How to build your own corporate IM system

Consider these three strategies before you dive in

Corporate IT managers who haven't gotten on board with instant messaging need to start paying attention and evaluating how they will design their own IM systems.

There are many reasons why IM makes sense for business uses, all of which go beyond hyperactive teen talk.

  • First, workers have become more mobile and a lot harder to track down, particularly as secretarial support has disappeared and voice mail becomes the norm. IM automatically tells you who is available, and who is not, at any given hour of the day.
  • Second, e-mail is no longer the productivity tool it once was, now that pipes are clogged with spam, viruses and phishing attacks. Getting a quick response via e-mail now seems so quaint, so last year, especially when you converse in real time with IM.
  • Third, IM enables better collaboration and a tighter sense of community. With IM, you can educate an entire team, give them real-time feedback, develop relationships and cement the team together.
  • Fourth, the next generation of IM is not just about text chats; it offers solid integration with voice-, web- and videoconferencing, making it easier for remote workers to feel a part of the action.
  • Finally, IM's features and its ability to track down someone no matter where he is located are attractive to customers, partners and suppliers that need a guaranteed method of communication with you.

All these advantages mean that IM is becoming the key technology ingredient for corporations that are looking for faster customer response times, better ways to tie their customers closer together and tools to enable teleworkers to communicate across the globe.

Recognizing this, AOL LLC last week announced a business-oriented IM client called AIM Pro that offers integration with Outlook and other features to try to attract the corporate user. (See Computerworld's review of AIM Pro.)

IM isn't communications nirvana. It brings a new infection vector into corporate networks, and exploits can spread faster because users think they are dealing with trusted sources.

IM can also bring in another unmonitored channel for companies that are used to recording all client conversations -- and the potential legal liability of an unmonitored or undocumented channel at that. Getting IM networks to talk to each other is still more of a black art than science. (Tips on how to get public IM systems to interoperate with each other, and various multisystem IM clients that you can use, can be found on my Web page.)

And without the proper controls, IM communications can offer yet another distraction for workers already enamored with online sports and other more salacious diversions from the work day.

Before you dive into the world of IM, there are three basic strategies you will want to consider:

  • First, deploying one of the various IM blocking and monitoring products to prevent any unauthorized public IM use.
  • Second, using software from Microsoft Corp. or IBM's Lotus, the major private IM system vendors.
  • Finally, building your own IM system using a variety of open sources.

These three strategies aren't mutually exclusive, so you might want to mix and match. (A good place to stay current with IM developments is Jeff Hester's all-purpose IM news site. It has discussion forums, news and tips.)

Blocking and monitoring IM

If you are just getting started with IM, then it might make sense to use the blocking/monitoring gear. You can buy some time and use a public IM client such as AIM Pro or Yahoo until you build your own system -- and protect your network in the process. The downside is that your users could become more dependent on the public IM suppliers for their IM needs, and it might be more difficult to break these ties later on when their IM buddy networks are well developed. Also, most of the public IM clients don't offer ways to encrypt your communications, and regardless, anyone on the Internet can communicate with your staffers via IM if they know their screen names.

Typically, the blocking products take the form of using a specific appliance or setting up a series of firewall rules. (AOL has discontinued selling its AIM Enterprise Gateway that did some of these functions.) If you go the appliance route, the largest vendors in this area include Symantec Corp./IMLogic, Akonix Systems Inc. and FaceTime Communications Inc. If you go for just firewalls, you will find that blocking IM traffic isn't easy, and you'll need to spend some time learning their protocols, ports and processes. (To read more, see my article for Cisco's Internet Protocol Journal about the inside mechanisms of IM clients, protocols and servers.)

FaceTime is one IM protection company that has branched out and taken a broader perspective. It sells two products, one for auditing and the other for overall management.

"Our focus is on managing and securing gray networks," said FaceTime CEO Kailash Ambwani. "IM is an important piece of what we do, but it isn't the only thing. We want to protect against everything that an end user can bring into the enterprise and block malware and spyware whatever the vector."

You will want to keep several things in mind as you evaluate these offerings. Each product blocks or manages a different series of IM and peer-to-peer services. Most have yet to figure out a way to block Skype connections, for example.

Next, understand how these IM protection products can complement your intrusion-detection and -prevention systems. "IPS and IDSs don't always work for IM threats," said Art Gilliland, director of product marketing at Symantec. "A lot of times, virus traffic looks like safe traffic over IM. For this reason, you need security at multiple layers and at multiple points across your network."

Third, realize that most of the IM systems have Web-based clients or clients that run on mobile phones and PDAs.

"IM clients can be resourceful," said Michael Osterman, an independent IM analyst. "If you block Port 80, you can unintentionally block legitimate Web traffic, so you have to do more sophisticated things." How the security system manages and blocks this kind of traffic is important, since infections can easily spread from these sources.

Look at what reports are available from the protection systems, and determine if you need particular reports for compliance or other legal reasons. Finally, if you are using these products for security reasons, examine how often they update their exploit signatures. Obviously, the more frequent the updates, the better the protection.

Lotus SameTime

If the thought of having your users communicating on an open, unencrypted, public IM system such as AOL or MSN makes you cringe, then you should think about purchasing one of the private IM systems from either Microsoft or Lotus. While the new AIM Pro client offers encryption (and companies such as Parlano have been offering encrypted add-ons for years), the private systems offer more: You'll get more control over who is talking to whom, you can more easily integrate your IM identity with your existing corporate e-mail and directory servers, and you have monitoring and encryption built in. The downside is that the private IM systems are only just now integrating with the public IM systems, so if you want to communicate with partners and others outside of your internal network, it will take some effort.

Lotus SameTime was one of the first systems to mix a private IM network with support for one of the public networks, in this case AOL. The next release will also support Yahoo and Google Talk, but not MSN. The new version will also extend support to Outlook and Sharepoint users, along with various mobile devices such as BlackBerries and Nokia smart phones.

Pricing for SameTime is $55 per user. Lotus doesn't charge for the additional connectivity to the public IM networks, webconferencing or telephony integration, unlike Microsoft.

The new SameTime software includes a complete rewrite of the client, using the Eclipse open-source tools that IBM is so fond of. Another point in Lotus' favor is that the software runs equally well across Windows, Mac and Linux clients and Windows and Linux servers.

IBM is also spending time doing organizational integration of SameTime, including giving its presence feature the ability to go beyond mere "away/busy" indications to include physical locations and organizational hierarchies, so you can, for example, search for a particular person's boss or find anyone in the HR department.

"Personal presence is cool, but we have taken it a step further and will have later this year the ability to do role-based presence," said David Marshak, IBM Lotus' senior product manager for real-time collaboration. He talks about plans to support more social networking features, such as the ability to ask if anyone is available that can answer a particular query based on organizational role or topic knowledge.

Go with Sametime if you meet one or more of these conditions: You have an existing Notes infrastructure, don't want to be wedded to a completely Microsoft-centric solution, are interested in organizational IM integration, or want to have some security before you dive completely in the open-source pool.

Microsoft LCS

Microsoft is involved in the IM world in several different roles. It operates one of the larger public IM networks, it includes an IM client as part of its Windows operating system, and it sells a private IM server called Office Live Communications Server (LCS) that has some powerful interoperability features. Microsoft's public IM network, MSN, recently joined hands with Yahoo Inc., so users of the vendors' respective IM systems can exchange messages with one another. Microsoft has led the way on public IM interoperability with LCS, which can only motivate its competitors to include more pluralist IM offerings of their own.

New software is also coming from Microsoft that will enhance LCS and Exchange, along with a new client product called Office Communicator 2007. These are all expected at the end of this year or early next year. And last week, Microsoft and Nortel Networks Ltd. announced cross-licensing plans and promised to better integrate Microsoft's messaging system and Nortel's telephony system.

Microsoft thinks of LCS as yet another services platform, meaning that to get similar functionality with SameTime you'll have to embrace and extend LCS with a series of additional products, some from Microsoft and others sold by partners. For example, if you want to use LCS to talk to AOL, Yahoo and MSN IM users, you'll need to get an add-on for LCS called Public IM Connectivity. Administrators can authorize specific users to communicate with the outside world. There are telephony extensions from Genesys and organization/directory extensions similar to what SameTime has in the works from

"Our intention is to support the SIP/SIMPLE standards and continue to extend that standard relative to taking on new and evolving technologies," said Michael Bronsdon, a Microsoft product manager.

LCS only runs on Windows servers and supports only Windows clients for the full feature set. It has a complex pricing scheme that starts at $31 per user and adds server licenses and extra fees for other features.

Go with Microsoft LCS if you have an Exchange/Outlook environment and want to easily extend it into the world of IM.

There are other smaller vendors that are entering the IM market. One to watch is Antepo Inc., which offers a system called Rivoli. They differentiate themselves by supporting a wide collection of public and private IM systems using a collection of SIP-based gateways to federate among Microsoft LCS, Lotus Sametime, Extensible Messaging and Presence Protocol servers and even AIM. Rivoli costs $36 per user, plus a maintenance fee after the first year. It can work with older Microsoft Exchange clients as well as integrate quite nicely into Sharepoint, Microsoft Messenger and other Windows products as well as Apple Computer Inc.'s iChat.

"We were seeing people wanting enterprise-grade Skype with the benefit of standards and a secure infrastructure," said John Sullivan, a product manager at Antepo. Rivoli Version 7.0 is shipping by the end of the summer.

Jabber and open sources

Finally, there are the open-source alternatives that involve implementations around the Jabber server and people running its protocols, called Extensible Messaging and Presence Protocol, or XMPP. Last year, support reached a new milestone with Google Talk and the Gizmo Project using these protocols.

What is notable about using XMPP is that you can separate the messaging and presence functionality if desired (although most deployments offer both). This comes in handy when building application-to-application messaging systems that don't involve users typing text messages to each other, such as a server sending an alert when it detects a problem to a network operator. Currently, there are more than 30 active projects to extend IM into bookmarks, delayed messaging and other areas.
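The server-to-operator alert described above can be sent as a single XMPP `<message/>` stanza with no `<presence/>` involved. The following is an added example, not code from the original article or from any Jabber project. The JIDs, the alert text and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def build_alert(sender, recipient, text):
    """Build a <message/> stanza for a machine-generated alert."""
    # "headline" is the XMPP message type meant for alerts and notifications.
    msg = ET.Element("message", {"from": sender, "to": recipient, "type": "headline"})
    # ElementTree escapes <, > and & in the text, so alert content copied from
    # logs cannot close the stanza early and inject a second one.
    ET.SubElement(msg, "body").text = text
    return ET.tostring(msg, encoding="unicode")

def stanza_kind(stanza_xml):
    """Classify one stanza as 'message', 'presence', 'iq' or 'other'."""
    tag = ET.fromstring(stanza_xml).tag
    local = tag.rsplit("}", 1)[-1]  # strip a {namespace} prefix if present
    return local if local in ("message", "presence", "iq") else "other"

def alert_body(stanza_xml):
    """Return the <body/> text of a message stanza built by build_alert()."""
    return ET.fromstring(stanza_xml).findtext("body")

def split_traffic(stanzas):
    """Group stanzas by kind so messaging can be processed without presence."""
    groups = {"message": [], "presence": [], "iq": [], "other": []}
    for stanza in stanzas:
        groups[stanza_kind(stanza)].append(stanza)
    return groups

# Constructed sample data: JIDs and alert text are placeholders.
HOSTILE_TEXT = 'disk full</body></message><presence from="spoof@example.com"/>'
SAMPLE_STREAM = [
    '<presence xmlns="jabber:client" from="alice@example.com/desk"/>',
    build_alert("monitor@example.com", "noc@example.com", HOSTILE_TEXT),
    '<iq xmlns="jabber:client" type="get" id="q1"/>',
]

if __name__ == "__main__":
    for kind, items in split_traffic(SAMPLE_STREAM).items():
        print(kind, len(items))
```

The alert text in the sample deliberately contains markup: because it is escaped when the stanza is built, it arrives as body text rather than as a forged presence update.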

Go with Jabber and its ilk if you want to build your own IM applications, or don't want to spend the cash on a Lotus or Microsoft offering.

The world of IM is rapidly changing, as last week's announcements from Microsoft and AOL have shown. Expect the innovations to continue. But if you haven't gotten on board the IM train, you should consider starting a pilot project with at least one of the three strategies mentioned here.

David Strom is a writer, editor, public speaker, blogging coach and consultant. He is a former editor in chief of Network Computing and Tom's Hardware and has his own blog at He can be reached at

Copyright © 2006 IDG Communications, Inc.
