Blocking Skype and other IM protocols in Forefront TMG

by Shijaz Abdulla on 13.06.2010 at 18:19

It has never been easier to block instant messaging (IM) with Forefront Threat Management Gateway (TMG). If you’ve read my article that I wrote a couple of years ago on how to block IM protocols on ISA Server, you’ll definitely appreciate the ease with which you can do the same stuff more effectively with TMG.

In this post, I show you how you can block Skype, Google Talk, Yahoo Messenger, Live Messenger, etc. using Forefront TMG 2010.

Before I go into the step-by-step procedure, I want to highlight what’s happening in the background.

  • Microsoft Forefront TMG 2010 now comes with URL Filtering. URL filtering enables you to block web content belonging to a particular category such as Chat, Social Networking, or Pornography.
  • Another new feature in TMG 2010 is Outbound HTTPS inspection. This allows all HTTPS user traffic to be inspected by TMG.

These are the two new features that we will leverage to block chat. Here is a summary of what we will do:

  • Make sure the only allowed traffic on your TMG server is regular web traffic (HTTP and HTTPS). I am against creating “generic” rules like “allow all” from internal to external when you have SecureNAT clients in your network, as this defeats the purpose of filtering.
  • Turn on HTTPS inspection. Read my earlier post if you need help enabling HTTPS inspection.
  • In a “Deny” rule on your Web Access Policy, add the “Chat” URL category.

Why do you need HTTPS inspection?

Many IM clients, Skype included, try to connect using dynamic UDP ports and eventually fall back to HTTPS. With HTTPS inspection turned on, TMG is able to look inside the HTTPS session and see whether the software is requesting a blocked URL.


1. In the Forefront TMG console, locate your Web Access Policy that denies traffic. If you do not have one, right click on Web Access Policy in the left pane and choose Configure Web Access Policy.


2. Click on the “To” tab. Click the Add button.


3. Expand URL Categories. Add the “Chat” URL category to the list.


4. Click OK and Apply your changes. Wait for the changes to synchronize (Tip: you can verify this under Monitoring > Configuration).

Now for the best part: try connecting to Skype, or any of your favorite instant messaging software. Note that the web versions of these messengers are also blocked!


On a closing note – you can use the same technique to block P2P (peer-to-peer) and file sharing applications like eMule, Kazaa, eDonkey, BitTorrent, etc. using TMG. In step 3, choose the “P2P/File sharing” URL category instead.

Enjoy.


38 Responses to Blocking Skype and other IM protocols in Forefront TMG

  1. Louis Göhl says:

    Interesting reading: Blocking Skype and other IM protocols in Forefront TMG http://bit.ly/aplUhI

  2. Pingback: TMG or UAG? Which one do I need? | microsoftNOW

  3. Haytham Ghazy says:

    Great Post,

    Thanks for it

  4. Shijaz says:

    You’re welcome, Haytham! 🙂

  5. Don says:

    So how about the reverse. I need to allow Skype, Messenger and Gmail’s IMAP and SMTP. How can one allows these?

  6. Pingback: Pour protéger Exchange: TMG ou UAG, lequel choisir? « Blog des consultants du Permis Informatique

  7. Adman says:

    Hi, great article, love the ability to block TORRENTS.

    I have an outlook client (2007) which uses IMAP and SMTP, both are being blocked by TMG 2010.

    How do I enable these protocols?

  8. Javier Rosales says:

    Do you have the link for your former article on ISA Server? I want to check it out; I'm having problems blocking Skype through ISA 2006 EE.

    Thanks in advance,

    JR

  9. Hello!

    I am trying to apply your solution, but I have some doubts, please help me!

    I've created one rule as you showed, so it says:

    Block Web Destinations Deny HTTP&HTTPS Internal Chat (Category) All Users

    My next rule is:

    Irrestrict Access (HTTP&HTTPS) Allow HTTP&HTTPS Internal External Win_Group_IT
    I have some managers that must have unrestricted HTTP&HTTPS web access, but I do not want to allow them to connect to IMs.

    When I disable the second rule, I can block IM without any problems, but when I enable it, even blocking the Chat category, it is allowing IM connections.

    Can you help me please?

    Many thanks in advance!

  10. Rohit Sigdel says:

    Hi,
    I am trying to block Yahoo Messenger, MSN Messenger and all other messengers but allow Skype. I am using Forefront TMG 2010. Please suggest me some ways. Also I want to be able to allow all the IMs to some users too.

  11. Baruch Montoya says:

    Is it possible to do this without enabling the HTTPS inspection feature?

  12. George Ku says:

    I tried this solution today.
    MSN can be blocked OK but Skype can still log in.
    My TMG is SP1 Update 1.

  13. SAAD says:

    Hi, great.
    Me too, I have the same problem as Rohit, and I would like to block Facebook too but allow Skype in TMG 2010.
    I'm blocked 🙁
    Tx

  14. Wayne Jenkins says:

    Your guidelines work well for me. Now what about Facebook and Twitter? My boss wants them restricted severely with only authorised exceptions. Same for other Social Network sites.

  15. COMDINI says:

    Hi Shijaz ,

    Good article published by you.
    URL Filtering is a new and good feature in TMG 2010, but we should pay additional cost for URL Filtering. Else within 90 days it will expire.
    Without using URL Filtering we can block Yahoo Messenger and Live Messenger by targeting their particular URLs and ports.
    Can you advise us on how we can block Skype like the other IMs?

    Regards,
    COMDINI

  16. Fastvue says:

    Apparently some companies still want to block Skype and IM chats. If you need to, @microsoftNOW shows how -> http://bit.ly/kAwInY #TMG

  17. Tahir says:

    Hi please help me to allow Skype only for 2 users in my lan network … thanx

  18. roger says:

    Hi Shijaz,
    Now we have successfully implemented FTMG 2010; we deploy the TMG client to users' machines. Everything seems well, but some users need to have Yahoo Messenger (Yahoo web messenger) on their computer. How do I enable this in TMG?

  19. Suliman says:

    If HTTPS inspection is required to block IM apps, then the TMG FW client should be installed on client machines.

    Can't it be done without Firewall client deployment?

  20. Dileepkumar says:

    We are using TMG 2010; however, we noticed that TMG is allowing Skype 5.5. Is there any workaround for this? Also TMG is not allowing adding any other Skype contacts if Chat is disabled, but Skype can log in and make calls.

  21. noman says:

    Can I block all chat s/w except Skype using TMG? If yes, then how?

  22. kyanuj says:

    Great post.
    I have one doubt: how can I prevent users navigating using IP numbers?
    This procedure only works using the URLs.
    Thanks

  23. zeru tesfaye says:

    Dears,
    I have Microsoft ISA 2006 and I want to allow proxy users to use Skype. Could you please tell me the steps on how to create an access rule?

    Appreciate it a lot!

  24. Mehboob Yousafzai says:

    Wooo !!!! so nice

    Thanks

  25. Pham Hieu says:

    My situation is the same. I want to block all IM but Skype. We need Skype for business. How do I deploy this in TMG 2010?
    Thanks,
    Hieu

  26. Kaustubh says:

    Can I block only a video conferencing call?

  27. MOHAMMED says:

    Aslam 3lykom brother

    Dear, I already configured a Web Access Policy. Do I need to configure a new one or update the one I configured?
    Thanks a lot

  28. suthuc says:

    Cannot block any IM applications with TMG SP1 and latest IM applications

  29. Mohmed says:

    Thx a lot for this useful info, but I need to block Skype through ISA 2006.

    Thanks in advance

  30. Richard Mutisya says:

    Blocking torrents still doesn't work... I even tried blocking some porn sites and they still opened even after including them in the URL......
    Verdict: Forefront TMG 2010 # FAIL

  31. Haytham Embaby says:

    Hi all, can anybody help with the following warning from the TMG server, as it stopped all the internal requests:

    Forefront TMG detected a possible SYN attack and will protect the network accordingly

  32. Maria says:

    great post……:)
    This was quite helpful
