
How can I allow Skype to function correctly with restricted outbound ports, HTTPS inspection and the IE proxy enabled? All the documentation I've come across suggests disabling at least one of these features.

Ideally it should be as simple as setting the proxy in Skype to the Forefront server at port 8080, but their use of self-signed certificates renders this impossible due to the administrative overhead of constantly adding new destination and source HTTPS inspection exclusions.

What I really hope to achieve is allowing all traffic out for Skype and Skype alone.

Tim Brigham

1 Answer


In the end I opted for a method to allow all traffic out from the Skype executable but not from anything else. Since Forefront cannot reliably determine which executable traffic is being generated under, I opted to create a rule that allows all traffic outbound for a specific user / user group and force Skype to execute under that user / group. The following AutoIt script provides the necessary functions to do so reliably.

#include <Crypt.au3>
; #RequireAdmin ; only needed when running the SetEncrypted() calls (they write to HKLM)

; Encrypt one field (Domain, User or Password) with AES-256 and store it in the registry.
; The value is prompted for interactively so it never has to appear in the script.
Func SetEncrypted($vPassword, $Field)
    _Crypt_Startup()
    $path = "HKLM\Software\MyORG\Skype"
    $Key = _Crypt_DeriveKey($vPassword, $CALG_AES_256)
    $FieldValue = InputBox($Field, "")
    $output = _Crypt_EncryptData($FieldValue, $Key, $CALG_USERKEY)
    ; Stored as REG_SZ (the text form of the binary) so a GPP registry item can overwrite it later.
    RegWrite($path, $Field, "REG_SZ", $output)
    _Crypt_DestroyKey($Key)
    _Crypt_Shutdown()
EndFunc

; Read one field back from the registry and decrypt it with the same derived key.
Func GetEncrypted($vPassword, $Field)
    _Crypt_Startup()
    $path = "HKLM\Software\MyORG\Skype"
    $Key = _Crypt_DeriveKey($vPassword, $CALG_AES_256)
    $input = RegRead($path, $Field)
    $decrypted = _Crypt_DecryptData($input, $Key, $CALG_USERKEY)
    $decrypted = BinaryToString($decrypted)
    _Crypt_DestroyKey($Key)
    _Crypt_Shutdown()
    Return $decrypted
EndFunc

; The key-derivation password is compiled into the launcher exe itself; set your own value.
$EncryptionPassword = "super password which will be buried in the exe itself, set this yourself "
; One-time setup (run as admin); comment these out again before compiling the launcher.
;SetEncrypted($EncryptionPassword, "Domain")
;SetEncrypted($EncryptionPassword, "User")
;SetEncrypted($EncryptionPassword, "Password")

$User = GetEncrypted($EncryptionPassword, "User")
$Pass = GetEncrypted($EncryptionPassword, "Password")
$Domain = GetEncrypted($EncryptionPassword, "Domain")

; Find the executable name.
$Skype = RegRead("HKLM\SOFTWARE\Skype\Phone", "SkypePath")
If $Skype = "" Then
    ; 64 bit support: 32-bit Skype registers under the Wow6432Node view.
    $Skype = RegRead("HKLM\SOFTWARE\Wow6432Node\Skype\Phone", "SkypePath")
EndIf
If $Skype = "" Then
    MsgBox(16, "Skype launcher", "SkypePath not found in the registry; is Skype installed?")
    Exit 1
EndIf
; MsgBox(0, "", $Skype) ; uncomment to check the detected path while testing

; Run Skype under alternate credentials.
; Logon flag 4 = inherit the calling process's environment instead of loading the account's profile.
RunAs($User, $Domain, $Pass, 4, $Skype, @SystemDir)

Storing the ID and password in the registry makes it very easy to do a password update for the account(s) associated with the alternate credentials - a GPP registry item does the trick.

EDIT - The outbound rule that utilizes authentication for all outbound traffic must be at the very bottom of the priority list, directly above the default rule. If this is not done, any non-authenticated traffic from the inside out (such as email to outside parties) will be killed off.

Tim Brigham
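The same "store the credentials in the registry, then launch Skype as a dedicated account" flow in PowerShell, as an added example that is not part of the original answer. It deliberately swaps out one piece of the AutoIt approach: instead of a key-derivation password compiled into the launcher, the stored values are protected with DPAPI in LocalMachine scope (ProtectedData.Protect), which is a different technique from the script above. The registry path and value names (HKLM\Software\MyORG\Skype; Domain, User, Password) are reused from the answer; the account name svc-skype is a hypothetical placeholder.

```powershell
# Added example, not the original answer's code. Assumes the registry location and value
# names from the answer; the service account 'svc-skype' is a placeholder.
Add-Type -AssemblyName System.Security

$RegPath = 'HKLM:\Software\MyORG\Skype'
$Scope   = [System.Security.Cryptography.DataProtectionScope]::LocalMachine

function Set-ProtectedValue {
    param([string]$Name, [string]$Plain)
    # DPAPI machine scope: any process on this host can decrypt the blob, but the blob
    # is useless if copied to another machine. No key has to live in the launcher.
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Plain)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, $Scope)
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name $Name -Value $blob -PropertyType Binary -Force | Out-Null
}

function Get-ProtectedValue {
    param([string]$Name)
    $blob  = (Get-ItemProperty -Path $RegPath -Name $Name).$Name
    $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]$blob, $null, $Scope)
    return [System.Text.Encoding]::UTF8.GetString($bytes)
}

# One-time setup, run elevated because it writes to HKLM:
# Set-ProtectedValue -Name Domain   -Plain 'MYORG'
# Set-ProtectedValue -Name User     -Plain 'svc-skype'
# Set-ProtectedValue -Name Password -Plain (Read-Host -Prompt 'Password for svc-skype')

# Locate the Skype executable, checking the 32-bit registry view on 64-bit Windows
# the same way the AutoIt script does.
$Skype = $null
foreach ($key in 'HKLM:\SOFTWARE\Skype\Phone', 'HKLM:\SOFTWARE\Wow6432Node\Skype\Phone') {
    $p = Get-ItemProperty -Path $key -Name SkypePath -ErrorAction SilentlyContinue
    if ($p -and $p.SkypePath) { $Skype = $p.SkypePath; break }
}
if (-not $Skype) { throw 'SkypePath not found in the registry; is Skype installed?' }

$domain = Get-ProtectedValue -Name Domain
$user   = Get-ProtectedValue -Name User
$secure = ConvertTo-SecureString (Get-ProtectedValue -Name Password) -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ("$domain\$user", $secure)

# Launch Skype under the dedicated account. Only this process's traffic carries that
# user identity, so only it matches the authenticated-user allow rule on the firewall.
Start-Process -FilePath $Skype -Credential $cred -WorkingDirectory (Split-Path $Skype)
```

Two trade-offs follow from the DPAPI choice. Because LocalMachine blobs are bound to the host that created them, a password rotation has to be re-run on every machine (for example from a startup script) rather than pushed as a single GPP registry value as the answer does. And because any local process can call Unprotect on a machine-scope blob, the launcher account must stay exactly as unprivileged as the firewall rule needs it to be; the protection stops the credentials travelling off the box, not a local user recovering them.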