How do I securely allow Skype from a Forefront TMG protected network?

Posted on 2010-09-21
Last Modified: 2012-05-10
I need to know how to securely allow Skype through our Forefront TMG 2010 firewall. Everything I read so far tells me that I need to open up ALL outbound TCP ports. That is something we do not want to do. Is there a way to allow Skype securely through the TMG firewall?
Question by:Penflex

Expert Comment

by:pwindell
ID: 33734477
Well,...there is no such thing as "securely allowing" it. You either allow it,...or you don't,...period. You're begging for trouble,...run as far and as fast from Skype as you can.
Skype tunnels over HTTP as far as I know,...so if you allow HTTP,...then Skype should already "just work",...at least for outbound calls. I'm not sure that inbound calls are even possible outside of a "home user" environment or in businesses that run their networks like a "home user" network.
Most people are writing in asking how to block it because it is so difficult to keep it from working.

Accepted Solution

by:simonlimon
simonlimon earned 250 total points
ID: 33739146
http://www.skype.com/intl/en-us/support/user-guides/firewalls/technical/

Quote from Skype support

• Ideally, outgoing TCP connections to all ports (1.65535) should be opened. This option results in Skype working most reliably. This is only necessary for your Skype connection to be able to connect to the Skype network and will not make your network any less secure.
• If the above is not possible, open up outgoing TCP connections to port 443. This will only work if you are using Skype version 0.97 and above.
• If the above does not solve the problem, open up outgoing TCP connections to port 80. Some firewalls restrict traffic to port 80 to HTTP protocol, and in this case Skype can not use it since Skype does not use HTTP. In some firewalls it is possible to open up all traffic to port 80, not just HTTP, and in this case Skype will work.
• If the above is not possible, Skype versions 0.97 and above can use a HTTPS/SSL proxy. In order to do that, you have to configure the proxy address in Internet Explorer options. Skype will then be able to use it as well.
• Please use our problem reporting form to report details of all instances when you have experienced a problem with Skype and a firewall.

Just allow HTTPS and HTTP and that is it.

Assisted Solution

by:pwindell
pwindell earned 250 total points
ID: 33744100
These are the only viable options:
#2. If the above is not possible, open up outgoing TCP connections to port 443. This will only work if you are using Skype version 0.97 and above.
(But will fail with TMG if SSL Inspection is enabled,...will fail for the same reason that doing non-http on port 80 fails.)
#4. If the above is not possible, Skype versions 0.97 and above can use a HTTPS/SSL proxy. In order to do that, you have to configure the proxy address in Internet Explorer options. Skype will then be able to use it as well.
However it is most likely that Skype will not be capable of authentication with the proxy,...so the Access Rule would have to be anonymous if you're running Skype as a Web Proxy Client (using Browser Proxy Settings).
Option #1 of allowing everything outbound would work but is only sensible in a Home-User network.
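
The distinction both answers turn on, a port that is simply open versus a port where the firewall also checks that the traffic is the expected protocol, shown as an added sketch that is not part of the thread and not TMG's implementation. The two-port policy, the function names and the sample payloads are constructed for illustration; a real inspection engine checks far more than the first bytes of a flow.

```python
import re

# HTTP/1.x request line: METHOD SP target SP HTTP/1.x CRLF
_HTTP_REQ = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")

def classify_first_bytes(data: bytes) -> str:
    """Label the first client bytes of a TCP flow as 'http', 'tls' or 'other'."""
    if _HTTP_REQ.match(data):
        return "http"
    # TLS record header: type 0x16 (handshake), version 0x03 0x00-0x04,
    # 2-byte record length, then handshake type 0x01 (ClientHello).
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        rec_len = int.from_bytes(data[3:5], "big")
        if 4 <= rec_len <= 16384:
            return "tls"
    return "other"

def egress_verdict(port: int, data: bytes, enforce_protocol: bool) -> str:
    """Allow/deny an outbound flow under a hypothetical 80/443-only policy.

    enforce_protocol=False models a port that is simply open.
    enforce_protocol=True models an application-layer filter that
    requires HTTP on 80 and a TLS handshake on 443.
    """
    expected = {80: "http", 443: "tls"}.get(port)
    if expected is None:
        return "deny"  # port not opened outbound
    if not enforce_protocol:
        return "allow"  # any bytes pass once the port is open
    return "allow" if classify_first_bytes(data) == expected else "deny"

# Constructed sample payloads (not captured traffic).
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B]) + bytes(43)
OPAQUE = bytes.fromhex("8f3a11c07de4920b5566a1f0")  # neither HTTP nor TLS

if __name__ == "__main__":
    samples = [("http", 80, HTTP_GET), ("tls", 443, TLS_HELLO),
               ("opaque", 80, OPAQUE), ("opaque", 443, OPAQUE)]
    for name, port, payload in samples:
        for enforce in (False, True):
            print(name, port, "enforce" if enforce else "open",
                  egress_verdict(port, payload, enforce))
```
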