Skype x ISA Server 2004 or 2006
Eduardo Petizme
Hi,
If I allow port 443 to any destination, it works. But I don't want my users to access any HTTP site. I want only Skype to work. Can you help me?

Thanks a lot.
Eduardo
Network Admin
Brazil
drno
QUOTE(Eduardo Petizme @ Fri Sep 29 2006, 23:23) [snapback]302814[/snapback]

Hi,
If I allow port 443 to any destination, it works. But I don't want my users to access any HTTP site. I want only Skype to work. Can you help me?

Thanks a lot.
Eduardo
Network Admin
Brazil


Hi Eduardo,

The default rule of the ISA Server is to deny everything,
so you have to permit the access with rules... whatever the user wants to access.
You have to make an HTTPS rule that permits connections only to sites that you have defined.
To deny your users access on port 443 you have to make a new rule, if you don't have one.
You can also define an alternative port for Skype, so that you don't need to permit connections on port 80...
It should work....

Simply make a new rule for Skype users.
Allow HTTPS, HTTP or another port in the same Skype rule first.
Then you have to open the ports 1024 - 65xxxx for TCP and UDP, because the client connects with another port higher than 1024 every time. Skype needs these ports, otherwise it won't work (443, 80 or another port, 1024 - end).
To do this, you have to define a new protocol port range while you are setting up the rule.

If you are using AD, you should make a new group for Skype users... something like "isa-skype" as a global group.
Then you have to permit access for this new "isa-skype-group" in the new Skype rule.

The only problem is that you allow connections to the higher ports....
If you do that, you have to check the security in your network first.

You have to change the connection options of the clients
so they can use Skype with the ISA Server => authentication at the ISA Server as a domain user.

Another possibility to make Skype work in your network is using a "SOCKS proxy".
That is another proxy type that you can use only for the Skype connection...
I haven't tried it yet! I think you have to authenticate the Skype clients at this proxy only...


Eduardo Petizme
Hi drno,

But this doesn't help me, because people will have access to the internet web.
I don't want people to use the web, only Skype.

I know ISA Server very well.

Thanks, by the way, for your help.

QUOTE(drno @ Fri Dec 15 2006, 16:20) [snapback]331659[/snapback]

Hi Eduardo,

The default rule of the ISA Server is to deny everything,
so you have to permit the access with rules... whatever the user wants to access.
You have to make an HTTPS rule that permits connections only to sites that you have defined.
To deny your users access on port 443 you have to make a new rule, if you don't have one.
You can also define an alternative port for Skype, so that you don't need to permit connections on port 80...
It should work....

Simply make a new rule for Skype users.
Allow HTTPS, HTTP or another port in the same Skype rule first.
Then you have to open the ports 1024 - 65xxxx for TCP and UDP, because the client connects with another port higher than 1024 every time. Skype needs these ports, otherwise it won't work (443, 80 or another port, 1024 - end).
To do this, you have to define a new protocol port range while you are setting up the rule.

If you are using AD, you should make a new group for Skype users... something like "isa-skype" as a global group.
Then you have to permit access for this new "isa-skype-group" in the new Skype rule.

The only problem is that you allow connections to the higher ports....
If you do that, you have to check the security in your network first.

You have to change the connection options of the clients
so they can use Skype with the ISA Server => authentication at the ISA Server as a domain user.

Another possibility to make Skype work in your network is using a "SOCKS proxy".
That is another proxy type that you can use only for the Skype connection...
I haven't tried it yet! I think you have to authenticate the Skype clients at this proxy only...

drno
QUOTE(Eduardo Petizme @ Mon Dec 18 2006, 15:46) [snapback]332824[/snapback]

Hi drno,

But this doesn't help me, because people will have access to the internet web.
I don't want people to use the web, only Skype.

I know ISA Server very well.

Thanks, by the way, for your help.


Hi Eduardo,

I know 3 possibilities for using Skype in the network

ISA

1st rule: the ISA denies everything (default)
2nd rule: one rule for HTTPS, where you can permit the websites they have access to (you deny here every HTTPS connection with the browser... not the Skype client) <= ...you don't need this if you deny everything by default.
3rd rule: one rule for Skype using HTTPS (443), HTTP (the port you define in the Skype client for incoming connections), and another "protocol" using the ports higher than 1024 (<= here you have to do this while setting up the rule... making a new "protocol" defining the port range); allow a group or users access in the rule.

If you don't permit access to ports higher than 1024, you need to look at each client to see which port it is using to connect, and you have to permit exactly these ports in the ISA or firewall when connecting... for each user using Skype... that's a lot of work!

I think the users aren't going to be able to use HTTP (80), because the browser needs port 80 to connect to websites and you define a specific port for that. If you make a group policy denying the modification of the browser connections (proxy) or leaving it blank, they won't be able to connect to the internet either.
The Skype client is going to have access through the defined port for incoming connections, not the browser.
The user should be in a global group that has access to the isa-skype rule (3rd rule). The only thing you have to do is to authenticate the user in the Skype client for the ISA Server (username and password = domain user's login).

You can try the business client too, maybe it helps.

or SOCKS proxy

or Firewall Client from ISA (I don't know how, but it works)

If I could not help you... sorry! I gave my best!!


Best regards

drno
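
An added example, not part of the original posts and not ISA Server's own rule engine: a small first-match model of the rule order described in the post above, used to check which outbound connections a group-and-port rule set permits. The `isa-skype` group name comes from the thread; the site list, addresses and flows are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the rule order described in the post; the site list and
# flows are sample values, and this is not ISA Server's own rule engine.
ALLOWED_SITES = frozenset({"bank.example", "www.microsoft.com"})
HIGH_PORTS = range(1024, 65536)

@dataclass(frozen=True)
class Rule:
    name: str
    group: Optional[str]          # None = applies to all users
    services: tuple               # ((protocol, port_range), ...)
    hosts: Optional[frozenset]    # None = any destination

    def matches(self, groups, proto, host, port):
        if self.group is not None and self.group not in groups:
            return False
        if self.hosts is not None and host not in self.hosts:
            return False
        return any(proto == p and port in r for p, r in self.services)

# Allow rules, evaluated top-down; anything unmatched hits the default deny.
RULES = (
    Rule("https-allow-list", None, (("tcp", range(443, 444)),), ALLOWED_SITES),
    Rule("skype", "isa-skype",
         (("tcp", range(443, 444)), ("tcp", HIGH_PORTS), ("udp", HIGH_PORTS)),
         None),
)

def evaluate(groups, proto, host, port):
    """Return (action, rule name) for one outbound flow; first match wins."""
    for rule in RULES:
        if rule.matches(groups, proto, host, port):
            return ("allow", rule.name)
    return ("deny", "default")

def audit():
    """Evaluate constructed flows for a plain user and an isa-skype member."""
    plain = frozenset({"domain-users"})
    skype = frozenset({"domain-users", "isa-skype"})
    flows = [
        (plain, "tcp", "bank.example", 443),    # allow-listed HTTPS site
        (plain, "tcp", "news.example", 443),    # HTTPS site not on the list
        (skype, "udp", "198.51.100.7", 40000),  # high-port peer traffic
        (skype, "tcp", "news.example", 443),    # any HTTPS host, group member
    ]
    return [evaluate(*flow) for flow in flows]

if __name__ == "__main__":
    for result in audit():
        print(result)
```

In this model the last flow is allowed by the `skype` rule because the rule matches on group and port only, so it cannot tell which program on the member's machine opened the connection.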


Eduardo Petizme
Hi, drno

I see that you are an expert on ISA, nice to meet you.
Thanks for your support... thanks very much

When I said people don't have to navigate, it's because I don't want them to have uncontrolled access to the internet. These people can access bank sites, Microsoft sites, but only this. This is working today, and I want to add Skype for some users, but I cannot permit them to access other sites on the internet.

Sorry for my English.

See ya.

QUOTE(drno @ Tue Dec 19 2006, 19:02) [snapback]333433[/snapback]

Hi Eduardo,

I know 3 possibilities for using Skype in the network

ISA

1st rule: the ISA denies everything (default)
2nd rule: one rule for HTTPS, where you can permit the websites they have access to (you deny here every HTTPS connection with the browser... not the Skype client) <= ...you don't need this if you deny everything by default.
3rd rule: one rule for Skype using HTTPS (443), HTTP (the port you define in the Skype client for incoming connections), and another "protocol" using the ports higher than 1024 (<= here you have to do this while setting up the rule... making a new "protocol" defining the port range); allow a group or users access in the rule.

If you don't permit access to ports higher than 1024, you need to look at each client to see which port it is using to connect, and you have to permit exactly these ports in the ISA or firewall when connecting... for each user using Skype... that's a lot of work!

I think the users aren't going to be able to use HTTP (80), because the browser needs port 80 to connect to websites and you define a specific port for that. If you make a group policy denying the modification of the browser connections (proxy) or leaving it blank, they won't be able to connect to the internet either.
The Skype client is going to have access through the defined port for incoming connections, not the browser.
The user should be in a global group that has access to the isa-skype rule (3rd rule). The only thing you have to do is to authenticate the user in the Skype client for the ISA Server (username and password = domain user's login).

You can try the business client too, maybe it helps.

or SOCKS proxy

or Firewall Client from ISA (I don't know how, but it works)

If I could not help you... sorry! I gave my best!!
Best regards

drno
