I'm in the early stages of transitioning from ISA 2006 Standard to TMG 2010 Standard. I've re-created most of my rules (except for most of the server publishing rules). I've got my computer using the TMG firewall, so I can troubleshoot problems. I'm still working through Jim's book and solving various problems as they come up. (I was able to fix a certificate problem that was making HTTPS inspection fail when connecting to Gmail.)

My latest problem is Skype. It worked fine via ISA with no special rules. Skype is not connecting through TMG, though. Monitoring on TMG, I get a lot of errors where my computer is trying to connect over funky high-numbered UDP ports. The errors look like this:

Client Agent Authenticated Client Service Referring Server Destination Host Name Transport HTTP Method Filter Information MIME Type Object Source Cache Information Error Information Source Port Session Type Bidirectional Network Interface Raw IP Header Raw Payload Processing Time Bytes Sent Bytes Received Original Client IP GMT Log Time Authentication Server UAG Array Id UAG Version UAG Module Id UAG Id UAG Severity UAG Type UAG Event Name UAG Session Id UAG Trunk Name UAG Service Name UAG Error Code Internal Service Info Log Field Client Application SHA1 Hash Client Application Trust State Client Application Internal Name Client Application Product Name Client Application Product Version Client Application File Version Client Application Original File Name Client FQDN URL Categorization Reason Forefront TMG Client Version URL Destination Host Name Log Time Client IP Destination IP Destination Port Protocol Action NIS Scan Result NIS Signature NIS Application Protocol Rule Result Code HTTP Status Code Client Username Source Network Destination Network URL Server Name URL Category Log Record Type Malware Inspection Action Malware Inspection Result Threat Name Threat Level Content Delivery Method Malware Inspection Duration (msec) NAT Address Client Application Path

- UDP - - - 0x0 0x0 24012 0 0 0 172.17.201.128 4/14/2010 6:28:51 PM - - 0 - 0 - - - - - - 0 0 - 4/14/2010 2:28:51 PM 172.17.201.128 128.46.185.36 37373 Unidentified IP Traffic (UDP:37373) Denied Connection Default rule 0xc004000d FWX_E_POLICY_RULES_DENIED Internal External - PHL-TMG1 - Firewall - 0 -

On the Skype website they say you should just open all TCP and UDP outbound ports. That doesn't seem secure! They also say that Skype uses ports 443 and 80, but does not use HTTPS or HTTP over those ports.

I've done a lot of Googling and haven't found much help. I did find one discussion on the ISAserver.org forums. The poster says he's found the solution. The discussion ended with this post:

1. First of all, I want my TMG to check HTTPS => HTTPS Inspection=On
2. Create protocol that open outbound traffic => TCP(outbound)=1-65535 => UDP(send receive)=1-65535
3. Create firewall rule for this protocol from Internal To Internet network
4. Install Forefront TMG Client (it's part of installation files) on local computer, and allow its support on TMG server.
5. To restrict Skype from using other rules (holes in other rules), add its signature which will prevent such behavior.
6. Try to connect to Skype network.

Is this what we've got to do? Open up all TCP outbound ports? Also, we've been using ISA for several years, and so far (except for messing about with it a little at the beginning) I've never installed the Firewall Client. I don't remember what brought me to that decision, but there was a reason for it way back when. I can revisit that if necessary. (Also, FWIW, we have a few Mac clients on our network.)

We use Skype quite a bit to save money on phone calls. What do I need to do to get it going? I'm hoping there's an easy, or at least straightforward, fix.

Thanks,
Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rob Moore
Network Manager
215-241-7870
Helpdesk: 800-500-AFSC