How to block SKYPE when it's using port 80 & 443 in a network. ( better if I can do it by using ISA 2006 and without disabling web) I know if users can't install skype they wont be able to use it. So without that?
A) Use blacklisting software or configure policies in AD to block the skype executable.
B) Use a firewall that can do the deep packet inspection and block the traffic.
C) Use your DNS server to intentionally poison requests to skype.com and their associated servers so you prevent skype from connecting.
D) Use software auditing programs and periodically get a report that will tell you who has skype installed and, through company policy, remind them that it's a firing offense if they repeatedly install software on company computers.
E) Remove privileges to users that enable software installation without administrative access.
A quick summary of things that have worked and that probably will work now. All of these will require that you have some form of proxy server, but will probably work with a transparent Squid proxy. They may work with ISA 2006, but I've never used it so I make no promises.
Older versions used a User-Agent string including "skype", so blocking on that could work. Newer versions don't include User-Agent, because it was being used to block.
Older versions connected using IP addresses rather than names. Newer versions apparently use names instead, because people were blocking on https to IP addresses.
Approaches that will likely work now, but which may cause problems of various severity for other applications as well:
Find out the pattern used for the skype domain names and add blocking of those (or if possible, introduce a 2-5 second delay only on those). I did not see any documentation of the domain name patterns used. The delays are for semi-public networks where you want to discourage use by making voice/video quality completely unacceptable without eliminating access for messaging and the website.
Continue to block connections going directly to IP addresses - there's little legitimate reason to do this in these days of HTTP/1.1. For that matter, it might be possible to block HTTP/1.0 but I'm not sure of repercussions.
Continue to block connections with "skype" in the User-Agent
Add blocking of connections with no User-Agent specified (this may break some applications depending on your environment)
If possible, make a policy of blocking Skype with penalties for using it known to your users and follow through.
If it's a corporate environment, make it a corporate policy and publicize several writeups of people for violating corporate computer use guidelines (with no names). This will help address people who install bootleg software or hardware.
If it's a non-corporate environment, make it a policy that computers seen violating the policy (with some leeway for warnings) will lose access to the network, then be ready to do MAC-level blocking or filtering.
You either need something that can do deep-packet inspection, and identify Skype traffic within the packet to use as "block" criteria, or you need to know what external host(s) to simply block access to. I'm not that familiar with the Skype architecture, I'm not sure if it has to go through a central server for any purpose. If it doesn't, then you can't do it the second way.
Since you're using MS ISA Server I'd recommend installing the firewall client on each machine (deploy via AD if possible). You can then block on a per-process basis.
Of course this will only block Windows clients though
A) Use blacklisting software or configure policies in AD to block the skype executable.
B) Use a firewall that can do the deep packet inspection and block the traffic.
C) Use your DNS server to intentionally poison requests to skype.com and their associated servers so you prevent skype from connecting.
D) Use software auditing programs and periodically get a report that will tell you who has skype installed and, through company policy, remind them that it's a firing offense if they repeatedly install software on company computers.
E) Remove privileges to users that enable software installation without administrative access.
A quick summary of things that have worked and that probably will work now. All of these will require that you have some form of proxy server, but will probably work with a transparent Squid proxy. They may work with ISA 2006, but I've never used it so I make no promises.
Approaches that will likely work now, but which may cause problems of various severity for other applications as well:
See http://wiki.squid-cache.org/ConfigExamples/Chat/Skype
You either need something that can do deep-packet inspection, and identify Skype traffic within the packet to use as "block" criteria, or you need to know what external host(s) to simply block access to. I'm not that familiar with the Skype architecture, I'm not sure if it has to go through a central server for any purpose. If it doesn't, then you can't do it the second way.
Since you're using MS ISA Server I'd recommend installing the firewall client on each machine (deploy via AD if possible). You can then block on a per-process basis.
Of course this will only block Windows clients though