Does anyone know how to allow Skype? I'm able to log on to Skype, but when it tries to connect (e.g. to make a call) it fails.
I've tried via the SecureNAT client, but it also fails to connect.
In Skype I filled in the proxy settings (even with username/password), but this doesn't work either.
I've noticed that you can block applications via signature for HTTP traffic, but is it possible to allow a signature (e.g. Skype)? I've read a lot on the forum that the ISA doesn't block Skype by default and that they want to allow it, but in my case I didn't need to do anything to block it.
If anyone has ideas, let me know; the ISA needs to allow this, else I cannot put it in the production environment.
< Message edited by Nik007 -- 18.Oct.2006 4:25:55 PM >
According to that Skype webpage, Skype does *not* use the HTTP protocol. Therefore I suggest you create a test rule which allows all outbound traffic for all users and test if Skype works then, assuming the host is configured as a SecureNAT and/or Firewall client. Do *not* use any proxy settings in Skype or IE for this test.
I've created a test rule which allows all outbound traffic for all users. Client = secnat/webproxy and it works. I didn't use a proxy in Skype. I'm not so familiar with the monitoring (live), but I can see it trying over HTTP(S) and a lot of other destination ports, e.g. 33033 Unidentified IP Traffic Denied Connection. I've created a rule which allowed port 33033, HTTP and HTTPS for all users, but it doesn't work.
Stefaan, according to that Skype webpage it's trying HTTP(S):
If the above is not possible, open up outgoing TCP connections to port 443. This will only work if you are using Skype version 0.97 or later.
If the above is not possible, open up outgoing TCP connections to port 80. Some firewalls restrict traffic to port 80 to HTTP protocol, and in this case Skype can not use it since Skype does not use HTTP. In some firewalls it is possible to open up all traffic to port 80, not just HTTP, and in this case Skype will work.
As far as I can tell, Skype can use TCP port 80 or 443 under the assumption that no content checking is done, because the traffic is neither HTTP nor HTTPS compliant. In other words, Skype assumes it can make use of the protocols UFBP (Universal Firewall Bypass Protocol, aka TCP port 80) or SUFBP (Secure Universal Firewall Bypass Protocol, aka TCP port 443).
Skype suggests to allow all outbound traffic (that means all protocols) to all destinations. Are you willing to do that? I don't think so because that would mean you only need to have *one* access rule that allows everything outbound, regardless of any policy you would otherwise define.
So, if you have to support Skype I think that you'll need at least version 0.97 and make sure that you allow HTTPS to all destinations (External) for all users. Next, do NOT set any proxy server in Skype. In other words, make sure that those requests are sent as SecureNAT or Firewall client requests. In that case that HTTPS traffic will not be redirected and inspected by the Web Proxy filter.
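The difference this thread turns on, a rule that opens a port versus a filter that requires the protocol expected on that port, as an added example that is not part of the original posts. All function names and sample payloads are constructed for illustration; this is not ISA Server's filter logic, only a first-payload check of the same kind.

```python
import re
import struct

# HTTP/1.x request line: METHOD SP target SP HTTP/1.x CRLF
_HTTP_REQ = re.compile(rb"^[A-Z]{3,10} [^ \r\n]+ HTTP/1\.[01]\r\n")

def classify_first_payload(data: bytes) -> str:
    """Classify the first client payload of a TCP connection: http, tls or other."""
    if _HTTP_REQ.match(data):
        return "http"
    # TLS record header: type(1) version(2) length(2), then handshake type(1)
    if len(data) >= 6:
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        is_handshake_record = ctype == 0x16 and major == 3 and minor <= 4
        if is_handshake_record and 0 < length <= 16384 and data[5] == 0x01:
            return "tls"  # record carrying a ClientHello
    return "other"

def port_rule_allows(port: int, open_ports: set) -> bool:
    """Port-only rule (hypothetical): any bytes pass if the port is open."""
    return port in open_ports

def inspecting_filter_allows(port: int, data: bytes) -> bool:
    """Protocol-aware rule (hypothetical): port must carry its own protocol."""
    expected = {80: "http", 443: "tls"}.get(port)
    return expected is not None and classify_first_payload(data) == expected

# Constructed sample payloads (not captured traffic).
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(41)
OPAQUE = bytes.fromhex("8f3a11c0e4579b02")  # neither HTTP nor TLS

if __name__ == "__main__":
    for port, name, payload in [(80, "HTTP_GET", HTTP_GET),
                                (443, "TLS_HELLO", TLS_HELLO),
                                (80, "OPAQUE", OPAQUE),
                                (443, "OPAQUE", OPAQUE)]:
        print(port, name,
              "port-rule:", port_rule_allows(port, {80, 443}),
              "inspecting:", inspecting_filter_allows(port, payload))
```

The opaque payload passes the port-only rule on both ports and fails the inspecting rule on both, which is why a single "open port 80/443" rule and an HTTP-filtered rule behave so differently for non-HTTP applications.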