Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

How do I securely allow Skype from a Forefront TMG protected network?

Posted on 2010-09-21
3
6,096 Views
Last Modified: 2012-05-10
I need to know how to securely allow Skype through our Forefront TMG 2010 firewall. Everything I read so far tells me that I need to open up ALL outbound TCP ports. That is something we do not want to do. Is there a way to allow Skype securely through the TMG firewall?
0
Comment
Question by:Penflex
  • 2
3 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 33734477
Well,..there is no such thing as "securely allowing" it.   You either allow it,...or you don't,...period.   You're begging from trouble,...run as far and as fast from Skype as you can.
Skype tunnels over HTTP as far as I know,...so if you allow HTTP,...then Skype should already "just work",...at least for outbound calls.  I'm not sure that inbound calls are even possible outside of a "home user" environment or in business that run their networks like a "home user" network.
Most people are writing in asking how to block it because it is so difficult to keep it from working.
0
 
LVL 10

Accepted Solution

by:
simonlimon earned 250 total points
ID: 33739146
http://www.skype.com/intl/en-us/support/user-guides/firewalls/technical/

Quote from Skype support

¿Ideally, outgoing TCP connections to all ports (1.65535) should be opened. This option results in Skype working most reliably. This is only necessary for your Skype connection to be able to connect to the Skype network and will not make your network any less secure.
¿If the above is not possible, open up outgoing TCP connections to port 443. This will only work if you are using Skype version 0.97 and above.
¿If the above does not solve the problem, open up outgoing TCP connections to port 80. Some firewalls restrict traffic to port 80 to HTTP protocol, and in this case Skype can not use it since Skype does not use HTTP. In some firewalls it is possible to open up all traffic to port 80, not just HTTP, and in this case Skype will work.
¿If the above is not possible, Skype versions 0.97 and above can use a HTTPS/SSL proxy. In order to do that, you have to configure the proxy address in Internet Explorer options. Skype will then be able to use it as well.
¿Please use our problem reporting form to report details of all instances when you have experienced a problem with Skype and a firewall.

Just allow HTTPS and HTTP and that is it.
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 250 total points
ID: 33744100
These are the only viable options:
#2.  ¿If the above is not possible, open up outgoing TCP connections to port 443. This will only work if you are using Skype version 0.97 and above.
(But will fail with TMG if SSL Inspection is enabled,...will fail for the same reason that doing non-http on port 80 fails.)
#4. If the above is not possible, Skype versions 0.97 and above can use a HTTPS/SSL proxy. In order to do that, you have to configure the proxy address in Internet Explorer options. Skype will then be able to use it as well.
However it is most likely that Skype will not be capable of authentication with the proxy,...so the Access Rule would have to be anonymous if your running Skype as a Web Proxy Client (using Browser Proxy Settings)
Option #1 of allowing everything outbound would work but is only sensible in a Home-User network
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Change Default Gateway on Exchange Server 7 443
isa 2006 pptp & l2tp & pre-shared key 13 831
HTTPS vs ISA Server 31 1,955
Unable to get to specific websites via ISA Server proxy 3 179
Forefront is the brand name for Microsoft's major security product. Forefront covers a number of specific security areas and has 'swallowed' a number of applications under this umbrella including Antigen, ISA Server, the Integrated Access Gateway (t…
There are several problems reported according slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect here some of the common issues together to give a brief overview what can be the reason. Nevertheless, not all of…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

837 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question