[isalist] Re: Skype not working over TMG 2010 Standard

  • From: Joe Pochedley <Joe.Pochedley@xxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 19 Apr 2010 15:00:21 -0400

http://www.ISAserver.org
-------------------------------------------------------

Rob,

In our environment, Skype works over TMG...  

First I tried running Skype as a proxy client (with proxy authentication 
configured within the Skype client).  Call quality was fair, there were some 
dropouts, but it worked...   I configured Skype both manually and with its 
"Automatic proxy detection" settings.  Worked fine with either, so long as I 
had valid credentials filled in under Connection > Enable Proxy Authentication 
in Skype. (We have WPAD configured, so I presume Skype is pulling the proxy 
config from WPAD, but I didn't confirm.....)

Then I tried running Skype as a SecureNET client. (I have different IP ranges 
for which clients are allowed to pass SecureNET, so it's pretty easy to force 
the issue one way or the other....) Call quality was noticeably better as 
SecureNET, and the time until Skype was ready to make a call was noticeably faster.

In all cases, on startup, Skype first tried to connect outbound through 
multiple high numbered ports.  It failed.  Under the Proxy config, Skype fell 
back to opening HTTPS/SSL on 443 to the proxy port on TMG (8080)...  That 
worked, but call quality was consistently worse.   As SecureNET client, Skype 
eventually dropped to HTTPS/SSL and basically ended up being approved by the 
same HTTPS rule (on TMG) as under the Proxy config...

I did not try running with TMG client installed (aka FWC).  Also, I do not have 
HTTPS inspection enabled in our environment.  Since you do, that obviously may 
make a difference...  Did you try disabling HTTPS inspection?
 
HTH.

Joe P

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Friday, April 16, 2010 10:48 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Skype not working over TMG 2010 Standard

  
Sounds great. I'm not putting it in production yet, so Monday will be fine!

Thanks,
Rob

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Joe Pochedley
Sent: Friday, April 16, 2010 10:37 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Skype not working over TMG 2010 Standard

  
If you don't mind waiting until Monday, I can check...  I'm out of the office 
today...

Previously we were running Skype over ISA...  IIRC, it was simply 
auto-detecting the proxy (can't remember if it was using wpad, or just grabbing 
the IE system settings...)  It was working without issue and without opening 
all the high numbered ports.  It was just plowing through on 80 & 443 (from 
hazy memory of packet traces and ISA logs).

I only tested Skype with one call on TMG (it's not business critical for us), 
but it worked OK...  None of our users have complained yet and TMG's been in 
production for a week.   :)

JP
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of 
Mayo, Bill [bemayo@xxxxxxxxxxxxxxxx]
Sent: Friday, April 16, 2010 9:59 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Skype not working over TMG 2010 Standard

We don't have people using Skype, so I don't know what is required.  What I can 
comment on is the part about the Firewall Client (in the context of ISA 2006).  
For Windows clients, the Firewall Client is the only way to provide user 
authenticated access to protocols other than http/ftp, so that is where the 
decision comes in.  The Firewall Client hooks into the networking functions of 
Windows and directs requests as necessary to ISA, transparent to the 
application.  If you want to provide access to something other than http/ftp 
(which is handled by the web proxy) you are going to have to decide between the 
Firewall Client and SecureNAT (it sounds like you have been doing the latter).  
I don't know of any reason why you couldn't do the same thing described below 
without the Firewall Client, but I don't know for sure.

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Friday, April 16, 2010 9:44 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Skype not working over TMG 2010 Standard

No answers or thoughts at all? No one else has run into this problem? Found the 
right way to solve it? Nothing? Maybe the list has just been dead for the last 
24 hours.  :)

It's kind of a deal breaker for me, because we use Skype in our business a lot 
(we are a non-profit with offices all over the world and Skype saves us a LOT 
of money on phone calling). I've got to get it going or I'll have to stick with 
ISA 2006. I've actually started contemplating using TMG 2010 to publish our 
servers and sticking with ISA 2006 or some other solution for user access to 
the Internet. Obviously not ideal.

Thanks for any input or thoughts you might have.

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Thursday, April 15, 2010 1:52 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Skype not working over TMG 2010 Standard

I'm in the early stages of transitioning from ISA 2006 Standard to TMG 2010 
Standard. I've re-created most of my rules (except for most of the server 
publishing rules). I've got my computer using the TMG firewall, so I can 
troubleshoot problems. I'm still working through Jim's book and solving various 
problems as they come up. (I was able to fix a certificate problem that was 
making HTTPS inspection fail when connecting to Gmail.)

My latest problem is Skype. It worked fine via ISA with no special rules. Skype 
is not connecting through TMG, though. Monitoring on TMG, I get a lot of errors 
where my computer is trying to connect over funky high-numbered UDP ports. The 
errors look like this:
Transport: UDP
Source Port: 24012
Original Client IP: 172.17.201.128
GMT Log Time: 4/14/2010 6:28:51 PM
Log Time: 4/14/2010 2:28:51 PM
Client IP: 172.17.201.128
Destination IP: 128.46.185.36
Destination Port: 37373
Protocol: Unidentified IP Traffic (UDP:37373)
Action: Denied Connection
Rule: Default rule
Result Code: 0xc004000d FWX_E_POLICY_RULES_DENIED
Source Network: Internal
Destination Network: External
Server Name: PHL-TMG1
Log Record Type: Firewall

On the Skype website they say you should just open all TCP and UDP outbound 
ports. That doesn't seem secure! They also say that Skype uses ports 443 and 
80, but does not use HTTPS or HTTP over those ports.

I've done a lot of Googling and haven't found much help. I did find one 
discussion on the ISAserver.org forums. The poster says he's found the 
solution. The discussion ended with this post:
1. First of all, I want my TMG to check HTTPS => HTTPS Inspection=On
2. Create a protocol that opens outbound traffic
   =>TCP(outbound)=1-65535
   =>UDP(send receive)=1-65535
3. Create a firewall rule for this protocol from the Internal to the Internet network
4. Install the Forefront TMG Client (it's part of the installation files) on the local 
computer, and allow its support on the TMG server.
5. To restrict Skype from using other rules (holes in other rules), add its 
signature, which will prevent such behavior.
6. Try to connect to the Skype network.

Is this what we've got to do? Open up all TCP outbound ports? Also, we've been 
using ISA for several years, and so far (except for messing about with it a 
little at the beginning) I've never installed the Firewall Client. I don't 
remember what brought me to that decision, but there was a reason for it way 
back when. I can revisit that if necessary. (Also, FWIW, we have a few Mac 
clients on our network.)

We use Skype quite a bit to save money on phone calls. What do I need to do to 
get it going? I'm hoping there's an easy, or at least straightforward, fix.

Thanks,
Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rob Moore
Network Manager
215-241-7870
Helpdesk: 800-500-AFSC
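
As an added example (not code from any poster on this thread), a short Python triage script that parses a constructed tab-separated TMG firewall log export, shaped like the record Rob quoted, and summarises which internal clients are hitting the Default rule on high-numbered ports; the 203.0.113.7 destination, the second UDP record and the allowed HTTPS row are constructed values for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: a tab-separated TMG firewall log export (a subset of the
# columns TMG writes), modelled on the denied UDP record quoted in the thread.
# 203.0.113.7 and the allowed HTTPS row are hypothetical values for the example.
SAMPLE_LOG = "\t".join([
    "Transport", "Source Port", "Log Time", "Client IP", "Destination IP",
    "Destination Port", "Protocol", "Action", "Rule", "Result Code",
    "Source Network", "Destination Network", "Log Record Type",
]) + "\n" + "\n".join([
    "UDP\t24012\t4/14/2010 2:28:51 PM\t172.17.201.128\t128.46.185.36\t37373"
    "\tUnidentified IP Traffic (UDP:37373)\tDenied Connection\tDefault rule"
    "\t0xc004000d FWX_E_POLICY_RULES_DENIED\tInternal\tExternal\tFirewall",
    "UDP\t24012\t4/14/2010 2:28:53 PM\t172.17.201.128\t203.0.113.7\t41822"
    "\tUnidentified IP Traffic (UDP:41822)\tDenied Connection\tDefault rule"
    "\t0xc004000d FWX_E_POLICY_RULES_DENIED\tInternal\tExternal\tFirewall",
    "TCP\t51120\t4/14/2010 2:28:55 PM\t172.17.201.128\t203.0.113.7\t443"
    "\tHTTPS\tAllowed Connection\tAllow HTTPS out\t0x0\tInternal\tExternal\tFirewall",
]) + "\n"


def parse_tmg_log(text):
    """Parse a tab-separated TMG log export into one dict per record."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def denied_by_default_rule(records):
    """Keep only connections the Default rule denied (FWX_E_POLICY_RULES_DENIED)."""
    return [r for r in records if r["Action"] == "Denied Connection"
            and "FWX_E_POLICY_RULES_DENIED" in r["Result Code"]]


def summarize_denials(records):
    """Group denied flows by (client IP, transport) -> sorted destination ports.
    Many distinct high ports from one client is the pattern in the thread: a
    P2P client probing direct paths before it falls back to TCP 443."""
    ports = defaultdict(set)
    for r in denied_by_default_rule(records):
        ports[(r["Client IP"], r["Transport"])].add(int(r["Destination Port"]))
    return {key: sorted(p) for key, p in ports.items()}


def high_port_only(summary, threshold=1023):
    """Return keys whose denied destination ports all lie above `threshold`."""
    return [k for k, p in summary.items() if p and min(p) > threshold]
```

Point parse_tmg_log at the text of a real export instead of SAMPLE_LOG, then call summarize_denials and high_port_only to see which clients are only being denied on ephemeral ports.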

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/  
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ 
ISA Server Blogs: http://blogs.isaserver.org/ 
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com 
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
Report abuse to listadmin@xxxxxxxxxxxxx 
