Posts: 13
Joined: 20.Sep.2009
From: New Zealand
Status: offline
Hi,
First, I am pretty new to ISA. Currently I have a server running with TMG Beta 3 on it to mess around with it and get my head around ISA in general. So far so good.
However, I am unable to figure out what I need to do in order to let Skype through. Tried setting up a port rule but to no avail and I am stuck.
If somebody could walk me through this it would be much appreciated.
According to this: http://www.skype.com/help/guides/firewalls/technical.html
If you don't want to swiss cheese the firewall, you can try to create a rule allowing https (tcp port 443) for the Skype machine, and add this machine to the source exceptions of the HTTPS inspection, as the HTTPS inspection should normally "break" Skype communications over TCP port 443 due to the nature of Skype's traffic (unless they upgrade Skype or so). I know this does not sound nice, but this comes to my mind right now...
Posts: 107
Joined: 26.Feb.2004
From: UK
Status: offline
Did anyone have any success with this? I have also been looking into getting Skype to work with TMG, but as the destination is unknown for Skype due to the P2P nature of it, I can't see how to create an exception rule.
It worked for me a little bit brutal today (as I needed access quickly):
- unbind the web proxy filter from the HTTPS protocol (to "correct" the pre-connect behavior). A sort of a forced HTTPS "direct access".
- configure my Skype machine as SecureNAT client.
- added my machine to the source exclusions of the HTTPS inspection.
Pick a port number...Configure Skype to use this port...
Create an access rule for Skype's outgoing traffic. Create a publishing rule to the Skype PC for the incoming Skype traffic using the same port number. Doddle.....
If you can detail on that rule allowing outgoing traffic if you have a working configuration, I'm sure the OP will be more than thankful to you. I rarely use Skype, for my personal needs it kinda worked like above (very insecure way of doing it...).
Like trying to let Skype connect over TCP port 80? Could work, I don't know. Skype seems to not be very security gateway friendly. Maybe Steve can detail more about his outgoing rule.
Well, I allowed the port range (UDP/TCP 1-65535) for Skype, even unbound the proxy filter and added my PC to HTTPS source exception, but as far as I can tell, if I have HTTPS inspection turned on, Skype does not connect. When I turned HTTPS inspection off, Skype connects almost immediately.
Do you have any idea how to get Skype through and still keep HTTPS inspection on???
Thanks.
< Message edited by TreeFox -- 17.Feb.2010 1:19:27 AM >
I've finally found the solution to make Skype work...
1. First of all, I want my TMG to check HTTPS => HTTPS Inspection=On
2. Create a protocol that opens outbound traffic => TCP (outbound)=1-65535 => UDP (send receive)=1-65535
3. Create a firewall rule for this protocol from Internal to Internet network
4. Install Forefront TMG Client (it's part of the installation files) on the local computer, and allow its support on the TMG server.
5. To restrict Skype from using other rules (holes in other rules), add its signature, which will prevent such behavior.
6. Try to connect to the Skype network.
< Message edited by TreeFox -- 8.Mar.2010 7:05:56 AM >