Hi all,
I titled the debate Skype vs TMG because I know this is a struggle of nearly a decade.
Well, now that MS bought Skype, I hope they can modify the protocol so it can be more manageable at the enterprise level. I'm sure they know that Skype is a tool used massively in Latin American companies to reduce telephony costs, and certainly in the world.
Now, I think I've been behind this issue since ISA Server 2004; it has always been a nightmare to allow or deny Skype, in the first instance because it is P2P software. I took a log of a Skype connection attempt and the results are frightening: Skype tries to connect using random TCP and UDP ports, and the destination IPs are also random; there are no URLs, just IPs. So, the only way to allow Skype (with HTTPS Inspection enabled) is to follow these steps:
1. First of all, I want my TMG to check HTTPS => HTTPS Inspection = On
2. Create a protocol that opens outbound traffic:
=> TCP (outbound) = 1-65535
=> UDP (send receive) = 1-65535
3. Create a firewall rule for this protocol from the Internal network to the Internet.
4. Install the Forefront TMG Client (it's part of the installation files) on the local computer, and allow its support on the TMG server.
5. To restrict Skype from using other rules (holes in other rules), add a signature which will prevent such behavior.
6. Try to connect to the Skype network.
Okay, Skype works, it connects, excellent! And I can use the signature on the other rules to not allow Skype, great!
Now, we have a rule that essentially allows traffic of any software using any TCP or UDP port to the Internet, a giant security hole, because the signature is used in the other rules so that Skype does not pass through them, but not in the Skype rule to only allow Skype traffic.
The navigation is still controlled by the other rules and the application layer inspection of traffic; however, when using any software (other than a browser with the proxy configured), using any TCP or UDP port, it has absolute freedom.
TMG can use signatures to block traffic, but not to allow traffic. I cannot find a way to include in this rule something like:
Allow TCP and UDP (any port) to only traffic with this signature.
I do not see this possibility.
Nor do I see the possibility of creating a rule like:
Allow traffic from the "client application path" C:\Program Files\Skype\Phone\Skype.exe only
or
Allow traffic from the "Client Agent" Skype.exe: 3:6.1 only
Can anyone help me close this security hole?
There are several conditions that must be met:
- Skype must work
- I must be able to select which users have access to Skype, and which users do not.
- I must optimize security and allow Skype, only Skype.
- HTTPS Inspection must be enabled
My infrastructure:
- TMG 2010 Standard
- W2K8 Standard R2
- TMG is not our gateway, only our proxy, and only we use it for navigation control and "outbound" connections (we might use some other features in the future)
- All users have the TMG client installed
If someone wants the log I took I will gladly send it to your mail.
I hope someone can help, not just for me, believe me, there are thousands of IT Pros (though clearly I’m not a TMG Gurú) looking for information on this topic.
Thanks a lot.
goDog
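The post above describes a rule that admits any TCP/UDP port to the Internet and a Skype log showing random ports and IPs with no URLs. As an added example (not from the poster or from TMG), here is a small Python audit that profiles the traffic a firewall log attributes to such a wide-open rule, per client, and flags clients whose "Skype" flows hit remote-access or service ports that a softphone has no reason to use. The log layout, the rule name `Skype_Any` and the port list are constructed assumptions, not the real TMG log field order.

```python
from collections import defaultdict

# Constructed sample log (NOT the real TMG W3C field order):
# client_ip rule protocol dest_ip dest_port url ("-" = no URL, as in the poster's Skype log)
SAMPLE_LOG = """\
#Fields: client_ip rule protocol dest_ip dest_port url
10.0.0.5 Skype_Any TCP 203.0.113.10 34567 -
10.0.0.5 Skype_Any UDP 198.51.100.7 51234 -
10.0.0.5 Skype_Any UDP 192.0.2.45 40111 -
10.0.0.5 Web_Access TCP 93.184.216.34 443 https://example.com/
10.0.0.9 Skype_Any TCP 203.0.113.99 22 -
10.0.0.9 Skype_Any TCP 203.0.113.99 3389 -
"""

# Assumed list of ports a Skype client would not legitimately target through the open rule.
REMOTE_ACCESS_PORTS = {22, 23, 135, 139, 445, 3389}


def profile_open_rule(log_text, open_rule):
    """Summarize, per client, the flows the wide-open rule admitted."""
    profiles = defaultdict(lambda: {"flows": 0, "dest_ips": set(),
                                    "dest_ports": set(), "protocols": set()})
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and the header
        client, rule, proto, dest_ip, dest_port, _url = line.split()
        if rule != open_rule:
            continue  # only traffic that traversed the any-port rule matters here
        p = profiles[client]
        p["flows"] += 1
        p["dest_ips"].add(dest_ip)
        p["dest_ports"].add(int(dest_port))
        p["protocols"].add(proto)
    return dict(profiles)


def flag_non_skype_use(profiles):
    """Return {client: sorted remote-access ports} for clients abusing the open rule."""
    hits = {}
    for client, p in profiles.items():
        bad = sorted(p["dest_ports"] & REMOTE_ACCESS_PORTS)
        if bad:
            hits[client] = bad
    return hits


if __name__ == "__main__":
    profiles = profile_open_rule(SAMPLE_LOG, "Skype_Any")
    for client, p in profiles.items():
        print(client, p["flows"], "flows to", len(p["dest_ips"]), "hosts")
    print("suspicious:", flag_non_skype_use(profiles))
```

Run against an exported TMG log after adjusting the field positions; the browser traffic on the `Web_Access` rule is ignored, so the output shows only what slipped through the hole.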