Allowing Access to Skype Using Smoothwall Filter & Firewall

Summary

This article explains how to set up Guardian and the Firewall in order to get Skype working through your Smoothwall.

Problem

You would like to allow Skype on your network without opening all ports over 1024 (both TCP and UDP) as recommended by Skype’s official support documentation.

The Skype client is very aggressive when attempting to establish and maintain a connection which makes it very difficult to control without opening large holes in your web filter. The Skype application will:

  • Attempt to connect over any high (1024+) port (TCP and UDP)
  • (ab)use port 80 with non HTTP traffic
  • (ab)use port 443 with non HTTP traffic with an invalid certificate and no SNI header

Solution

In order for the Skype client to work correctly you will need to:

  • Open TCP port 33033 and UDP ports 3479, 3480 and 3481 on your Firewall
  • Whitelist the Skype category in Guardian.

Firewall (Inverness release or above)

If you are using the Inverness release or above:

  1. Go to Network > Firewall > Firewall rule.
  2. Create a rule that allows access to TCP port 33033 and UDP ports 3479, 3480 and 3481.
  3. Move this rule to be above any block rules you have in place.

For a detailed description of how to create a Firewall rule, go to our help topic Using the Smoothwall Firewall.

Firewall (Hearst release or earlier)

  1. Go to Network > Outgoing > Ports.
  2. Create a custom port rule to allow access to TCP port 33033 and UDP ports 3479, 3480 and 3481.
  3. Go to Network > Outgoing > Policies.
  4. Create an outgoing rule for the required groups or sources for the newly created group from step 2.

For a detailed description of how to use the above pages, go to our help topics Managing Outbound Traffic and Services and Working with Outbound Access Policies.

Guardian

  1. Go to Guardian > Web filter > Policy wizard.
  2. Set up a new policy as follows:
    • Who: Everyone*
    • What: Skype
    • Where: Everywhere*
    • When: Always*
    • Action: Whitelist
    • * Change as appropriate
  3. Save your new policy and once the page refreshes move it towards the top of your web filter policy table.
  4. Wait for your changes to take effect - it should take no longer than 5 minutes.