How do I securely allow Skype from a Forefront TMG protected network?

Posted on 2010-09-21
Last Modified: 2012-05-10
I need to know how to securely allow Skype through our Forefront TMG 2010 firewall. Everything I read so far tells me that I need to open up ALL outbound TCP ports. That is something we do not want to do. Is there a way to allow Skype securely through the TMG firewall?
Question by:Penflex
Expert Comment

by:pwindell
ID: 33734477
Well,..there is no such thing as "securely allowing" it. You either allow it,...or you don't,...period. You're begging for trouble,...run as far and as fast from Skype as you can.
Skype tunnels over HTTP as far as I know,...so if you allow HTTP,...then Skype should already "just work",...at least for outbound calls. I'm not sure that inbound calls are even possible outside of a "home user" environment or in businesses that run their networks like a "home user" network.
Most people are writing in asking how to block it because it is so difficult to keep it from working.
Accepted Solution

by:
simonlimon earned 1000 total points
ID: 33739146
http://www.skype.com/intl/en-us/support/user-guides/firewalls/technical/

Quote from Skype support

• Ideally, outgoing TCP connections to all ports (1..65535) should be opened. This option results in Skype working most reliably. This is only necessary for your Skype connection to be able to connect to the Skype network and will not make your network any less secure.
• If the above is not possible, open up outgoing TCP connections to port 443. This will only work if you are using Skype version 0.97 and above.
• If the above does not solve the problem, open up outgoing TCP connections to port 80. Some firewalls restrict traffic to port 80 to HTTP protocol, and in this case Skype can not use it since Skype does not use HTTP. In some firewalls it is possible to open up all traffic to port 80, not just HTTP, and in this case Skype will work.
• If the above is not possible, Skype versions 0.97 and above can use a HTTPS/SSL proxy. In order to do that, you have to configure the proxy address in Internet Explorer options. Skype will then be able to use it as well.
• Please use our problem reporting form to report details of all instances when you have experienced a problem with Skype and a firewall.

Just allow HTTPS and HTTP and that is it.
Assisted Solution

by:pwindell
pwindell earned 1000 total points
ID: 33744100
These are the only viable options:
#2. If the above is not possible, open up outgoing TCP connections to port 443. This will only work if you are using Skype version 0.97 and above.
(But will fail with TMG if SSL Inspection is enabled,...will fail for the same reason that doing non-http on port 80 fails.)
#4. If the above is not possible, Skype versions 0.97 and above can use a HTTPS/SSL proxy. In order to do that, you have to configure the proxy address in Internet Explorer options. Skype will then be able to use it as well.
However it is most likely that Skype will not be capable of authentication with the proxy,...so the Access Rule would have to be anonymous if you're running Skype as a Web Proxy Client (using Browser Proxy Settings).
Option #1 of allowing everything outbound would work but is only sensible in a Home-User network.