How to block Skype with Next Generation Firewall
- Article Number: 000010135
- Products: Next Generation Firewall (NGFW)
- Version: 6.1, 6.0, 5.9, 5.8, 5.7, 5.6, 5.5, 5.4, 5.3, 5.2, 5.10, 5.1, 5.0
- Last Published Date: August 22, 2017
I am using Next Generation Firewall (NGFW) and I want to block Skype for my company.
When you download Skype application, the executable file contains a list of IP addresses (Skype refers to these IP address as "super nodes" - Skype clients that have a public IP address) that the Skype application tries to connect to. The Skype application can automatically connect to a Skype peer-to-peer architecture through any open Transmission Control Protocol (TCP) port higher than 1024, or ports 80 and 443. If your company restricts outbound connections to ports higher than 1024, the Skype application will try to connect through ports 443 and 80.
The Skype application mostly uses User Datagram Protocol (UDP) for calls and TCP for messages, however the application may use either UDP or TCP for both calls and messages if there is no connectivity (for example, if UDP traffic is blocked). All messages that Skype sends are encrypted and are intended to select IP addresses at random.
The following best practices for blocking Skype apply to Next Generation Firewall (NGFW) versions 5.x to 6.x:
The Skype application element in Security Management Center can only detect traffic sent by Skype on ports 80 and 443. The application cannot entirely block Skype because it cannot be reliably detected when running on other ports.
The Skype Servers group was added in dynamic update 636; this includes the IP ranges covering all known Skype super nodes.
Note This group is actively updated in new update packages, so Forcepoint recommends you activate the latest package.
To prevent Skype usage and all login methods: