Welcome to ISAserver.org


Skype with ISA 2000 - direct access

Skype with ISA 2000 - direct access - 23.Aug.2005 4:45:00 AM   
dingbat

 

Posts: 4
Joined: 23.Aug.2005
Status: offline
Hi, wondering if any Skype and ISA2000/2004 users have made any improvements to the way Skype works through ISA.

Obviously Skype is designed to work through any firewall, using relays (Super nodes), but I'm finding this adds to the delay (roundtrip) and dropouts.

Skype allows you to set a specific incoming port to allow direct access. Despite publishing this to my machine in ISA, and allowing it through my firewall, I'm yet to get Skype to make a direct connection.

You can see this in the call status window (when you mouseover the caller) - the connection type shows "RELAY_TCP" and the local UDP status is bad. I'm assuming that means Skype is not able to get a direct connection through ISA (NAT) and my hardware firewall (which ISN'T natting).

I have a protocol rule to allow the outgoing port with all high number ports as secondaries (as per a post to the boards here).

Just to confirm, Skype is working through ISA, but not able to allow a direct connection in to avoid relays.

I figure there is no way to improve the QoS given the Skype protocol is proprietary and doesn't use specific ports.

Thanks
Post #: 1
RE: Skype with ISA 2000 - direct access - 23.Aug.2005 5:31:00 AM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
2000 or 2004?

(in reply to dingbat)
Post #: 2
RE: Skype with ISA 2000 - direct access - 25.Aug.2005 1:10:00 AM   
dingbat

 

Posts: 4
Joined: 23.Aug.2005
Status: offline
Tom, ISA 2000. My apologies for putting ISA 2000 in the subject but posting it in the ISA 2004 section! :-(

I had previously posted an IPSec question that was for ISA 2004, so forgot which section I should be in! The fun of supporting SBS at many sites.

Anyway, I have done some more tinkering with Skype, and reviewing the firewall logs for ISA 2000 when it tries to connect. I turned on the Firewall Client to get better logging and ensure the rules can apply everything required.

I found that it pretty much tries to connect to any high numbered UDP and TCP port, in addition to 80 and 443.

Adding a rule with 443 outbound and secondary connections for 1024-65530 helped a lot... but still I'm not convinced.

My thinking is that Skype is great for the home users, but not really suited to a network protected by ISA. The fact that it really wants all ports open outbound isn't fantastic in my book. Plus there's no way to prioritise traffic because you have no idea how it is coming on.

Anyway, if you have any further insight from your experience, would be interested to hear it.

Thanks

(in reply to dingbat)
Post #: 3
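
A way to do the log review described in post 3, as an added example that is not part of the original thread: it reads a tab-separated W3C-style firewall log and reports, per client, how many distinct high TCP and UDP ports were contacted besides 80 and 443. The column names (`c-ip`, `r-ip`, `r-port`, `cs-transport`) and all sample rows are assumptions constructed for illustration; substitute the names from your own log's `#Fields:` line.

```python
from collections import defaultdict

# Constructed sample rows: (client IP, remote IP, remote port, transport).
_ROWS = [
    ("10.0.0.21", "192.0.2.10", "443", "TCP"),
    ("10.0.0.21", "192.0.2.11", "80", "TCP"),
    ("10.0.0.21", "198.51.100.7", "33033", "TCP"),
    ("10.0.0.21", "198.51.100.8", "40012", "UDP"),
    ("10.0.0.21", "203.0.113.5", "51877", "UDP"),
    ("10.0.0.21", "203.0.113.6", "40012", "UDP"),
    ("10.0.0.21", "203.0.113.9", "-", "UDP"),      # no port logged
    ("10.0.0.30", "192.0.2.10", "443", "TCP"),
    ("10.0.0.30", "192.0.2.11", "80", "TCP"),
]
# Column names are assumptions; use the ones in your own "#Fields:" header.
SAMPLE_LOG = "#Fields: c-ip\tr-ip\tr-port\tcs-transport\n" + "\n".join(
    "\t".join(row) for row in _ROWS)

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):   # skip truncated lines
                yield dict(zip(fields, values))

def port_profile(records, well_known=(80, 443)):
    """Per client: hits on well-known ports and distinct high ports by transport."""
    profile = defaultdict(lambda: {"well_known": 0, "TCP": set(), "UDP": set()})
    for rec in records:
        transport = rec.get("cs-transport", "").upper()
        if not rec.get("r-port", "").isdigit() or transport not in ("TCP", "UDP"):
            continue
        port = int(rec["r-port"])
        entry = profile[rec.get("c-ip", "?")]
        if port in well_known:
            entry["well_known"] += 1
        elif port >= 1024:
            entry[transport].add(port)
    return dict(profile)

def port_agile_clients(profile, min_ports=3):
    """Clients that reached at least min_ports distinct high ports."""
    return sorted(ip for ip, e in profile.items()
                  if len(e["TCP"]) + len(e["UDP"]) >= min_ports)
```
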
RE: Skype with ISA 2000 - direct access - 25.Aug.2005 6:49:00 AM   
tshinder

 

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi DBT,

I use Skype from time to time -- but you need to use the Firewall client (probably). I've not studied the Skype docs to determine what protocols it uses.

Tom

(in reply to dingbat)
Post #: 4
RE: Skype with ISA 2000 - direct access - 12.Sep.2005 5:10:00 AM   
jbland

 

Posts: 12
Joined: 12.Sep.2005
From: UK
Status: offline
Hi, I'm all new to this so excuse me missing anything.

I run ISA 2000 and am currently trying to allow users to use Skype. Access is set up by Domain Users.

I have configured outbound TCP 443 (as default) and set up secondary TCP ports from 1024 to 65535, but Skype will not connect.

If I set up a rule to allow all traffic to all destinations by client address sets and bypass the domain users this allows Skype to connect, but obviously I do not want to change all the currently configured settings.

Does anyone know a fix for this? All I want to be able to do is allow users the ability to use Skype behind ISA 2000.

Thank you.

(in reply to dingbat)
Post #: 5
RE: Skype with ISA 2000 - direct access - 12.Sep.2005 2:36:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi jbland,

check out http://www.skype.com/security/ .

HTH,
Stefaan

(in reply to dingbat)
Post #: 6
RE: Skype with ISA 2000 - direct access - 13.Sep.2005 11:42:00 AM   
jbland

 

Posts: 12
Joined: 12.Sep.2005
From: UK
Status: offline
Hi Stefaan, thanks for your reply. Unfortunately I cannot get Skype to work even after allowing the specified ports in ISA 2000.

Can you provide any more help?

Jon.

(in reply to dingbat)
Post #: 7
RE: Skype with ISA 2000 - direct access - 13.Sep.2005 2:20:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi jbland,

I never worked with Skype. However, according to the 'Network Administrators Guide' there are two ways to get it working:

1. through HTTP (TCP port 80) and HTTPS (TCP port 443). In that case authenticated proxies should be supported and Skype picks up the IE proxy settings. Have you enabled content checking on the rule allowing Skype?

2. use the Firewall client instead and give full outbound access to the Skype users. The result should be a better sound quality.

Also, in the doc they recommend disabling IP Fragment filtering.

HTH,
Stefaan

(in reply to dingbat)
Post #: 8
RE: Skype with ISA 2000 - direct access - 15.Sep.2005 10:17:00 AM   
jbland

 

Posts: 12
Joined: 12.Sep.2005
From: UK
Status: offline
Thanks for your post.

I have created 3 protocol rules:

1. to allow TCP outbound from ports 1 to 65535
2. to allow TCP outbound from ports 1 to 443
3. to allow TCP outbound on port 80

If I set up an allow site and content group rule for all external destinations Skype does work and connect but obviously users can access everything! Can anyone help?

(in reply to dingbat)
Post #: 9
RE: Skype with ISA 2000 - direct access - 15.Sep.2005 5:27:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi jbland,

as far as I understand the way Skype works, you do *not* know in advance which destination will be contacted. So, you have to allow access to any destination. In other words, full outbound access is needed.

BTW --- who said that Skype was firewall friendly and secure? [Big Grin]

HTH,
Stefaan

(in reply to dingbat)
Post #: 10
RE: Skype with ISA 2000 - direct access - 20.Sep.2005 4:06:00 AM   
jbland

 

Posts: 12
Joined: 12.Sep.2005
From: UK
Status: offline
Thanks Stefaan.

Can anyone detail what ports, protocols and direction you should set up in ISA 2000 please? Just so I can confirm that I have done this correctly...

(in reply to dingbat)
Post #: 11
RE: Skype with ISA 2000 - direct access - 20.Sep.2005 2:24:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi jbland,

start with allowing all outbound connections to any destination and all content and see how it works. Of course, you'll need the Firewall client on the Skype host.

HTH,
Stefaan

(in reply to dingbat)
Post #: 12
RE: Skype with ISA 2000 - direct access - 21.Sep.2005 8:42:00 AM   
jbland

 

Posts: 12
Joined: 12.Sep.2005
From: UK
Status: offline
Stefaan

Skype works when I allow all external traffic. What is the Firewall client?

Jon.

(in reply to dingbat)
Post #: 13
RE: Skype with ISA 2000 - direct access - 21.Sep.2005 2:15:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi jbland,

check out the articles over at http://www.isaserver.org/Jim_Harrison/ .

HTH,
Stefaan

(in reply to dingbat)
Post #: 14
