Blocking external Skype client authentication

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Blocking external Skype client authentication

Cyber Elite
Cyber Elite

Hello,

We are looking to block our skype clients from authenticating to our on prem servers. We nee the ability to have external parties join our web skype conferences. Anyone know what ports to block to prevent the Skype client from authenticating? I've been looking and looks like my client connects over 443/ssl but that needs to stay open for the web conferences, etc.

 

Thanks in advance!

2 REPLIES 2

Cyber Elite
Cyber Elite

@OtakarKlier,

So you can actually turn this off in the Skype for Business side instead of the firewall side and prevent a user from using the Skype for Business client and SfB phone applications.  Since SfB authenticates over 443 and you can't decrypt the vast majority of this traffic without breaking things I'm not sure how well doing this from the firewall side of things would actually work.

 

External Access Policy:

- Set your EnableOutsideAccess to False

This policy setting will restrict the users ability to authenticate to your Edge servers unless they are internal to your network via any of the SfB desktop clients. 

 

Mobility Policy:

- Set EnableOutsideVoice to False

This will disable the ability for users to utilize Call via Work. 

- Set EnableMobility to False

This disables the ability to sign into Skype for Business Mobile (All of the SfB mobile app clients) 

 

That should be all you need to disable on the SfB side of things to actually deny the client any usable form of external access. They would still be able to join conferences externally via the SfB web app the same way I'm sure your external parties are joining your conferences today, but they wouldn't be able to sign into the SfB client applications or the SfB mobile applications to do so. 

Thanks @BPry ,

Forgot to mention that we need to leave a few externally whitelisted IP's open. I'm not thinking this is possible. Maybe someone out there has done this?

 

Cheers!

  • 1574 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!