Solved

How do I securely allow Skype from a Forefront TMG protected network?

Posted on 2010-09-21
Last Modified: 2012-05-10
I need to know how to securely allow Skype through our Forefront TMG 2010 firewall. Everything I read so far tells me that I need to open up ALL outbound TCP ports. That is something we do not want to do. Is there a way to allow Skype securely through the TMG firewall?
0
Question by:Penflex
3 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 33734477
Well,..there is no such thing as "securely allowing" it. You either allow it,...or you don't,...period. You're begging for trouble,...run as far and as fast from Skype as you can.
Skype tunnels over HTTP as far as I know,...so if you allow HTTP,...then Skype should already "just work",...at least for outbound calls. I'm not sure that inbound calls are even possible outside of a "home user" environment or in businesses that run their networks like a "home user" network.
Most people are writing in asking how to block it because it is so difficult to keep it from working.
0
 
LVL 10

Accepted Solution

by:
simonlimon earned 1000 total points
ID: 33739146
http://www.skype.com/intl/en-us/support/user-guides/firewalls/technical/

Quote from Skype support

• Ideally, outgoing TCP connections to all ports (1..65535) should be opened. This option results in Skype working most reliably. This is only necessary for your Skype connection to be able to connect to the Skype network and will not make your network any less secure.
• If the above is not possible, open up outgoing TCP connections to port 443. This will only work if you are using Skype version 0.97 and above.
• If the above does not solve the problem, open up outgoing TCP connections to port 80. Some firewalls restrict traffic to port 80 to HTTP protocol, and in this case Skype can not use it since Skype does not use HTTP. In some firewalls it is possible to open up all traffic to port 80, not just HTTP, and in this case Skype will work.
• If the above is not possible, Skype versions 0.97 and above can use a HTTPS/SSL proxy. In order to do that, you have to configure the proxy address in Internet Explorer options. Skype will then be able to use it as well.
• Please use our problem reporting form to report details of all instances when you have experienced a problem with Skype and a firewall.

Just allow HTTPS and HTTP and that is it.
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 1000 total points
ID: 33744100
These are the only viable options:
#2. If the above is not possible, open up outgoing TCP connections to port 443. This will only work if you are using Skype version 0.97 and above.
(But will fail with TMG if SSL Inspection is enabled,...will fail for the same reason that doing non-http on port 80 fails.)
#4. If the above is not possible, Skype versions 0.97 and above can use a HTTPS/SSL proxy. In order to do that, you have to configure the proxy address in Internet Explorer options. Skype will then be able to use it as well.
However it is most likely that Skype will not be capable of authentication with the proxy,...so the Access Rule would have to be anonymous if you're running Skype as a Web Proxy Client (using Browser Proxy Settings).
Option #1 of allowing everything outbound would work but is only sensible in a Home-User network.
0
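Added example, not part of the thread and not TMG or Skype code: the proxy exchange behind option #4 and the anonymous-rule caveat above. A constructed local mock proxy that permits CONNECT only to port 443 (an assumed policy) answers a CONNECT sent without credentials, which is what a client that cannot authenticate to the proxy would see; host names are constructed and SSL inspection is not modelled.

```python
import socket
import threading

ALLOWED_PORTS = {443}  # assumption: the access rule permits tunnels to 443 only

def mock_proxy(require_auth):
    """Constructed stand-in for a web proxy listener; returns its local port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            req = b""
            while b"\r\n\r\n" not in req:          # read the full request head
                chunk = conn.recv(4096)
                if not chunk:
                    break
                req += chunk
            line, *headers = req.decode("latin-1").split("\r\n")
            method, target, _version = line.split(" ")
            port = int(target.rsplit(":", 1)[1])
            authed = any(h.lower().startswith("proxy-authorization:") for h in headers)
            if method != "CONNECT" or port not in ALLOWED_PORTS:
                status = "403 Forbidden"
            elif require_auth and not authed:
                status = "407 Proxy Authentication Required"
            else:
                status = "200 Connection established"
            conn.sendall(f"HTTP/1.1 {status}\r\n\r\n".encode())
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def probe_connect(proxy_port, target):
    """Send CONNECT with no credentials and classify the proxy's answer."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode())
        reply = b""
        while b"\r\n" not in reply:                # the status line is enough
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    code = int(reply.split(b" ", 2)[1])
    outcomes = {200: "tunnel allowed", 403: "blocked: port not permitted",
                407: "blocked: proxy wants credentials"}
    return outcomes.get(code, f"unexpected status {code}")
```

With the anonymous rule the tunnel to port 443 is granted; with authentication required the same request gets a 407, and a CONNECT to any other port is refused either way, so nothing beyond 443 has to be opened outbound.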
