Solved

How do I securely allow Skype from a Forefront TMG protected network?

Posted on 2010-09-21
Last Modified: 2012-05-10
I need to know how to securely allow Skype through our Forefront TMG 2010 firewall. Everything I read so far tells me that I need to open up ALL outbound TCP ports. That is something we do not want to do. Is there a way to allow Skype securely through the TMG firewall?
Question by:Penflex

Expert Comment

by:pwindell
ID: 33734477
Well,...there is no such thing as "securely allowing" it. You either allow it,...or you don't,...period. You're begging for trouble,...run as far and as fast from Skype as you can.
Skype tunnels over HTTP as far as I know,...so if you allow HTTP,...then Skype should already "just work",...at least for outbound calls. I'm not sure that inbound calls are even possible outside of a "home user" environment or in businesses that run their networks like a "home user" network.
Most people are writing in asking how to block it because it is so difficult to keep it from working.

Accepted Solution

by:simonlimon
simonlimon earned 250 total points
ID: 33739146
http://www.skype.com/intl/en-us/support/user-guides/firewalls/technical/

Quote from Skype support:

- Ideally, outgoing TCP connections to all ports (1..65535) should be opened. This option results in Skype working most reliably. This is only necessary for your Skype connection to be able to connect to the Skype network and will not make your network any less secure.
- If the above is not possible, open up outgoing TCP connections to port 443. This will only work if you are using Skype version 0.97 and above.
- If the above does not solve the problem, open up outgoing TCP connections to port 80. Some firewalls restrict traffic to port 80 to HTTP protocol, and in this case Skype can not use it since Skype does not use HTTP. In some firewalls it is possible to open up all traffic to port 80, not just HTTP, and in this case Skype will work.
- If the above is not possible, Skype versions 0.97 and above can use a HTTPS/SSL proxy. In order to do that, you have to configure the proxy address in Internet Explorer options. Skype will then be able to use it as well.
- Please use our problem reporting form to report details of all instances when you have experienced a problem with Skype and a firewall.

Just allow HTTPS and HTTP and that is it.

Assisted Solution

by:pwindell
pwindell earned 250 total points
ID: 33744100
These are the only viable options:
#2. If the above is not possible, open up outgoing TCP connections to port 443. This will only work if you are using Skype version 0.97 and above.
(But will fail with TMG if SSL Inspection is enabled,...will fail for the same reason that doing non-http on port 80 fails.)
#4. If the above is not possible, Skype versions 0.97 and above can use a HTTPS/SSL proxy. In order to do that, you have to configure the proxy address in Internet Explorer options. Skype will then be able to use it as well.
However it is most likely that Skype will not be capable of authentication with the proxy,...so the Access Rule would have to be anonymous if you're running Skype as a Web Proxy Client (using Browser Proxy Settings).
Option #1 of allowing everything outbound would work but is only sensible in a Home-User network.
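
The answers above turn on the difference between opening a port and enforcing the protocol on it: a firewall that restricts port 80 to HTTP, or inspects SSL on 443, rejects traffic that only borrows the port number. The sketch below is an added illustration, not code from this thread or from TMG; the function names and sample payloads are constructed, and the checks are much cruder than a real application filter.

```python
import struct

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"CONNECT", b"TRACE", b"PATCH")

def looks_like_http_request(data: bytes) -> bool:
    """True if data opens with an HTTP/1.x request line: METHOD SP target SP version CRLF."""
    line, sep, _ = data.partition(b"\r\n")
    if not sep:
        return False
    parts = line.split(b" ")
    return (len(parts) == 3 and parts[0] in HTTP_METHODS
            and parts[2] in (b"HTTP/1.0", b"HTTP/1.1"))

def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if data opens with a TLS handshake record that carries a ClientHello."""
    if len(data) < 6:
        return False
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    return (content_type == 0x16 and major == 0x03 and minor <= 0x04
            and 0 < length <= 16384 and data[5] == 0x01)

def verdict(port: int, first_bytes: bytes) -> str:
    """Decision a protocol-enforcing outbound rule would reach (hypothetical policy)."""
    if port == 80:
        return "allow" if looks_like_http_request(first_bytes) else "deny: not HTTP"
    if port == 443:
        return "allow" if looks_like_tls_client_hello(first_bytes) else "deny: not TLS"
    return "deny: port not permitted"

# Constructed sample payloads, not captured traffic.
SAMPLES = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (80, bytes.fromhex("9f3c01a7e2445b10")),         # opaque binary on the HTTP port
    (443, bytes.fromhex("16030100c8010000c40303")),  # TLS record header + ClientHello start
    (443, bytes.fromhex("9f3c01a7e2445b10")),        # opaque binary on the HTTPS port
    (5060, b"anything"),                             # port outside the allowed set
]

if __name__ == "__main__":
    for port, payload in SAMPLES:
        print(port, verdict(port, payload))
```
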

Question has a verified solution.
