• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Skype Signature

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> HTTP Filtering >> Skype Signature Page: [1]
Login
Message << Older Topic   Newer Topic >>
Skype Signature - 22.Jan.2006 11:49:14 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
 
Hi,

Anyones knows Skype Signature.

Post #: 1
RE: Skype Signature - 22.Jan.2006 4:33:22 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi El,

Have you done a packet trace yet?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to elmajdal)
Post #: 2
RE: Skype Signature - 22.Jan.2006 4:45:22 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
hi Tom,

I'm not sure what do u mean in this.

(in reply to tshinder)
Post #: 3
RE: Skype Signature - 22.Jan.2006 8:59:26 PM   
Moez

 

Posts: 13
Joined: 14.May2003
From: Tunisia
Status: offline
Hi,

For the version Skype 2.0.0.69 its signature is :  User-Agent = Skype÷ 2.0

But Skype uses also the HTTPS protocol
From now on, the Skype customer tends to make connections with urls of the https://IPadress type and doesn't expose inevitably any more of use-agent.  All this thus makes its blocking more difficult.
If you are in this case, I think that it only solution is to block the HTTPS and to authorize only the HTTPS Whitelist.

Thanks,



_____________________________

Moez Mezghani [MVP ISA Firewall]- Tunisia
http://fr.groups.yahoo.com/group/isaserver_Fr/
http://www.waykos.com/
http://moez.zeblog.com/

(in reply to elmajdal)
Post #: 4
RE: Skype Signature - 22.Jan.2006 9:09:51 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
hey Moez,
 
can u tell me how i can know the signature of an application, Tom said something about packet trace , but i never tried it or know how.

so how did u know the signature of skype .

i liked the idea of the whitelist for https ,but i think iam going to have milion calls to add this and that site

 
Thanks

(in reply to Moez)
Post #: 5
RE: Skype Signature - 22.Jan.2006 9:27:37 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
quote:

ORIGINAL: Moez
...I think that it only solution is to block the HTTPS and to authorize only the HTTPS Whitelist.

That's the way I run my ISA.  No unlimited HTTPS access for most users.  If my users want HTTPS access to a site, they need to prove that it is work-related and  necessary for their job.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to Moez)
Post #: 6
RE: Skype Signature - 22.Jan.2006 10:00:56 PM   
Moez

 

Posts: 13
Joined: 14.May2003
From: Tunisia
Status: offline
Hi elmajdal,

Just quick URL http://support.microsoft.com/kb/252876/en-us

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/httpfiltering.mspx#EXF

Thx,


_____________________________

Moez Mezghani [MVP ISA Firewall]- Tunisia
http://fr.groups.yahoo.com/group/isaserver_Fr/
http://www.waykos.com/
http://moez.zeblog.com/

(in reply to elmajdal)
Post #: 7
RE: Skype Signature - 22.Jan.2006 11:58:41 PM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
live longer , and u will learn more
never used Network Monitor before, this is a richfull info that i learned today

Thanks guys , thank Moez

(in reply to Moez)
Post #: 8
RE: Skype Signature - 23.Jan.2006 5:02:58 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: Moez

Hi,

For the version Skype 2.0.0.69 its signature is :  User-Agent = Skype÷ 2.0

But Skype uses also the HTTPS protocol
From now on, the Skype customer tends to make connections with urls of the https://IPadress type and doesn't expose inevitably any more of use-agent.  All this thus makes its blocking more difficult.
If you are in this case, I think that it only solution is to block the HTTPS and to authorize only the HTTPS Whitelist.

Thanks,




Hi Moez,

Thanks!

Yes, I agree. You should allow SSL only to trusted sites.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Moez)
Post #: 9
RE: Skype Signature - 26.Jan.2006 5:22:26 PM   
pix

 

Posts: 55
Joined: 29.May2001
From: Melton, Leics, UK
Status: offline
PLs excuse ignorance, but why should you only allow SSL to trusted sites?

(in reply to tshinder)
Post #: 10
RE: Skype Signature - 27.Jan.2006 6:37:53 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Pix,

Check out:

http://msmvps.com/blogs/shinder/articles/12268.aspx

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to pix)
Post #: 11
RE: Skype Signature - 27.Jan.2006 6:52:30 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
You should also mention all those anonymous proxies that are popping up like mushrooms on the internet.  Some of them try to legitimize themselves as "security", protecting your privacy while others flaunt the fact that they do such a good job that you can surf porn from your office with impunity.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to tshinder)
Post #: 12
RE: Skype Signature - 28.Jan.2006 6:49:59 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Les,

Excellent point. What really chaps my hide is that they advertise themselves as a way to "get around restrictive firewalls".

Ahmm..well, isn't that what the firewalls are for? To restrict unapproved traffic?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to LLigetfa)
Post #: 13
RE: Skype Signature - 28.Jan.2006 7:19:29 PM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Ja, well... they certainly do work as advertised.  My company decided to centrallize their content management onto an SGS box at the onramp.  Surprisingly, it does not block these anonymous proxies and if I were to allow unlimited HTTPS, my ISA cannot do content inspection either.  I have no choice but to allow only a WhiteList of HTTPS sites, much to the shagrin of my users.  I am just now going live with ISA doing a staged rollout and users that were used to getting unlimited access with my old MSP2 are now suffering the GoldFish syndrome.

_____________________________

The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.

(in reply to tshinder)
Post #: 14
RE: Skype Signature - 29.Jan.2006 4:30:14 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Les,

Ha! Good one

Same here. SSL to only pre-approved site. If the user wants access to GoToMyPC, he's going to have to come to me first, and I'm going to say no if remote access VPN or RDP not part of corporate security policy.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to LLigetfa)
Post #: 15
RE: Skype Signature - 8.Feb.2006 10:14:08 AM   
j

 

Posts: 15
Joined: 19.Nov.2005
Status: offline
 
Hi

block the skype domains for initial sign on perhaps ?

Even better lock down the users pc's with smart gpo's and ensure they have no rights on their pc's aswell so they can't even install or run it.

arh the curse of Im's.

j

(in reply to tshinder)
Post #: 16

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> HTTP Filtering >> Skype Signature Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts