How To Block Skype In KWF Please Help
  •  
PRETORIAN

Dear friends, help me: how do I block Skype in KWF? I go mad....
What to do?
If anyone has blocked it, please send me the policy instructions...

Thanks in advance
With best wishes
  •  
Anonymous
Pretorian,

From what I understand, blocking the ports Skype uses will cause Skype to utilize common ports, such as port 80 or 443.

Skype needs unrestricted outgoing TCP access to all destination ports above 1024 or to ports 80 and 443 "to function correctly".
Blocking either of these two pairs will REDUCE quality when utilizing Skype, but from what I read you would need to essentially block 1024-65535 AND 80 and 443.

Are you noticing any adverse effects in regard to Skype specifically?

Best Regards,
Grant Gundersen
Kerio Technologies
First Level Support
  •  
PRETORIAN

I work at an office; I manage about 150 computers and 4 servers. My boss wants me to block Skype during working hours.
I blocked other kinds of chat services such as ICQ, MSN and IRC, but I couldn't block Skype. When I close the above-mentioned ports, errors occur when accessing some kinds of web resources.....

Please send me a rule or policy if anyone has made one for blocking Skype....

With best wishes
  •  
Anonymous
Well, that was what I was getting at; I wasn't all too clear, though. The way Skype will fall back on ports 80 and 443 makes it just about impossible to block without tampering with regular web services.

Skype utilizes a port, configurable in the options of the chat console. To be clear, definitely don't block 80 and 443.

I downloaded Skype to try and play with it and look at the configurable options. My sign-in is blocked and it looks like it's the P2P eliminator.

Click on advanced options and set P2P eliminator to block traffic except the predefined services.

Click services and you will get a 2 pane window. Available services on the left and selected services on the right. Highlight the services on the left you want to permit. Anything you know you need because this filter will knock out standard services. So move the services you need to the right pane. Things like:
DNS, FTP, HTTP, HTTPS, IMAP, IMAPS, Kerio VPN, KWF Admin, NNTP, NNTPS, NTP, PING, POP3, POP3S, SMTP and WebAdmin.

Try that and try and login to Skype Chat and it should be blocked for sign in.
  •  
PRETORIAN

Hello
Thank you for your answer, but it doesn't work.
I did everything as you mentioned above........ and then tried to log in. The login process was much longer, but Skype logged in successfully :(

Why doesn't Kerio do something for blocking Skype!

Now we network administrators have a problem in our offices...

:(
  •  
winkelman

PRETORIAN wrote on Wed, 25 April 2007 18:17

Now we network administrators have a problem in our offices...

If it's a company policy to prohibit Skype, then you shouldn't need a firewall to enforce it. You could of course simply remove Skype from the PCs and tell people they should not install it again or they'd lose their internet/computer/job/raise/whatever...
  •  
Anonymous
Yeah, my Skype is logging in as well.
I'm scouring the Net and there are a lot of help topics regarding this issue.

Read this excerpt from http://www.voipcentral.org/entry/how-to-block-skype-on-a-corporate-network/

Regarding Blocking Port 443

|.... blocking SSL or the ‘Connect’ method, means blocking access to all legitimate websites that use SSL (Hotmail, Yahoo, E-banking, E-commerce websites, e.g any website that is secured by SSL). Should you go down that road, you would have to explicitly allow all permitted destinations (an ongoing technical nightmare).|

So you could create URL rules that allow specific web sites that require SSL, but that would be very difficult. Again, the problem is that Skype is going to use a configurable port plus ports 80 and 443; herein lies the vulnerability and the problem.

Interesting are the Help Topics on Skype.com. They provide instructions for using Skype on a secured network. How to create firewall rules allowing port 80 and 443 traffic? (rolling eyes)

  •  
fion

kerio_ggundersen wrote on Wed, 25 April 2007 00:14


Well, that was what I was getting at; I wasn't all too clear, though. The way Skype will fall back on ports 80 and 443 makes it just about impossible to block without tampering with regular web services.

Skype utilizes a port, configurable in the options of the chat console. To be clear, definitely don't block 80 and 443.

I downloaded Skype to try and play with it and look at the configurable options. My sign-in is blocked and it looks like it's the P2P eliminator.

Click on advanced options and set P2P eliminator to block traffic except the predefined services.

Click services and you will get a 2 pane window. Available services on the left and selected services on the right. Highlight the services on the left you want to permit. Anything you know you need because this filter will knock out standard services. So move the services you need to the right pane. Things like:
DNS, FTP, HTTP, HTTPS, IMAP, IMAPS, Kerio VPN, KWF Admin, NNTP, NNTPS, NTP, PING, POP3, POP3S, SMTP and WebAdmin.

Try that and try and login to Skype Chat and it should be blocked for sign in.


Hi, if I want to block, say, only a user (1 user), can I use a traffic policy? What should I set for its destination and service? Thanks in advance.

fion
  •  
an2ny79

As far as I know, there's no way (for now) to block Skype. As kerio_ggundersen said, they are using common ports (http / https / telnet) which, when you try to block them, will block other legit sites or services.

What I did before was this...

I set a traffic rule to block all HTTPS addresses used by Skype. I thought I was doing well, but not for long (I gathered around 300+ addresses)... Skype is not using a central or dedicated server for authentication that you could block (unlike YM and MSN). They are using clients' computers as servers as well.

I think the only thing you could do is restrict Skype's blockable ports. Leave HTTP and HTTPS; with this you will save lots and lots of bandwidth.

[Updated on: Wed, 17 October 2007 17:43]

  •  
sanjshah68

Hi,
How about giving NAT access to a particular group only, while the rest have to access via proxy? I think Skype works because of NATing. We had a similar problem with Google Talk. We gave internet access using NAT to a few people only. The rest use the proxy; in that way we were able to control Google Talk.

sanjay
  •  
FRiC

Like others have already said, you can't block Skype by blocking ports, since Skype will fall back to port 80.

You could try blocking IP addresses and only allow text URLs.

Or you could try one of those expensive routers that specifically can block Skype. I heard that Verso has such a product and it's what they use to block Skype in China, but then again I have no problems whatsoever using Skype in China...

  •  
martinw

Hello,

Always, always grant access to the internet via a proxy server. Mostly for security reasons.

This request calls for an application-layer block instead of an IP block. Another method is a Packetshaper, which also blocks the application.

Kerio 7.1.0 on SBS2003
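
The proxy-side rule suggested in the replies above (all clients go through a proxy, which refuses HTTPS tunnels to bare IP addresses and to ports other than 443), sketched as an added example; it is not code from any poster or from Kerio. The function names, the allowed-port set and the sample request lines are assumptions made for illustration.

```python
import ipaddress

# Assumption: the proxy only tunnels HTTPS on its standard port.
ALLOWED_CONNECT_PORTS = {443}

def parse_connect_target(request_line):
    """Return (host, port) from 'CONNECT host:port HTTP/1.x', else None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    # Brackets around IPv6 literals are stripped before classification.
    return host.strip("[]").lower(), int(port)

def is_ip_literal(host):
    """True for IPv4/IPv6 literals and for the all-digits integer form."""
    if host.isdigit():
        return True
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def decide(request_line):
    """Policy decision for one proxy request line."""
    target = parse_connect_target(request_line)
    if target is None:
        return "deny: not a well-formed CONNECT"
    host, port = target
    if port not in ALLOWED_CONNECT_PORTS:
        return "deny: port not allowed"
    if is_ip_literal(host):
        return "deny: bare IP destination"
    return "allow"

# Constructed sample request lines (documentation address ranges only).
SAMPLE = [
    "CONNECT webmail.example.com:443 HTTP/1.1",
    "CONNECT 203.0.113.25:443 HTTP/1.1",
    "CONNECT [2001:db8::1]:443 HTTP/1.1",
    "CONNECT 198.51.100.7:33033 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{decide(line):28} {line}")
```

Legitimate HTTPS sites are reached by name and keep working, so this avoids the per-site allow list described in the quoted excerpt; services that are only reachable by IP address over HTTPS would need explicit exceptions.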