Welcome to ISAserver.org

How to allow skype

How to allow skype - 6.Sep.2006 10:38:31 PM   
Nik007

 

Posts: 23
Joined: 25.Aug.2006
From: Belgium
Status: offline
Setup: ISA2004 Edge firewall SP2 running on Win2003 server
Client: Web Proxy (wpad via dhcp - IE on automatically detect settings)

A rule is created from internal to external http-https for the group "isa_access_internet". Users who are in this group are able to surf the Internet.

It seems that the ports http and https aren't enough, but it should work according to the following doc: http://www.skype.com/help/guides/firewall.html

Thx


Post #: 1
RE: How to allow skype - 18.Oct.2006 4:24:48 PM   
Nik007

 

Posts: 23
Joined: 25.Aug.2006
From: Belgium
Status: offline
Does anyone know how to allow Skype? I'm able to log on to Skype, but when it tries to connect, e.g. to make a call, it fails.

I've tried via the SecureNAT client, but it also fails to connect.

In Skype I filled in proxy settings (even with usern./password), but this doesn't work either.

I've noticed that you can block applications via signature for http traffic, but is it possible to allow a signature (e.g. Skype)? I've read a lot on the forum that the ISA doesn't block Skype by default and that they want to allow it, but in my case I didn't need to do anything to block it.

If anyone has ideas let me know; the ISA needs to allow this, else I cannot put it in a production environment.

< Message edited by Nik007 -- 18.Oct.2006 4:25:55 PM >

(in reply to Nik007)
Post #: 2
RE: How to allow skype - 18.Oct.2006 4:36:45 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Nik007,

according to that Skype webpage, Skype does *not* use the HTTP protocol. Therefore I suggest you create a test rule which allows all outbound traffic for all users and test if Skype works then, assuming the host is configured as a SecureNAT and/or Firewall client. Do *not* use any proxy settings in Skype or IE for this test.

HTH,
Stefaan

(in reply to Nik007)
Post #: 3
RE: How to allow skype - 19.Oct.2006 2:38:35 PM   
Nik007

 

Posts: 23
Joined: 25.Aug.2006
From: Belgium
Status: offline
I've created a test rule which allows all outbound traffic for all users. Client = secnat/webproxy and it works.  I didn't use proxy in skype.  I'm not so familiar with the monitoring (live) but I can see it trying over http(s) and a lot of other destination ports e.g. 33033 Unidentified IP Traffic Denied Connection.
I've created a rule which allowed port 33033, http, https for all users but it doesn't work. 

Stefaan, according to that Skype webpage it's trying http(s):

  • If the above is not possible, open up outgoing TCP connections to port 443. This will only work if you are using Skype version 0.97 or later.
  • If the above is not possible, open up outgoing TCP connections to port 80. Some firewalls restrict traffic to port 80 to HTTP protocol, and in this case Skype can not use it since Skype does not use HTTP. In some firewalls it is possible to open up all traffic to port 80, not just HTTP, and in this case Skype will work.

(in reply to spouseele)
Post #: 4
    RE: How to allow skype - 19.Oct.2006 3:10:31 PM   
    spouseele

     

    Posts: 12830
    Joined: 1.Jun.2001
    From: Belgium
    Status: offline
    Hi Nik007,

    as far as I can tell Skype can use TCP port 80 or 443 under the assumption that no content checking is done because the traffic is neither HTTP nor HTTPS compliant. In other words Skype assumes it can make use of the protocols UFBP (Universal Firewall Bypass Protocol aka TCP port 80) or SUFBP (Secure Universal Firewall Bypass Protocol aka TCP port 443).

    Skype suggests to allow all outbound traffic (that means all protocols) to all destinations. Are you willing to do that? I don't think so because that would mean you only need to have *one* access rule that allows everything outbound, regardless of any policy you would otherwise define.

    So, if you have to support Skype I think that you'll need at least version 0.97 and make sure that you allow HTTPS to all destinations (External) for all users. Next, do NOT set any proxy server in Skype. In other words, make sure that those requests are sent as SecureNAT or Firewall client requests. In that case that HTTPS traffic will not be redirected and inspected by the Web Proxy filter.

    BTW --- check out http://www.skype.com/security/guide-for-network-admins.pdf too.

    HTH,
    Stefaan

    (in reply to Nik007)
    Post #: 5
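
The point made in the post above, that a connection to TCP port 80 or 443 is not necessarily HTTP or HTTPS, shown as an added Python example that is not part of the original thread and is not ISA Server's own logic. It applies the kind of first-bytes check a protocol-aware filter can use; the function names are hypothetical and the sample byte strings are constructed.

```python
import re

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.0|1.1 CRLF
_HTTP_REQUEST = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n"
)

# Protocol a content-inspecting rule expects on each well-known port.
EXPECTED = {80: "http", 443: "tls"}


def looks_like_tls_client_hello(data: bytes) -> bool:
    """SSLv3/TLS record header (type 0x16, version 3.x, 2-byte length)
    followed by handshake type 0x01 (ClientHello).
    Assumption: SSLv2-format hellos are not recognised here."""
    if len(data) < 6:
        return False
    record_len = int.from_bytes(data[3:5], "big")
    return (data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04
            and 0 < record_len <= 16384 and data[5] == 0x01)


def classify(data: bytes) -> str:
    """Label the first bytes a client sends on a new TCP connection."""
    if _HTTP_REQUEST.match(data):
        return "http"
    if looks_like_tls_client_hello(data):
        return "tls"
    return "unknown"


def is_compliant(dst_port: int, data: bytes) -> bool:
    """True only when the payload matches the protocol expected on the port.
    Ports with no expected protocol are reported as non-compliant."""
    return EXPECTED.get(dst_port) == classify(data)


# Constructed sample payloads (not captured traffic).
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
TLS_HELLO = bytes.fromhex("16030100310100002d0301") + bytes(43)
OPAQUE = bytes.fromhex("a7 13 5c e0 9b 42 0d f1 66 3e")  # stands in for a proprietary protocol

if __name__ == "__main__":
    for port, payload in [(80, HTTP_GET), (443, TLS_HELLO), (80, OPAQUE), (443, OPAQUE)]:
        print(port, classify(payload), "compliant" if is_compliant(port, payload) else "NOT compliant")
```

A rule that only matches on destination port passes all four samples; a filter that checks the payload passes only the first two.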
    RE: How to allow skype - 22.Oct.2006 1:00:23 AM   
    rajsrk

     

    Posts: 16
    Joined: 31.Oct.2002
    From: Bahrain
    Status: offline
    quote:

    ORIGINAL: Nik007

    Does anyone know how to allow Skype? I'm able to log on to Skype, but when it tries to connect, e.g. to make a call, it fails.



    Nik007... Can you please update me on how you blocked Skype through ISA? I had tried several options, but was not able to get through...

    Thanks in advance

    Rajesh

    (in reply to Nik007)
    Post #: 6
    RE: How to allow skype - 22.Oct.2006 6:20:21 AM   
    elmajdal

     

    Posts: 6022
    Joined: 16.Sep.2004
    From: Lebanese in Kuwait
    Status: offline
    quote:

    Nik007... Can you please update me on how you blocked Skype through ISA? I had tried several options, but was not able to get through...


    The best way to block such software is to use an HTTPS whitelist.


    _____________________________

    Tarek Majdalani

    Windows Expert - IT Pro MVP
    Facebook : https://www.facebook.com/ElMajdal.Net

    (in reply to rajsrk)
    Post #: 7
    RE: How to allow skype - 22.Oct.2006 8:06:58 AM   
    rajsrk

     

    Posts: 16
    Joined: 31.Oct.2002
    From: Bahrain
    Status: offline
    quote:

    ORIGINAL: elmajdal

    The best way to block such software is to use an HTTPS whitelist.



    Can you update me on how to use an HTTPS whitelist?

    Thanks

    < Message edited by rajsrk -- 22.Oct.2006 8:08:06 AM >

    (in reply to elmajdal)
    Post #: 8
