Skype and ISA

This time, I wanted to block/permit Skype (2.0.0.97) messenger using ISA. There is a good discussion about allowing Skype from ISA Server on www.isaserver.org discussion lists. According to Skype Technical FAQ, The minimum requirement is that Skype needs unrestricted outgoing TCP access to all destination ports above 1024 or to ports 80 and 443 (the former is better, however).


If you don’t allow either of those, Skype will not work reliably at all. Now, even if you open these ports, skype will not work if you authentication enabled on outgoing ISA web proxy requests. Actually, the fact is Skype does not support authenticating proxies or authenticating firewalls.


Following is an excerpt / snippet of ISA Web Proxy log which tells the story. As you can see, the request fails with HTTP Status Code 407 which means Proxy Authentication Required and eventually if fails to connect.


Source IP, anonymous, -, N, 3/21/2006, 9:45:48, w3proxy, PROXY-MN, -, 69.204.225.214, -, 443, 0, 39, 2722, SSL-tunnel, -, CONNECT, -, -, -, 407, -, -, –
Source IP, anonymous, -, N, 3/21/2006, 9:45:48, w3proxy, PROXY-MN, -, 69.204.225.214, -, 443, 0, 108, 2722, SSL-tunnel, -, CONNECT, -, -, -, 407, -, -, –

So, if you want to open ports for Skype or allow Skype from ISA then you might want to disable authentication on outgoing ISA web proxy requests. That’s the only way it works :-(.


PROCEDURE:


1. Open the ISA Management console. Right click on your server name and click the Properties command.
2. In the server’s Properties dialog box, click on the Outgoing Web Requests tab.
3. On the Outgoing Web Requests tab, remove the checkmark from the Ask unauthenticated users for identification checkbox.

Leave a Reply

Your email address will not be published. Required fields are marked *