[isalist] Re: Skype not working over TMG 2010 Standard

  • From: "Mayo, Bill" <bemayo@xxxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 16 Apr 2010 09:59:17 -0400

We don't have people using Skype, so I don't know what is required.
What I can comment on is the part about the Firewall Client (in the
context of ISA 2006).  For Windows clients, the Firewall Client is the
only way to provide user authenticated access to protocols other than
http/ftp, so that is where the decision comes in.  The Firewall Client
hooks into the networking functions of Windows and directs requests as
necessary to ISA, transparent to the application.  If you want to
provide access to something other than http/ftp (which is handled by the
web proxy) you are going to have to decide between the Firewall Client
and SecureNAT (it sounds like you have been doing the latter).  I don't
know of any reason why you couldn't do the same thing described below
without the Firewall Client, but I don't know for sure.

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Rob Moore
Sent: Friday, April 16, 2010 9:44 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Skype not working over TMG 2010 Standard


No answers or thoughts at all? No one else has run into this problem?
Found the right way to solve it? Nothing? Maybe the list has just been
dead for the last 24 hours. :)

It's kind of a deal breaker for me, because we use Skype in our business
a lot (we are a non-profit with offices all over the world and Skype
saves us a LOT of money on phone calling). I've got to get it going or
I'll have to stick with ISA 2006. I've actually started contemplating
using TMG 2010 to publish our servers and sticking with ISA 2006 or some
other solution for user access to the Internet. Obviously not ideal.

Thanks for any input or thoughts you might have.

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Rob Moore
Sent: Thursday, April 15, 2010 1:52 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Skype not working over TMG 2010 Standard

 

I'm in the early stages of transitioning from ISA 2006 Standard to TMG
2010 Standard. I've re-created most of my rules (except for most of the
server publishing rules). I've got my computer using the TMG firewall,
so I can troubleshoot problems. I'm still working through Jim's book and
solving various problems as they come up. (I was able to fix a
certificate problem that was making HTTPS inspection fail when
connecting to Gmail.)

My latest problem is Skype. It worked fine via ISA with no special
rules. Skype is not connecting through TMG, though. Monitoring on TMG, I
get a lot of errors where my computer is trying to connect over funky
high-numbered UDP ports. The errors look like this:

Transport: UDP
Source Port: 24012
Original Client IP: 172.17.201.128
GMT Log Time: 4/14/2010 6:28:51 PM
Log Time: 4/14/2010 2:28:51 PM
Client IP: 172.17.201.128
Destination IP: 128.46.185.36
Destination Port: 37373
Protocol: Unidentified IP Traffic (UDP:37373)
Action: Denied Connection
Rule: Default rule
Result Code: 0xc004000d FWX_E_POLICY_RULES_DENIED
Source Network: Internal
Destination Network: External
Server Name: PHL-TMG1
Log Record Type: Firewall

On the Skype website they say you should just open all TCP and UDP
outbound ports. That doesn't seem secure! They also say that Skype uses
ports 443 and 80, but does not use HTTPS or HTTP over those ports.

I've done a lot of Googling and haven't found much help. I did find one
discussion on the ISAserver.org forums. The poster says he's found the
solution. The discussion ended with this post:

1. First of all, I want my TMG to check HTTPS => HTTPS Inspection=On

2. Create a protocol that opens outbound traffic

   => TCP (outbound) = 1-65535

   => UDP (send receive) = 1-65535

3. Create a firewall rule for this protocol from Internal to the Internet
network

4. Install the Forefront TMG Client (it's part of the installation files)
on the local computer, and allow its support on the TMG server.

5. To restrict Skype from using other rules (holes in other rules), add
its signature, which will prevent such behavior.

6. Try to connect to the Skype network.

Is this what we've got to do? Open up all TCP outbound ports? Also,
we've been using ISA for several years, and so far (except for messing
about with it a little at the beginning) I've never installed the
Firewall Client. I don't remember what brought me to that decision, but
there was a reason for it way back when. I can revisit that if
necessary. (Also, FWIW, we have a few Mac clients on our network.)

We use Skype quite a bit to save money on phone calls. What do I need to
do to get it going? I'm hoping there's an easy, or at least
straightforward, fix.

Thanks,

Rob


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rob Moore
Network Manager
215-241-7870
Helpdesk: 800-500-AFSC

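As an added example (not from this thread or from Microsoft), a small Python script that parses a tab-separated export of the TMG log viewer columns Rob pasted and summarises, per client, how many connections the Default rule denied as "Unidentified IP Traffic", over which transport and across what span of destination ports. That triage tells you what the blocked application actually needs before deciding whether a 1-65535 protocol definition is really required. The log rows are constructed sample data; only the column names come from the paste above.

```python
import csv
import io
from collections import Counter

# Constructed sample export in the tab-separated layout the TMG log viewer copies out:
# a header row of column names, then one row per connection. Only a handful of the
# real columns are kept; the row values are made up (documentation IP ranges).
SAMPLE_LOG = """Log Time\tClient IP\tDestination IP\tDestination Port\tProtocol\tAction\tRule\tResult Code\tSource Network\tDestination Network\tLog Record Type
4/14/2010 2:28:51 PM\t172.17.201.128\t203.0.113.10\t37373\tUnidentified IP Traffic (UDP:37373)\tDenied Connection\tDefault rule\t0xc004000d FWX_E_POLICY_RULES_DENIED\tInternal\tExternal\tFirewall
4/14/2010 2:28:52 PM\t172.17.201.128\t203.0.113.11\t50022\tUnidentified IP Traffic (UDP:50022)\tDenied Connection\tDefault rule\t0xc004000d FWX_E_POLICY_RULES_DENIED\tInternal\tExternal\tFirewall
4/14/2010 2:28:53 PM\t172.17.201.128\t203.0.113.12\t443\tHTTPS\tInitiated Connection\tAllow Web Access\t0x0 ERROR_SUCCESS\tInternal\tExternal\tFirewall
4/14/2010 2:29:01 PM\t172.17.201.77\t198.51.100.5\t33434\tUnidentified IP Traffic (UDP:33434)\tDenied Connection\tDefault rule\t0xc004000d FWX_E_POLICY_RULES_DENIED\tInternal\tExternal\tFirewall
"""

def parse_tmg_export(text):
    """Parse a tab-separated TMG log export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))

def unidentified_denials(records):
    """Return the records the Default rule denied as 'Unidentified IP Traffic'.

    The Default rule is the implicit deny at the end of the TMG rule set, so each
    such line means no explicit protocol definition or access rule matched.
    """
    return [r for r in records
            if r["Action"] == "Denied Connection"
            and r["Rule"] == "Default rule"
            and r["Protocol"].startswith("Unidentified IP Traffic")]

def summarize(records):
    """Per client: number of denials, transports seen, and the destination port span."""
    summary = {}
    for r in unidentified_denials(records):
        # The Protocol column carries transport and port, e.g. "Unidentified IP Traffic (UDP:37373)"
        transport = r["Protocol"].split("(")[1].split(":")[0]
        port = int(r["Destination Port"])
        entry = summary.setdefault(r["Client IP"], {"count": 0, "transports": Counter(), "ports": []})
        entry["count"] += 1
        entry["transports"][transport] += 1
        entry["ports"].append(port)
    # A wide span of high ephemeral ports points at a peer-to-peer client rather than
    # a single fixed service port, which is what a narrow protocol definition needs.
    for entry in summary.values():
        entry["port_range"] = (min(entry["ports"]), max(entry["ports"]))
        del entry["ports"]
    return summary

if __name__ == "__main__":
    for client, info in summarize(parse_tmg_export(SAMPLE_LOG)).items():
        print(client, info["count"], dict(info["transports"]), info["port_range"])
```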