, including complete message logging and message encryption. In fact, Jabber is one of the few IM products to place a heavy emphasis on security. The underlying open standard (XMPP) defines a number of security-specific features, including TLS for encrypting the stream and SASL for authenticating to it. That said, if you plan to use IM entirely within your own environment, some of these features will matter less, since your IM traffic will never leave your intranet. Don't dismiss transport encryption on that basis alone, though: anyone who can sniff the internal LAN can read unencrypted IM just as easily as an Internet attacker could.
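To show what the XMPP security features look like on the wire, here is an added example (not Jabber's code, and not captured from any product) that parses the stream features a server advertises after the stream opens and applies two checks: what a careful client should do next (upgrade to TLS before authenticating, and never send a PLAIN password over a cleartext stream), and what an administrator auditing a server's advertised features would want flagged. The two stanzas are constructed inputs; the namespaces are the ones XMPP defines for stream features, STARTTLS and SASL, and the preference policy is an assumption of this example.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed <stream:features> stanzas of the kind a server sends when a stream opens.
# They are sample inputs for this example, not captures from any product.
FEATURES_TLS_REQUIRED = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>DIGEST-MD5</mechanism>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""

FEATURES_NO_TLS_PLAIN_ONLY = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""

# Client policy (an assumption of this example): prefer DIGEST-MD5, and never
# send a PLAIN password on a stream that has not been upgraded to TLS.
PREFERRED_MECHANISMS = ["DIGEST-MD5", "PLAIN"]
CLEARTEXT_FORBIDDEN = {"PLAIN"}


def parse_features(xml_text: str) -> dict:
    """Extract STARTTLS availability and the advertised SASL mechanisms."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS_STREAM}}}features":
        raise ValueError("not a stream:features stanza")
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    mechs = root.find(f"{{{NS_SASL}}}mechanisms")
    return {
        "starttls": starttls is not None,
        "tls_required": starttls is not None and starttls.find(f"{{{NS_TLS}}}required") is not None,
        "mechanisms": [m.text.strip() for m in mechs.findall(f"{{{NS_SASL}}}mechanism")]
        if mechs is not None else [],
    }


def next_step(features: dict, tls_established: bool) -> tuple:
    """What the client does next: ("starttls", None), ("auth", mechanism) or ("abort", reason)."""
    if not tls_established and features["starttls"]:
        return ("starttls", None)  # always upgrade before sending credentials
    for mech in PREFERRED_MECHANISMS:
        if mech not in features["mechanisms"]:
            continue
        if mech in CLEARTEXT_FORBIDDEN and not tls_established:
            continue  # refuse to put a password on the wire in the clear
        return ("auth", mech)
    return ("abort", "no acceptable SASL mechanism" + ("" if tls_established else " on a cleartext stream"))


def audit_server(features: dict) -> list:
    """Findings an administrator would want to see about a server's advertised features."""
    findings = []
    if not features["starttls"]:
        findings.append("STARTTLS not offered: all IM traffic on this stream is cleartext")
    elif not features["tls_required"]:
        findings.append("STARTTLS optional: clients may authenticate and chat in cleartext")
    if "PLAIN" in features["mechanisms"] and not features["tls_required"]:
        findings.append("PLAIN offered without mandatory TLS: passwords may cross the wire in cleartext")
    return findings


if __name__ == "__main__":
    for label, xml_text in [("tls-required", FEATURES_TLS_REQUIRED),
                            ("plain-only", FEATURES_NO_TLS_PLAIN_ONLY)]:
        f = parse_features(xml_text)
        print(label, "->", next_step(f, tls_established=False), audit_server(f))
```

Against the first stanza the client answers with STARTTLS and, once the stream is encrypted, authenticates with DIGEST-MD5; the audit is clean. Against the second it aborts rather than send a PLAIN password in the clear, and the audit reports both the missing STARTTLS and the cleartext PLAIN offer. Running the audit against your own server's features stanza is a quick way to confirm that "message encryption" is actually enforced rather than merely available.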
While Jabber provides more in the way of security and scalability, it requires a higher level of design and planning prior to deployment and operation. That level of complexity does not, however, extend to its administration. Administration is handled via a Web-based console. It's easy, straightforward and well documented. Jabber comes across as a well thought-out and engineered product. Its breadth of functionality and depth of technology can make it somewhat intimidating at first, but the product installs with sensible defaults and you can be up and running fairly quickly.
Of the IM systems in this roundup, Jabber is probably the one best suited to be a public IM product in the league of MSN, AIM and Yahoo. Microsoft Live Communications Server and Effusia Business Messenger are neither designed nor intended for that purpose.
The Last Word
Enterprise IM has come a long way from products like Microsoft's ILS. Today's products offer more robust features and in many ways rival the functionality of long-established public IM networks.
You'll want to carefully consider your needs before choosing a private, corporate IM system. Will AD integration be critical, or are you okay with setting up separate user accounts for IM? Will you need highly configurable communications with partners (who will be running the same product), or do you intend to keep all IM traffic on your intranet? Will you need high-end connectivity options like those offered by Jabber? Will security be a concern, requiring message traffic to be logged, encrypted and so on? Will you need to tightly control IM interactions between sets of users, as Jabber allows, or will IM in your environment be more of a free-for-all?
There's no doubt that IM is becoming an important business communications tool. It's very similar to the way e-mail has become an indispensable part of almost every business. Simply ignoring and blocking IM won't get you very far for very long. You'll eventually need to take the bull by the horns and do corporate IM the right way.