Running Skype on the Local Network

Page last modified Tue Jul 22 10:05:43 2008

We do not officially support Skype or any network application which utilizes peer-to-peer (P2P) technology. Nonetheless, we won't arbitrarily ban the use of Skype, either. (P2P file sharing and video viewing are banned on the local network.) To run Skype here, though, you must take some precautions so that your computer isn't misidentified as a compromised/rogue system. If you are unable to meet these prerequisites, you cannot run Skype on the local network. In particular, you need to configure your computer as follows.

Skype Must Not Be Run Unattended

When you're not actively using Skype, it should not be running. In particular, if you're going to be away from your computer, Skype should be quit.

Set Skype to Run on Dedicated Port

Make sure Skype is configured to run on port 7650. Also, the option to use ports 80 and/or 443 as backup must be disabled. Your remote Skype contacts should also avoid using a port that is normally associated with undesirable traffic (see below). Ports 7634 through 7673 (inclusive) are unassigned at the time of this writing. (It may not be possible to control all these settings, depending on your operating system. You should apply whatever changes you can to operate in compliance with this policy.)

Disable Selected Outgoing Traffic

You must use a mechanism that allows you to block outgoing traffic on various ports, so that our firewall doesn't log prohibited traffic from your computer, which would lead to your system's network access being blocked. For Windows systems (which must be running Windows 2000 SP4 or better), you can install the McAfee VirusScan package available from OIT. This includes a feature identified as "Access Protection" with which you can block outgoing traffic from your system on a port-by-port basis. See below for the current list of ports which need to be blocked. Note that before you configure VirusScan to block these ports, you need to delete the file (normally) found here:

C:\Program Files\Network Associates\VirusScan\MID\vsecfg.cab

Under VirusScan 8.5 (or better) for Windows, the path to this file is as follows:

C:\Program Files\McAfee\VirusScan Enterprise\MID\vsecfg.cab

If this file is not deleted, changes (like modifications to the "Access Protection" rules) will not persist. (In particular, if this file exists, any changes you make to VirusScan will be lost upon the next system restart.) Note that VirusScan cannot differentiate TCP traffic from UDP traffic. The UDP/TCP information provided below is for (other) systems which can tell the difference. In VirusScan v8.0, you just need to add or modify a rule for each entry below. (Note that there are already rules for incoming and outgoing IRC defined; you merely need to modify the port range for these rules.) Under VirusScan 8.5, you need to enter a rule for each port (range) below, under "User-defined Rules."

For Mac OS X systems, we have not tested any mechanism for providing this functionality, but the following products appear to offer it:

Little Snitch (Shareware)
Flying Buttress (Shareware)
Firewalk X (Shareware)
sunShield (Freeware)

In Linux, you need to use the iptables system for blocking these outgoing ports.

There are probably also some commercial solutions (which would most likely be more costly).
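For the Linux case, here is an added example (not part of the original page or of any site tooling) that turns a block list into iptables rules matching new outgoing connections to a listed remote port. The function names, the "proto port-range" entry format and the port numbers are assumptions made for illustration; the port values are constructed placeholders, not the site's list.

```shell
# Added example: generate iptables OUTPUT rules from a block list.
# Port values in sample_blocklist are CONSTRUCTED PLACEHOLDERS, not the site's list.

valid_port() {                       # succeeds if $1 is an integer in 1..65535
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Reads "proto port" or "proto low-high" lines on stdin (proto: tcp, udp or both).
# Prints one iptables command per rule; returns 1 if any entry was rejected.
gen_block_rules() {
    rc=0
    while read -r proto ports rest; do
        case "$proto" in ''|'#'*) continue ;; esac      # skip blanks and comments
        low=${ports%%-*}
        high=${ports##*-}
        if ! valid_port "$low" || ! valid_port "$high" || [ "$low" -gt "$high" ]; then
            echo "skipped invalid entry: $proto $ports" >&2
            rc=1; continue
        fi
        case "$proto" in
            tcp|udp) protos=$proto ;;
            both)    protos="tcp udp" ;;   # for lists that do not split TCP from UDP
            *) echo "skipped invalid protocol: $proto $ports" >&2; rc=1; continue ;;
        esac
        for p in $protos; do
            # --dport is the port on the remote system; NEW limits the match to
            # connections this computer tries to open.
            echo "iptables -A OUTPUT -p $p --dport $low:$high -m conntrack --ctstate NEW -j REJECT"
        done
    done
    return "$rc"
}

sample_blocklist() {
    cat <<'EOF'
# proto  port-or-range   (constructed placeholder values)
tcp   60001-60010
both  60020
EOF
}

# Print the rules for review; nothing is applied to the firewall here.
sample_blocklist | gen_block_rules
```

The script only prints the commands; check them against the current port list before applying them as root.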

Here is a list of ports that need to be disabled for outgoing traffic:

In particular, you need to block traffic which attempts to open a listed port on a remote system from a local computer.

There will probably be other ports/protocols to be added to this list in the future, and/or the given port ranges or ports can be updated, so please check this page for updates from time to time. This is why the modification date is presented at the top of this page.