How Chat Service Works

Chat Service is a Microsoft Windows NT service based on Internet Relay Chat (IRC), a client-server protocol that supports real-time conversation between two or more users over a TCP/IP network. Since its development in 1988, IRC has become an Internet standard that currently forms the basis of several worldwide chat networks. IRC is defined in Request for Comments (RFC) 1459, "Internet Relay Chat Protocol."

In 1997, Microsoft developed IRCX, a set of extensions that enhance the functionality of the IRC protocol. IRCX provides optional user authentication for multiple security providers, Unicode character support, and multilayer security. IRCX also provides enhancements to standard IRC commands and several new commands for managing users and channels on a chat server.

Chat Service operates over a TCP/IP network of computers running Windows NT Server 4.0. Chat users log on to and communicate through chat servers on port 6667, the default TCP port for client-to-server communication. If port 6667 is in use by another service or process, clients can connect to a server on port 7000, the alternate client-to-server TCP port. These port numbers are defaults and can be changed to any value between 1 and 65535.

Portals: Connecting Chat Servers on a Network

Chat servers communicate with each other through portals. To connect two chat servers, you create a portal on each server that contains information about the server at the other end of the connection. For example, suppose you want to connect servers Chatsrv1 and Chatsrv2. The portal from Chatsrv1 to Chatsrv2 consists of a portal name, Chatsrv2's IP address and server ID number, and the server-to-server TCP port (6665 by default). Similarly, the portal from Chatsrv2 to Chatsrv1 consists of a portal name, Chatsrv1's IP address and server ID number, and the server-to-server TCP port. Each server uses the portal information to establish a network connection to the other server.

For servers on a chat network to operate as a unit, they must share information such as global channels, client and channel access restrictions, and so on. This state information is propagated throughout the network by means of an uplink. Portals provide the network paths for server-to-server communications; the uplink indicates the direction that state information travels between two servers. Each server on the chat network must receive state information from exactly one other server. For this reason, server uplinks must be set so state information is propagated according to a spanning-tree topology (no loops).

For an example of how portals are used to connect chat servers, see Setting Up a Three-Server Chat Network.

Security: Controlling User Access to Servers and Persistent Channels

When Chat Service is first installed, it imposes no logon restrictions on chat users. Any user can establish an anonymous client connection with the chat server. With Chat Service, you can use the following methods to control user access to a server:

Accepting connections only from clients using specific chat protocols. You can designate whether a server accepts connections only from Microsoft Internet Chat (MIC) clients, IRC/IRCX clients, or both.
Limiting the number of client connections from anonymous users. The server can deny all anonymous users (that is, allow only authenticated users) or allow connections from up to 10,000 anonymous users.
Requiring locally authenticated connections. In this case, users must log on to the server using a clear-text password or NTLM authentication.
Requiring users to connect to the server using one of the authentication methods provided by Authentication Service, a feature of Microsoft Site Server version 3.0. For example, the server can allow connections only from users who are members of a Distributed Password Authentication (DPA) group that you create on a membership server. This is the most secure method of controlling server access.

You can control user access to a persistent channel using the following methods:

Requiring a password in order to join the channel. In this case, only users with the designated owner, host, or member password can join the channel.
Associating a member account with the channel. Only users who belong to a member account that has been associated with the channel can join the channel.
Assigning joining restrictions to the channel. Access to a channel can be by invitation only or limited to authenticated users.

For information about specific ways to control user access to a persistent channel, see Creating a Secure Channel.

Note You can also prevent users from joining a server's dynamic channels by making them members of a user class that has the Cannot join dynamic channels option selected.

User Classes: Protecting Your Chat Servers and Users

A Windows NT administrator or chat sysop manager can create user classes to impose collective restrictions on groups of chat users. A user class is a logical collection of chat users whose membership in the class is based on one or more of the following criteria:

The user's chat client protocol (for example, IRC).
Whether the user logged on to the service as an authenticated user or as an anonymous user.
The user's ident mask (for example, *@microsoft.com) or IP address.

To determine whether a particular user belongs to a class, Chat Service searches the existing classes in alphanumeric order. If a user matches any of the selection criteria associated with a defined class, Chat Service adds the user to that class and imposes its restrictions on the user.

User classes allow you to protect a chat server and its users from flooding and other types of attacks. With user classes, you can control users' ability to log on to the server, create or join dynamic channels, or become a channel owner or host. You can also regulate the processing of messages from class members, limit the number (and type) of channels they can create on the server, and set up an attack protection mechanism. For information about configuring user classes, see Managing Chat Service Users.

For more information about configuring Chat Service, see Operating Microsoft Exchange Chat Service.