http://www.ISAserver.org
-------------------------------------------------------

Rob,

In our environment, Skype works over TMG...

First I tried running Skype as a proxy client (with proxy authentication configured within the Skype client). Call quality was fair, there were some dropouts, but it worked... I configured Skype both manually and with its "Automatic proxy detection" settings. Worked fine with either, so long as I had valid credentials filled in under Connection > Enable Proxy Authentication in Skype. (We have WPAD configured, so I presume Skype is pulling the proxy config from WPAD, but I didn't confirm.....)

Then I tried running Skype as a SecureNAT client. (I have different IP ranges for which clients are allowed to pass SecureNAT, so it's pretty easy to force the issue one way or the other....) Call quality was noticeably better as SecureNAT and the time until Skype was ready to make a call was noticeably faster.

In all cases, on startup, Skype first tried to connect outbound through multiple high numbered ports. It failed. Under the Proxy config, Skype fell back to opening HTTPS/SSL on 443 to the proxy port on TMG (8080)... That worked, but call quality was consistently worse. As SecureNAT client, Skype eventually dropped to HTTPS/SSL and basically ended up being approved by the same HTTPS rule (on TMG) as under the Proxy config...

I did not try running with TMG client installed (aka FWC). Also, I do not have HTTPS inspection enabled in our environment. Since you do, that obviously may make a difference... Did you try disabling HTTPS inspection?

HTH.

Joe P

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore
Sent: Friday, April 16, 2010 10:48 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Skype not working over TMG 2010 Standard

Sounds great.
I'm not putting it in production yet, so Monday will be fine!

Thanks,
Rob

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Joe Pochedley
Sent: Friday, April 16, 2010 10:37 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Skype not working over TMG 2010 Standard

If you don't mind waiting until Monday, I can check... I'm out of the office today...

Previously we were running Skype over ISA... IIRC, it was simply auto-detecting the proxy (can't remember if it was using WPAD, or just grabbing the IE system settings...) It was working without issue and without opening all the high numbered ports. It was just plowing through on 80 & 443 (from hazy memory of packet traces and ISA logs).

I only tested Skype with one call on TMG (it's not business critical for us), but it worked OK... None of our users have complained yet and TMG's been in production for a week. :)

JP

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mayo, Bill [bemayo@xxxxxxxxxxxxxxxx]
Sent: Friday, April 16, 2010 9:59 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Skype not working over TMG 2010 Standard

We don't have people using Skype, so I don't know what is required. What I can comment on is the part about the Firewall Client (in the context of ISA 2006). For Windows clients, the Firewall Client is the only way to provide user authenticated access to protocols other than http/ftp, so that is where the decision comes in. The Firewall Client hooks into the networking functions of Windows and directs requests as necessary to ISA, transparent to the application. If you want to provide access to something other than http/ftp (which is handled by the web proxy) you are going to have to decide between the Firewall Client and SecureNAT (it sounds like you have been doing the latter).
I don't know of any reason why you couldn't do the same thing described below without the Firewall Client, but I don't know for sure.

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore
Sent: Friday, April 16, 2010 9:44 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Skype not working over TMG 2010 Standard

No answers or thoughts at all? No one else has run into this problem? Found the right way to solve it? Nothing? Maybe the list has just been dead for the last 24 hours. :)

It's kind of a deal breaker for me, because we use Skype in our business a lot (we are a non-profit with offices all over the world and Skype saves us a LOT of money on phone calling). I've got to get it going or I'll have to stick with ISA 2006. I've actually started contemplating using TMG 2010 to publish our servers and sticking with ISA 2006 or some other solution for user access to the Internet. Obviously not ideal.

Thanks for any input or thoughts you might have.

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore
Sent: Thursday, April 15, 2010 1:52 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Skype not working over TMG 2010 Standard

I'm in the early stages of transitioning from ISA 2006 Standard to TMG 2010 Standard. I've re-created most of my rules (except for most of the server publishing rules). I've got my computer using the TMG firewall, so I can troubleshoot problems. I'm still working through Jim's book and solving various problems as they come up. (I was able to fix a certificate problem that was making HTTPS inspection fail when connecting to Gmail.)

My latest problem is Skype. It worked fine via ISA with no special rules. Skype is not connecting through TMG, though. Monitoring on TMG, I get a lot of errors where my computer is trying to connect over funky high-numbered UDP ports.
The errors look like this:

Client Agent Authenticated Client Service Referring Server Destination Host Name Transport HTTP Method Filter Information MIME Type Object Source Cache Information Error Information Source Port Session Type Bidirectional Network Interface Raw IP Header Raw Payload Processing Time Bytes Sent Bytes Received Original Client IP GMT Log Time Authentication Server UAG Array Id UAG Version UAG Module Id UAG Id UAG Severity UAG Type UAG Event Name UAG Session Id UAG Trunk Name UAG Service Name UAG Error Code Internal Service Info Log Field Client Application SHA1 Hash Client Application Trust State Client Application Internal Name Client Application Product Name Client Application Product Version Client Application File Version Client Application Original File Name Client FQDN URL Categorization Reason Forefront TMG Client Version URL Destination Host Name Log Time Client IP Destination IP Destination Port Protocol Action NIS Scan Result NIS Signature NIS Application Protocol Rule Result Code HTTP Status Code Client Username Source Network Destination Network URL Server Name URL Category Log Record Type Malware Inspection Action Malware Inspection Result Threat Name Threat Level Content Delivery Method Malware Inspection Duration (msec) NAT Address Client Application Path

- UDP - - - 0x0 0x0 24012 0 0 0 172.17.201.128 4/14/2010 6:28:51 PM - - 0 - 0 - - - - - - 0 0 - 4/14/2010 2:28:51 PM 172.17.201.128 128.46.185.36 37373 Unidentified IP Traffic (UDP:37373) Denied Connection Default rule 0xc004000d FWX_E_POLICY_RULES_DENIED Internal External - PHL-TMG1 - Firewall - 0 -

On the Skype website they say you should just open all TCP and UDP outbound ports. That doesn't seem secure! They also say that Skype uses ports 443 and 80, but does not use HTTPS or HTTP over those ports.

I've done a lot of Googling and haven't found much help. I did find one discussion on the ISAserver.org forums. The poster says he's found the solution.
The discussion ended with this post:

    1. First of all, I want my TMG to check HTTPS
       => HTTPS Inspection=On
    2. Create protocol that open outbound traffic
       =>TCP(outbound)=1-65535
       =>UDP(send receive)=1-65535
    3. Create firewall rule for this protocol from Internal To Internet network
    4. Install Forefront TMG Client (it's part of installation files) on local computer, and allow its support on TMG server.
    5. To restrict skype from using other rules (holes in other rules), add its signature which will prevent such behavior.
    6. Try to connect to skype network.

Is this what we've got to do? Open up all TCP outbound ports?

Also, we've been using ISA for several years, and so far (except for messing about with it a little at the beginning) I've never installed the Firewall Client. I don't remember what brought me to that decision, but there was a reason for it way back when. I can revisit that if necessary. (Also, FWIW, we have a few Mac clients on our network.)

We use Skype quite a bit to save money on phone calls. What do I need to do to get it going? I'm hoping there's an easy, or at least straightforward, fix.
Thanks,
Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rob Moore
Network Manager
215-241-7870
Helpdesk: 800-500-AFSC

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites: http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
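
Added example, not part of the thread or any poster's tooling: a short Python log check for the pattern the messages describe, where a client is denied on many high-numbered UDP ports by the default rule and then gets out over 443. It assumes the TMG log has been exported to CSV with the log viewer column names quoted above; the sample rows are constructed (only the first uses values from the thread) and the rule name "Allow web access" is hypothetical.

```python
import csv
import io
from collections import defaultdict

# Constructed sample. Column names follow the TMG log viewer fields quoted in
# the thread; only the first row uses values from the thread, the rest are
# made up with documentation address ranges.
SAMPLE_LOG = """\
Log Time,Client IP,Destination IP,Destination Port,Protocol,Action,Rule
4/14/2010 2:28:51 PM,172.17.201.128,128.46.185.36,37373,Unidentified IP Traffic (UDP:37373),Denied Connection,Default rule
4/14/2010 2:28:52 PM,172.17.201.128,192.0.2.10,41822,Unidentified IP Traffic (UDP:41822),Denied Connection,Default rule
4/14/2010 2:28:52 PM,172.17.201.128,198.51.100.7,52011,Unidentified IP Traffic (UDP:52011),Denied Connection,Default rule
4/14/2010 2:28:55 PM,172.17.201.128,203.0.113.5,443,HTTPS,Initiated Connection,Allow web access
4/14/2010 2:29:10 PM,172.17.201.50,192.0.2.53,53,DNS,Denied Connection,Default rule
4/14/2010 2:29:30 PM,172.17.201.60,192.0.2.99,40000,Unidentified IP Traffic (UDP:40000),Denied Connection,Default rule
"""


def summarize(log_text, port_floor=1024, min_ports=3):
    """Return {client_ip: {"ports": [...], "fell_back_to_443": bool}} for
    clients denied on at least min_ports distinct high UDP ports by the
    default rule."""
    denied_ports = defaultdict(set)
    used_443 = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        client = row["Client IP"]
        port = int(row["Destination Port"])
        denied = row["Action"].startswith("Denied")
        if (denied and "UDP" in row["Protocol"] and port >= port_floor
                and row["Rule"] == "Default rule"):
            denied_ports[client].add(port)
        elif not denied and port == 443:
            # A permitted connection on 443 after the denials is the fallback
            # path described in the thread.
            used_443.add(client)
    return {
        client: {"ports": sorted(ports), "fell_back_to_443": client in used_443}
        for client, ports in denied_ports.items()
        if len(ports) >= min_ports
    }


if __name__ == "__main__":
    for client, info in summarize(SAMPLE_LOG).items():
        print(client, info)
```

Clients it reports are being served by the existing 443 rule, which is the information needed before deciding whether a 1-65535 outbound protocol definition is necessary at all.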