Blocking Skype and other IM protocols in Forefront TMG
It has never been easier to block instant messaging (IM) with Forefront Threat Management Gateway (TMG). If you've read the article I wrote a couple of years ago on how to block IM protocols on ISA Server, you'll definitely appreciate how much more easily and effectively you can do the same thing with TMG.
In this post, I show you how to block Skype, Google Talk, Yahoo Messenger, Live Messenger, etc. using Forefront TMG 2010.
Before I go into the step-by-step procedure, I want to highlight what's happening in the background.
- Microsoft Forefront TMG 2010 now comes with URL Filtering. URL filtering enables you to block web content belonging to a particular category such as Chat, Social Networking, or Pornography.
- Another new feature in TMG 2010 is outbound HTTPS inspection. This allows all HTTPS user traffic to be inspected by TMG.
These are the two new features that we will leverage to block chat. Here is a summary of what we will do:
- Allow only regular web traffic (HTTP and HTTPS) on your TMG server. I am against creating "generic" rules like "allow all" from internal to external when you have SecureNAT clients in your network, as this defeats the purpose of filtering.
- Turn on HTTPS inspection. Read my earlier post if you need help enabling HTTPS inspection.
- In a “Deny” rule on your Web Access Policy, add the “Chat” URL category.
Why do you need HTTPS inspection?
Many IM clients and applications like Skype try to connect using dynamic UDP ports and, when that fails, fall back to HTTPS. With HTTPS inspection turned on, TMG can look inside the HTTPS tunnel to see whether the software is trying to reach a blocked URL.
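The fallback pattern described above (a burst of denied UDP connections to high ports, followed shortly by an HTTPS connection to a Chat-category host) is something you can also look for in your firewall logs to confirm the rule is doing its job. The script below is an added example and not part of the original post or of TMG itself; the log lines are constructed and use a simplified, made-up field layout (time, client IP, protocol, destination IP, destination port, action, URL category) rather than TMG's real W3C log schema, so you would adapt `parse_line` to your exported log format.

```python
"""Flag clients whose denied UDP attempts are followed by an HTTPS
connection to a Chat-category destination (the IM fallback pattern)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (NOT real TMG output). Fields, space-separated:
# time client-ip protocol dest-ip dest-port action url-category
SAMPLE_LOG = """\
2024-01-01T09:00:01 10.0.0.5 UDP 203.0.113.10 41234 Denied -
2024-01-01T09:00:02 10.0.0.5 UDP 203.0.113.11 53021 Denied -
2024-01-01T09:00:03 10.0.0.5 UDP 203.0.113.12 60001 Denied -
2024-01-01T09:00:06 10.0.0.5 HTTPS 203.0.113.20 443 Allowed Chat
2024-01-01T09:00:30 10.0.0.7 HTTPS 198.51.100.5 443 Allowed Business
2024-01-01T09:01:00 10.0.0.9 UDP 203.0.113.30 40000 Denied -
2024-01-01T09:05:00 10.0.0.9 HTTPS 203.0.113.31 443 Allowed Chat
"""


def parse_line(line):
    """Turn one constructed log line into a dict with typed fields."""
    ts, client, proto, dst, port, action, category = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "client": client,
        "proto": proto,
        "dst": dst,
        "port": int(port),
        "action": action,
        "category": category,
    }


def parse_log(text):
    """Parse all non-empty lines of a log export."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_fallback_clients(events, min_udp_denies=2, window=timedelta(seconds=30)):
    """Map client IP -> list of (udp_deny_count, https_event).

    An HTTPS connection to a Chat-category host is reported when, within
    `window` before it, the same client had at least `min_udp_denies`
    denied UDP attempts to high (dynamic) ports.
    """
    udp_denies = defaultdict(list)   # client -> denied UDP events seen so far
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["proto"] == "UDP" and ev["action"] == "Denied" and ev["port"] >= 1024:
            udp_denies[ev["client"]].append(ev)
        elif ev["proto"] == "HTTPS" and ev["category"] == "Chat":
            recent = [
                u for u in udp_denies[ev["client"]]
                if timedelta(0) <= ev["time"] - u["time"] <= window
            ]
            if len(recent) >= min_udp_denies:
                hits[ev["client"]].append((len(recent), ev))
    return dict(hits)


if __name__ == "__main__":
    for client, matches in find_fallback_clients(parse_log(SAMPLE_LOG)).items():
        for count, ev in matches:
            print(f"{client}: {count} denied UDP attempts, then HTTPS to "
                  f"{ev['dst']} ({ev['category']}) at {ev['time']:%H:%M:%S}")
```

With the sample data only 10.0.0.5 is reported (three denied UDP attempts within a few seconds of its HTTPS connection to a Chat host); 10.0.0.9 has a single denied attempt four minutes earlier, so it only shows up if you loosen the threshold and the window. Once the "Chat" category is in your deny rule, the HTTPS line for such a client should show as Denied rather than Allowed.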
1. In the Forefront TMG console, locate the Web Access Policy rule that denies traffic. If you do not have one, right-click Web Access Policy in the left pane and choose Configure Web Access Policy.
2. Click on the “To” tab. Click the Add button.
3. Expand URL Categories. Add the “Chat” URL category to the list.
4. Click OK and apply your changes. Wait for the changes to synchronize (tip: you can verify this under Monitoring > Configuration).
Now for the best part: try connecting to Skype, or any of your favorite instant messaging software. Note that the web versions of these messengers are also blocked!
On a closing note – you can use the same technique to block P2P (peer-to-peer) and file sharing applications like eMule, Kazaa, eDonkey, BitTorrent, etc. using TMG. In step 3, choose the "P2P/File sharing" URL category instead.
Enjoy.
Interesting reading: Blocking Skype and other IM protocols in Forefront TMG http://bit.ly/aplUhI
Pingback: TMG or UAG? Which one do I need? | microsoftNOW
Great Post,
Thanks for it
You’re welcome, Haytham!
So how about the reverse. I need to allow Skype, Messenger and Gmail's IMAP and SMTP. How can one allow these?
Hi Don,
What kind of clients are they – Web proxy, SecureNAT or Firewall Client?
Shijaz
Pingback: Protecting Exchange: TMG or UAG, which one to choose? « Blog des consultants du Permis Informatique
Hi, great article, love the ability to block torrents.
I have an outlook client (2007) which uses IMAP and SMTP, both are being blocked by TMG 2010.
How do I enable these protocols?
Do you have the link to your former article on ISA Server? I want to check it out; I'm having problems blocking Skype through ISA 2006 EE.
Thanks in advance,
JR
Hello!
I am trying to apply your solution, but I have some doubts, please help me!
I've created one rule as you show, so it says:
Block Web Destinations Deny HTTP&HTTPS Internal Chat (Category) All Users
My next rule is:
Irrestrict Access (HTTP&HTTPS) Allow HTTP&HTTPS Internal External Win_Group_IT
I have some managers that must have unrestricted HTTP&HTTPS web access, but I do not want to allow them to connect to IMs.
When I disable the second rule, I can block IM without any problems, but when I enable it, even with the Chat category blocked, it is allowing IM connections.
Can you help me please?
Many thanks in advance!
Hi,
I am trying to block Yahoo Messenger, MSN Messenger and all other messengers but allow Skype. I am using Forefront TMG 2010. Please suggest me some ways. Also I want to be able to allow all the IMs to some users too.
Is it possible to do this without enabling the HTTPS inspection feature?
HTTPS inspection allows TMG to look at traffic inside the HTTPS tunnel and therefore it's required if the application tries to establish a connection over HTTPS.
Somehow it seems that even by just enabling HTTPS inspection, Skype still gets blocked without creating any particular rules. Is there a way around it? Can I access Skype but leave HTTPS inspection enabled?
Thanks
I tried this solution today.
MSN is blocked OK but Skype can still log in.
My TMG is SP1 Update 1.
Hi, great.
Me too, I have the same problem as Rohit, and I would like to block Facebook too but allow Skype in TMG 2010.
I'm blocked.
Thx
Your guidelines work well for me. Now what about Facebook and Twitter? My boss wants them restricted severely with only authorised exceptions. Same for other social network sites.
Hi Shijaz,
Good article published by you.
URL Filtering is a new and good feature in TMG 2010, but we must pay an additional cost for URL Filtering; otherwise it will expire within 90 days.
Without using URL Filtering we can block Yahoo Messenger and Live Messenger by targeting their particular URLs and ports.
Can you advise us on how we can block Skype like the other IMs?
Regards,
COMDINI
Apparently some companies still want to block Skype and IM chats. If you need to, @microsoftNOW shows how -> http://bit.ly/kAwInY #TMG
Hi, please help me to allow Skype only for 2 users in my LAN network … thanx
Hi Tahir,
Follow the steps to block Skype and create an 'exception' for the two users under that same rule.
Hi Shijaz,
Now we have successfully implemented FTMG 2010; we deploy the TMG client to users' machines. Everything seems well, but some users need to have Yahoo Messenger (.yahoo webmessenger) on their computer. How do I enable this in TMG?
If HTTPS inspection is required to block IM apps, then the TMG firewall client should be installed on client machines.
Can't it be done without Firewall Client deployment?
We are using TMG 2010; however, we noticed that TMG is allowing Skype 5.5. Is there any workaround for this? Also TMG is not allowing us to add any other Skype contacts if Chat is disabled, but Skype can log in and make calls.
Can I block all chat s/w except Skype using TMG? If yes, then how?
Great post.
I have one doubt: how can I prevent users from browsing using IP numbers?
This procedure only works using the URLs.
Thanks
Dears,
I have Microsoft ISA 2006 and I want to allow proxy users to use Skype. Could you please tell me the steps on how to create an access rule?
Appreciate it a lot!
Wooo!!!! So nice
Thanks
My situation is the same. I want to block all IM but Skype. We need Skype for business. How do I deploy this in TMG 2010?
Thanks,
Hieu
Can I block only a video conferencing call?
Aslam 3lykom brother
Dear, I already configured a Web Access Policy. Do I need to configure a new one or update the one I configured?
Thanks a lot