Welcome to ISAserver.org

Allow Skype to connect in TMG

Allow Skype to connect in TMG - 20.Sep.2009 3:27:29 AM   
Peter.D

 

Posts: 13
Joined: 20.Sep.2009
From: New Zealand
Status: offline
Hi,

First, I am pretty new to ISA. Currently I have a server running with TMG Beta 3 on it to mess around with it and get my head around ISA in general. So far so good.

However, I am unable to figure out what I need to do in order to let Skype through. Tried setting up a port rule but to no avail and I am stuck.

If somebody could walk me through this it would be much appreciated.

_____________________________

Peter Duynstee
Post #: 1
RE: Allow Skype to connect in TMG - 22.Sep.2009 9:30:55 AM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
According to this:
http://www.skype.com/help/guides/firewalls/technical.html
If you don't want to swiss cheese the firewall, you can try to create a rule allowing HTTPS (TCP port 443) for the Skype machine, and add this machine to the source exceptions of the HTTPS inspection, as the HTTPS inspection should normally "break" Skype communications over TCP port 443 due to the nature of Skype's traffic (unless they upgrade Skype or so).
I know this does not sound nice, but this comes to my mind right now...

Thanks,
Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Peter.D)
Post #: 2
RE: Allow Skype to connect in TMG - 27.Sep.2009 10:14:46 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Maybe configure the Skype site for Direct Access, so that it bypasses the Web proxy filter?

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to adimcev)
Post #: 3
RE: Allow Skype to connect in TMG - 28.Sep.2009 7:37:39 AM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
Hi Tom,

I think it would be a problem in that Skype uses P2P, so how will we know the destination site(s)?
http://www.skype.com/help/guides/p2pexplained/

Thanks,
Adrian


(in reply to tshinder)
Post #: 4
RE: Allow Skype to connect in TMG - 28.Sep.2009 9:33:58 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Adrian,

Hmmm. Good point. Looks like Direct Access won't work in this scenario.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to adimcev)
Post #: 5
RE: Allow Skype to connect in TMG - 25.Nov.2009 4:42:04 AM   
awj

 

Posts: 107
Joined: 26.Feb.2004
From: UK
Status: offline
Did anyone have any success with this? I have also been looking into getting Skype to work with TMG, but as the destination is unknown for Skype due to the P2P nature of it, I can't see how to create an exception rule.

(in reply to tshinder)
Post #: 6
RE: Allow Skype to connect in TMG - 26.Nov.2009 10:32:38 AM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
It worked for me in a somewhat brutal way today (as I needed access quickly):
- unbind the web proxy filter from the HTTPS protocol (to "correct" the pre-connect behavior). A sort of forced HTTPS "direct access".
- configure my Skype machine as a SecureNAT client.
- add my machine to the source exclusions of the HTTPS inspection.

There might be gentler ways to do this though...

Thanks,
Adrian


(in reply to awj)
Post #: 7
RE: Allow Skype to connect in TMG - 10.Dec.2009 9:43:20 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Adrian,

You should you needed to unbind the Web proxy filter from the HTTP protocol?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to adimcev)
Post #: 8
RE: Allow Skype to connect in TMG - 10.Dec.2009 9:47:09 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
Pick a port number...Configure Skype to use this port...

Create an access rule for Skype's outgoing traffic. Create a publishing rule to the Skype PC for the incoming Skype traffic using the same port number. Doddle.....

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to tshinder)
Post #: 9
RE: Allow Skype to connect in TMG - 10.Dec.2009 10:23:02 AM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
Actually the outgoing Skype traffic is the problem...
https://support.skype.com/en/faq/FA148/I-can-t-connect-to-Skype-from-work-or-due-to-a-restrictive-firewall-Which-ports-need-to-be-opened-in-order-to-use-Skype?frompage=category
You don't want the HTTPS inspection or the web proxy to "intercept" this.
It cannot go natively over TCP port 80 as it does not use HTTP; it tries to use TCP 443 directly or tunnel through a web proxy (TCP 443 one more time).

If you can give details on that rule allowing outgoing traffic, if you have a working configuration, I'm sure the OP will be more than thankful to you.
I rarely use Skype, for my personal needs it kinda worked like above(very insecure way of doing it...).

Thanks,
Adrian


(in reply to SteveMoffat)
Post #: 10
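
A gateway-side check related to the post above, as an added example that is not part of the original thread: it classifies the first client bytes of a TCP 443 connection as a TLS ClientHello or not, so that only the sources sending something an HTTPS inspection engine cannot parse are considered for the inspection's source exclusions. That the application's port-443 payload is not a standard TLS handshake is an assumption (the thread only says inspection breaks it); the function names, addresses and byte strings are constructed.

```python
import struct

TLS_HANDSHAKE = 0x16        # TLS record content type: handshake
CLIENT_HELLO = 0x01         # handshake message type: ClientHello
MAX_PLAINTEXT = 2 ** 14     # largest plaintext TLS record body

def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client-to-server bytes seen on TCP 443.

    Returns 'tls-client-hello', 'not-tls' or 'too-short'.
    SSLv2-style hellos (first byte 0x80) are reported as 'not-tls'.
    """
    if len(payload) < 6:
        return "too-short"
    ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if ctype != TLS_HANDSHAKE:
        return "not-tls"
    if major != 3 or minor > 4:              # record versions 3.0 .. 3.4
        return "not-tls"
    if rec_len == 0 or rec_len > MAX_PLAINTEXT:
        return "not-tls"
    if payload[5] != CLIENT_HELLO:
        return "not-tls"
    return "tls-client-hello"

def inspection_exception_candidates(flows):
    """flows: iterable of (source_ip, first_client_bytes) captured on TCP 443.

    Returns the sorted source addresses whose traffic an HTTPS inspection
    engine could not treat as TLS, i.e. candidates for a per-source
    exclusion rather than switching inspection off for everyone.
    """
    return sorted({src for src, data in flows
                   if classify_first_bytes(data) == "not-tls"})

# Constructed samples: a truncated but well-formed ClientHello record header,
# and an opaque payload standing in for a proprietary stream on port 443.
CLIENT_HELLO_SAMPLE = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B, 0x03, 0x03])
OPAQUE_SAMPLE = bytes.fromhex("8f3ac10752e9b4d6017a")

SAMPLE_FLOWS = [
    ("10.0.0.21", CLIENT_HELLO_SAMPLE),   # ordinary browser
    ("10.0.0.37", OPAQUE_SAMPLE),         # hypothetical P2P client
    ("10.0.0.37", OPAQUE_SAMPLE[::-1]),
]

if __name__ == "__main__":
    print(inspection_exception_candidates(SAMPLE_FLOWS))
```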
RE: Allow Skype to connect in TMG - 10.Dec.2009 10:34:50 AM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
Hi Tom,

Like trying to let Skype connect over TCP port 80?
Could work, I don't know. Skype seems not to be very security-gateway friendly.
Maybe Steve can detail more about his outgoing rule.

Thanks,
Adrian


(in reply to adimcev)
Post #: 11
RE: Allow Skype to connect in TMG - 10.Dec.2009 1:09:28 PM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
I've never had an issue at all with Skype thru ISA 2000 - TMG

I have created an access rule for TCP outbound 24783 from the web to my pc...just a random number that I thought of.

Skype communicates to the outside on the same port that is encompassed on my allow all for me cos I'm the boss rule...

FW Client is installed.

_____________________________

Thanks
Steve


(in reply to adimcev)
Post #: 12
RE: Allow Skype to connect in TMG - 20.Jan.2010 9:41:27 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
For Skype, I think it uses a complex protocol requiring multiple inbound and/or outbound connections, so FWC would be required.

I could see how outbound SSL inspection could create problems, so that would probably need to be disabled.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to SteveMoffat)
Post #: 13
RE: Allow Skype to connect in TMG - 16.Feb.2010 6:31:34 AM   
TreeFox

 

Posts: 18
Joined: 4.Feb.2010
From: Czech Rep.
Status: offline
Well, I allowed the port range (UDP/TCP 1-65535) for Skype, even unbound the proxy filter and added my PC to the HTTPS source exception, but as far as I can tell, if I have HTTPS inspection turned on, Skype does not connect. When I turned HTTPS inspection off, Skype connected almost immediately.

Do you have any idea how to get Skype through and still keep HTTPS inspection on???

Thanks.

< Message edited by TreeFox -- 17.Feb.2010 1:19:27 AM >


_____________________________

Jan Hroch

(in reply to tshinder)
Post #: 14
RE: Allow Skype to connect in TMG - 8.Mar.2010 6:41:21 AM   
TreeFox

 

Posts: 18
Joined: 4.Feb.2010
From: Czech Rep.
Status: offline
I've finally found the solution to make Skype work...

1. First of all, I want my TMG to check HTTPS => HTTPS Inspection=On
2. Create a protocol that opens outbound traffic
   =>TCP(outbound)=1-65535
   =>UDP(send receive)=1-65535
3. Create a firewall rule for this protocol from the Internal to the Internet network
4. Install Forefront TMG Client (it's part of the installation files) on the local computer, and allow its support on the TMG server.
5. To restrict Skype from using other rules (holes in other rules), add its signature, which will prevent such behavior.
6. Try to connect to the Skype network.

< Message edited by TreeFox -- 8.Mar.2010 7:05:56 AM >


_____________________________

Jan Hroch

(in reply to TreeFox)
Post #: 15
RE: Allow Skype to connect in TMG - 14.Jun.2013 5:52:07 PM   
THX

 

Posts: 107
Joined: 8.Aug.2007
Status: offline
TreeFox: What is the Skype signature that you used?

Were you still able to get this to work with HTTPS Inspection enabled?

(in reply to TreeFox)
Post #: 16
