Allow Skype to connect in TMG (Full Version)



Peter.D -> Allow Skype to connect in TMG (20.Sep.2009 3:27:29 AM)

Hi,

First, I am pretty new to ISA. Currently I have a server running with TMG Beta 3 on it to mess around with it and get my head around ISA in general. So far so good.

However, I am unable to figure out what I need to do in order to let Skype through. Tried setting up a port rule but to no avail and I am stuck.

If somebody could walk me through this it would be much appreciated.




adimcev -> RE: Allow Skype to connect in TMG (22.Sep.2009 9:30:55 AM)

According to this:
http://www.skype.com/help/guides/firewalls/technical.html
If you don't want to swiss cheese the firewall, you can try to create a rule allowing HTTPS (TCP port 443) for the Skype machine, and add this machine to the source exceptions of the HTTPS inspection, as the HTTPS inspection should normally "break" Skype communications over TCP port 443 due to the nature of Skype's traffic (unless they upgrade Skype or so).
I know this does not sound nice, but this comes to my mind right now...

Thanks,
Adrian




tshinder -> RE: Allow Skype to connect in TMG (27.Sep.2009 10:14:46 AM)

Maybe configure the Skype site for Direct Access, so that it bypasses the Web proxy filter?

HTH,
Tom




adimcev -> RE: Allow Skype to connect in TMG (28.Sep.2009 7:37:39 AM)

Hi Tom,

I think it would be a problem in that Skype uses p2p, so how will we know the destination site(s)?
http://www.skype.com/help/guides/p2pexplained/

Thanks,
Adrian




tshinder -> RE: Allow Skype to connect in TMG (28.Sep.2009 9:33:58 AM)

Hi Adrian,

Hmmm. Good point. Looks like Direct Access won't work in this scenario.

Thanks!
Tom




awj -> RE: Allow Skype to connect in TMG (25.Nov.2009 4:42:04 AM)

Did anyone have any success with this? I have also been looking into getting Skype to work with TMG, but as the destination is unknown for Skype due to the P2P nature of it I can't see how to create an exception rule.




adimcev -> RE: Allow Skype to connect in TMG (26.Nov.2009 10:32:38 AM)

It worked for me a little bit brutal today (as I needed access quickly):
- unbind the web proxy filter from the HTTPS protocol (to "correct" the pre-connect behavior). A sort of a forced HTTPS "direct access".
- configure my Skype machine as SecureNAT client.
- added my machine to the source exclusions of the HTTPS inspection.

Might be ways more gentle to do this though...

Thanks,
Adrian




tshinder -> RE: Allow Skype to connect in TMG (10.Dec.2009 9:43:20 AM)

Hi Adrian,

You should you needed to unbind the Web proxy filter from the HTTP protocol?

Thanks!
Tom




SteveMoffat -> RE: Allow Skype to connect in TMG (10.Dec.2009 9:47:09 AM)

Pick a port number...Configure Skype to use this port...

Create an access rule for Skype's outgoing traffic. Create a publishing rule to the Skype PC for the incoming Skype traffic using the same port number. Doddle.....




adimcev -> RE: Allow Skype to connect in TMG (10.Dec.2009 10:23:02 AM)

Actually the outgoing Skype traffic is the problem...
https://support.skype.com/en/faq/FA148/I-can-t-connect-to-Skype-from-work-or-due-to-a-restrictive-firewall-Which-ports-need-to-be-opened-in-order-to-use-Skype?frompage=category
You don't want the HTTPS inspection or the web proxy to "intercept" this.
It cannot go natively over TCP port 80 as it does not use HTTP; it tries to use TCP 443 directly or tunnel through a web proxy (TCP 443 one more time).

If you can detail that rule allowing outgoing traffic, if you have a working configuration, I'm sure the OP will be more than thankful to you.
I rarely use Skype; for my personal needs it kinda worked like above (very insecure way of doing it...).

Thanks,
Adrian
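
Added example, not part of the original thread and not TMG's own code: the posts above say Skype's traffic on TCP 443 does not use HTTP and gets broken when HTTPS inspection or the web proxy intercepts it. The sketch below shows the kind of structural check an inspecting gateway can apply to the first client bytes on port 443 to tell a well-formed TLS ClientHello from anything else. The function names and byte samples are constructed for illustration, and it is an assumption that the failing traffic is of the "not-tls" kind.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")

def hello_body_ok(body: bytes) -> bool:
    """Walk the fixed ClientHello fields and check every length stays in bounds."""
    if len(body) < 35 or body[0] != 3:        # version(2) + random(32) + sid_len(1)
        return False
    pos = 35 + body[34]                       # skip session_id
    if pos + 2 > len(body):
        return False
    suites_len = int.from_bytes(body[pos:pos + 2], "big")
    if suites_len == 0 or suites_len % 2:     # list of 2-byte cipher suite ids
        return False
    pos += 2 + suites_len
    if pos >= len(body):
        return False
    comp_len = body[pos]                      # compression methods, at least "null"
    return comp_len >= 1 and pos + 1 + comp_len <= len(body)

def classify_first_bytes(data: bytes) -> str:
    """Label the first client payload seen on a TCP 443 connection."""
    if data.startswith(HTTP_METHODS):
        return "http"                         # plain HTTP or a proxy CONNECT
    if len(data) < 5:
        return "incomplete"
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != 0x16 or major != 3 or minor > 4 or not 0 < rec_len <= 16384:
        return "not-tls"                      # not a TLS handshake record header
    record = data[5:5 + rec_len]
    if len(record) < rec_len:
        return "incomplete"                   # wait for more bytes
    if rec_len < 4 or record[0] != 0x01:      # handshake type 1 = ClientHello
        return "not-tls"
    hs_len = int.from_bytes(record[1:4], "big")
    if hs_len + 4 > rec_len:
        return "fragmented"                   # legal but rare; not handled here
    return "tls-client-hello" if hello_body_ok(record[4:4 + hs_len]) else "not-tls"

def sample_client_hello() -> bytes:
    """Constructed minimal ClientHello: TLS 1.2, one cipher suite, no extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

# Constructed stand-in for a proprietary payload dressed up with a TLS-like header.
OPAQUE_SAMPLE = b"\x16\x03\x01\x00\x10" + bytes(range(0x80, 0x90))
```

Connections classified as "not-tls" are the ones a gateway has to either block or pass uninspected, which is the trade-off the thread is working around.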




adimcev -> RE: Allow Skype to connect in TMG (10.Dec.2009 10:34:50 AM)

Hi Tom,

Like trying to let Skype connect over TCP port 80?
Could work, I don't know. Skype seems not to be very security gateway friendly.
Maybe Steve can detail more about his outgoing rule.

Thanks,
Adrian




SteveMoffat -> RE: Allow Skype to connect in TMG (10.Dec.2009 1:09:28 PM)

I've never had an issue at all with Skype thru ISA 2000 - TMG

I have created an access rule for TCP outbound 24783 from the web to my pc...just a random number that I thought of.

Skype communicates to the outside on the same port that is encompassed on my allow all for me cos I'm the boss rule...

FW Client is installed.




tshinder -> RE: Allow Skype to connect in TMG (20.Jan.2010 9:41:27 AM)

For Skype, I think it uses a complex protocol requiring multiple inbound and/or outbound connections, so FWC would be required.

I could see how outbound SSL inspection could create problems, so that would probably need to be disabled.

Thanks!
Tom




TreeFox -> RE: Allow Skype to connect in TMG (16.Feb.2010 6:31:34 AM)

Well, I allowed the port range (UDP/TCP 1-65535) for Skype, even unbound the proxy filter and added my PC to the HTTPS source exceptions, but as far as I can tell, if I have HTTPS inspection turned on Skype does not connect. When I turned HTTPS inspection off, Skype connected almost immediately.

Do you have any idea how to get Skype through and still keep HTTPS inspection on?

Thanks.




TreeFox -> RE: Allow Skype to connect in TMG (8.Mar.2010 6:41:21 AM)

I've finally found the solution to make Skype work...

1. First of all, I want my TMG to check HTTPS => HTTPS Inspection=On
2. Create a protocol that opens outbound traffic
   =>TCP(outbound)=1-65535
   =>UDP(send receive)=1-65535
3. Create a firewall rule for this protocol from Internal to Internet network
4. Install Forefront TMG Client (it's part of the installation files) on the local computer, and allow its support on the TMG server.
5. To restrict Skype from using other rules (holes in other rules), add its signature, which will prevent such behavior.
6. Try to connect to the Skype network.




THX -> RE: Allow Skype to connect in TMG (14.Jun.2013 5:52:07 PM)

TreeFox: What is the Skype signature that you used?

Were you still able to get this to work with HTTPS Inspection enabled?




mariya -> RE: Allow Skype to connect in TMG (24.Jun.2013 5:50:40 AM)

very nice post



