[isalist] Skype not working over TMG 2010 Standard

  • From: Rob Moore <RMoore@xxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 15 Apr 2010 13:51:45 -0400

I'm in the early stages of transitioning from ISA 2006 Standard to TMG 2010 
Standard. I've re-created most of my rules (except for most of the server 
publishing rules). I've got my computer using the TMG firewall, so I can 
troubleshoot problems. I'm still working through Jim's book and solving various 
problems as they come up. (I was able to fix a certificate problem that was 
making HTTPS inspection fail when connecting to Gmail.)

My latest problem is Skype. It worked fine via ISA with no special rules. Skype 
is not connecting through TMG, though. Monitoring on TMG, I get a lot of errors 
where my computer is trying to connect over funky high-numbered UDP ports. The 
errors look like this:
Log Time:             4/14/2010 2:28:51 PM
GMT Log Time:         4/14/2010 6:28:51 PM
Client IP:            172.17.201.128
Original Client IP:   172.17.201.128
Source Port:          24012
Destination IP:       128.46.185.36
Destination Port:     37373
Transport:            UDP
Protocol:             Unidentified IP Traffic (UDP:37373)
Action:               Denied Connection
Rule:                 Default rule
Result Code:          0xc004000d FWX_E_POLICY_RULES_DENIED
Source Network:       Internal
Destination Network:  External
Server Name:          PHL-TMG1
Log Record Type:      Firewall

On the Skype website they say you should just open all TCP and UDP outbound 
ports. That doesn't seem secure! They also say that Skype uses ports 443 and 
80, but does not use HTTPS or HTTP over those ports.

I've done a lot of Googling and haven't found much help. I did find one 
discussion on the ISAserver.org forums. The poster says he's found the 
solution. The discussion ended with this post:
1. First of all, I want my TMG to check HTTPS => HTTPS Inspection=On
2. Create a protocol that opens outbound traffic
   =>TCP(outbound)=1-65535
   =>UDP(send receive)=1-65535
3. Create a firewall rule for this protocol from the Internal to the Internet network
4. Install the Forefront TMG Client (it's part of the installation files) on the local 
computer, and allow its support on the TMG server.
5. To restrict Skype from using other rules (holes in other rules), add its 
signature, which will prevent such behavior.
6. Try to connect to the Skype network.

Is this what we've got to do? Open up all TCP outbound ports? Also, we've been 
using ISA for several years, and so far (except for messing about with it a 
little at the beginning) I've never installed the Firewall Client. I don't 
remember what brought me to that decision, but there was a reason for it way 
back when. I can revisit that if necessary. (Also, FWIW, we have a few Mac 
clients on our network.)

We use Skype quite a bit to save money on phone calls. What do I need to do to 
get it going? I'm hoping there's an easy, or at least straightforward, fix.

Thanks,
Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rob Moore
Network Manager
215-241-7870
Helpdesk: 800-500-AFSC
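
As an added example (not part of Rob's message and not TMG's own tooling), a small Python parser for the tab-separated record layout TMG's log viewer exports, used to pull out the connections the Default rule denied and list the high-numbered UDP destination ports involved, which is the pattern the message describes. The log rows are constructed sample data: the first row is the record from the message, the others (the second client address 203.0.113.7, the allowed HTTP row and its result-code text) are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample in the tab-separated layout the TMG log viewer exports
# (header row, then one record per line); only a subset of columns is kept.
HEADER = ["Log Time", "Client IP", "Destination IP", "Destination Port", "Transport",
          "Protocol", "Action", "Rule", "Result Code", "Log Record Type"]
ROWS = [
    # Record from the message: Default rule denying unidentified UDP traffic
    ["4/14/2010 2:28:51 PM", "172.17.201.128", "128.46.185.36", "37373", "UDP",
     "Unidentified IP Traffic (UDP:37373)", "Denied Connection", "Default rule",
     "0xc004000d FWX_E_POLICY_RULES_DENIED", "Firewall"],
    # Constructed: same client retrying the same destination two seconds later
    ["4/14/2010 2:28:53 PM", "172.17.201.128", "128.46.185.36", "37373", "UDP",
     "Unidentified IP Traffic (UDP:37373)", "Denied Connection", "Default rule",
     "0xc004000d FWX_E_POLICY_RULES_DENIED", "Firewall"],
    # Constructed: another high UDP port towards a second (documentation) address
    ["4/14/2010 2:29:10 PM", "172.17.201.128", "203.0.113.7", "52110", "UDP",
     "Unidentified IP Traffic (UDP:52110)", "Denied Connection", "Default rule",
     "0xc004000d FWX_E_POLICY_RULES_DENIED", "Firewall"],
    # Constructed: non-HTTPS traffic on TCP 443, also caught by the Default rule
    ["4/14/2010 2:29:12 PM", "172.17.201.128", "128.46.185.36", "443", "TCP",
     "Unidentified IP Traffic (TCP:443)", "Denied Connection", "Default rule",
     "0xc004000d FWX_E_POLICY_RULES_DENIED", "Firewall"],
    # Constructed: ordinary web traffic allowed by a web access rule (assumed names)
    ["4/14/2010 2:29:15 PM", "172.17.201.128", "203.0.113.7", "80", "TCP",
     "HTTP", "Allowed Connection", "Allow Web Access", "0x0 ERROR_SUCCESS", "Firewall"],
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in [HEADER] + ROWS) + "\n"


def parse_tmg_log(text):
    """Return one dict per record, keyed by the column names in the header row."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def denied_by_default_rule(records):
    """Records the Default rule rejected (result code FWX_E_POLICY_RULES_DENIED)."""
    return [r for r in records
            if r["Action"] == "Denied Connection"
            and "FWX_E_POLICY_RULES_DENIED" in r["Result Code"]]


def summarize_denials(records):
    """Count Default-rule denials per (client IP, transport, destination port)."""
    counts = Counter()
    for r in denied_by_default_rule(records):
        counts[(r["Client IP"], r["Transport"], int(r["Destination Port"]))] += 1
    return counts


def high_udp_targets(records, low=1024):
    """Sorted UDP destination ports >= low that the Default rule denied."""
    return sorted({port for (_, transport, port) in summarize_denials(records)
                   if transport == "UDP" and port >= low})
```

Run against a real export, the port list shows which UDP ranges the client is actually trying before deciding how wide a protocol definition the rule needs.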
