IT Administrators Guide Skype™ for Windows® version 4.2 Version 2.
Overview

Skype lets your business work the way you want to, whatever the message, wherever people are. This guide shows you how to implement and manage Skype's business tools so that your business can save time, save money and stay ahead. Every business can start saving by downloading Skype. There are numerous benefits to your business:

- Calling: use free Skype-to-Skype calls, anywhere in the world.
- Video: have face-to-face meetings without leaving your desk.
Who should read this guide?

This guide is for system and network administrators responsible for determining networking guidelines and for software on the Microsoft® Windows® platform.
Trade Marks

Skype, the Skype logo, Skype Manager, SILK are all trade marks of Skype Limited. Microsoft and Windows are registered trade marks of Microsoft Corporation in the United States and/or other countries. Linux is a registered trade mark of Linus Torvalds in the United States and other countries. Apple and Mac OS X are trade marks of Apple, Inc., registered in the United States and other countries. Asterisk is a registered trade mark of Digium, Inc.
Table of Contents

1.0 Introduction to Skype
1.1 How Skype can help your business
1.1.1 Skype
1.1.2 Skype Manager
1.1.3 Skype for SIP
2.0 Architecture overview
2.1 The P2P architecture
2.1.1 Nodes
2.1.
3.4.5 Adware and spyware
3.4.6 Security and Skype for SIP
3.4.7 Security summary
4.0 Appendix 1: Configurable policies
5.0 Appendix 2: File locations
1.0 Introduction to Skype

Skype brings business people together, helping your business overcome the barriers of cost, distance and technology and allowing you to do more anywhere in the world. You can set up and start using Skype in no time. Reach colleagues and customers for less, improve meetings with face-to-face video calls and keep in touch with Instant Messenger (IM). You’ll discover more flexible ways of working together with Skype.

1.
You can view the selected online status of colleagues on Skype and contact them immediately via free Skype-to-Skype calls or IM.

- Have face-to-face meetings
  You can have face-to-face meetings at your desk with colleagues anywhere in the world using Skype-to-Skype video calls.
- Contact groups of people at the same time
  You can use multi-person video conferencing that's easy to set up, or create group IMs to use as discussion spaces or to share important information instantly over Skype.
1.1.3 Skype for SIP

Skype for SIP is available via Skype Manager. If you have a SIP-enabled PBX, your business can take advantage of Skype's competitive global calling rates to landline and mobile phones. Also, if you have set up inbound calling, you can receive calls made from Skype users and configure your SIP-enabled PBX to direct those calls to your desk phones.
2.0 Architecture overview

Skype's innovative collaboration and communications tools are quick to set up. The platform is primarily formed from Peer-to-Peer (P2P) nodes. Skype is largely self-managing. You won’t have lots of work managing the bandwidth configuration or Quality of Service settings. This means that as an administrator, you’ll be free to get on with everything else you need to do. Plus we don’t like to overburden you with new administration tools.
- Are allowed by your specific Group Policy Object (GPO)

Only a very small percentage of Skype users in your network (if any) become supernodes, mainly because the majority of users have no public IP address. You can also deliberately prevent your users from becoming supernodes by using your Skype GPO Editor. For more information, please see 2.4 Skype client configuration and policies.

Relay nodes are nodes outside your network.
it can use TCP for the media stream (with the additional overhead due to TCP being stateful). Before a user places their call, the client communicates with the peer network to test connectivity. It checks whether the outgoing UDP port is available and the type of address translation used by your network. Status checking and updating is also carried out through P2P architecture to identify a contact’s Status.
2.2.2 NAT configuration

Skype automatically traverses most firewalls and NATs using UDP hole punching, a common technique favoured by Internet Engineering Task Force (IETF) standards, such as RFC 5389 (Session Traversal Utilities for NAT (STUN)). With hole punching, Skype clients that can’t communicate directly can communicate their networking parameters (remote node IP address and source port) through other hosts (relays). They then attempt to initiate direct UDP connections.
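
The hole-punching sequence described above, simulated with a toy NAT model as an added example (not Skype's code and not part of the original guide). The `Nat` class, addresses and ports are constructed for illustration, and the model assumes a NAT that reuses one public port per private endpoint.

```python
class Nat:
    """Toy NAT: one public port per private endpoint; inbound packets are admitted
    only from remote endpoints the private host has already sent to."""

    def __init__(self, public_ip):
        self.public_ip, self.next_port = public_ip, 40000
        self.mappings = {}      # private (ip, port) -> public port
        self.permitted = set()  # (public port, remote (ip, port)) opened by outbound traffic

    def outbound(self, src, dst):
        """Translate an outgoing packet and return the public endpoint it leaves from."""
        if src not in self.mappings:
            self.mappings[src] = self.next_port
            self.next_port += 1
        self.permitted.add((self.mappings[src], dst))
        return (self.public_ip, self.mappings[src])

    def inbound(self, src, dst_port):
        """Return the private endpoint the packet reaches, or None if the NAT drops it."""
        if (dst_port, src) not in self.permitted:
            return None
        return next(p for p, port in self.mappings.items() if port == dst_port)


def hole_punch():
    relay = ("198.51.100.10", 3478)  # constructed relay address (documentation range)
    a_priv, b_priv = ("10.0.0.5", 5000), ("192.168.1.7", 6000)
    nat_a, nat_b = Nat("203.0.113.1"), Nat("203.0.113.2")

    # 1. Each client contacts the relay, which learns both public endpoints.
    a_pub = nat_a.outbound(a_priv, relay)
    b_pub = nat_b.outbound(b_priv, relay)
    # 2. Without punching, B's packet to A's public endpoint is dropped.
    before = nat_a.inbound(b_pub, a_pub[1])
    # 3. A sends to B's public endpoint: dropped at NAT B, but it opens NAT A for B.
    nat_a.outbound(a_priv, b_pub)
    a_first = nat_b.inbound(a_pub, b_pub[1])
    # 4. B sends to A's public endpoint: NAT A now admits it.
    nat_b.outbound(b_priv, a_pub)
    after = nat_a.inbound(b_pub, a_pub[1])
    return before, a_first, after
```
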
Note: Don’t worry if Skype establishes a large number of connections.

2.2.3 HTTPS/SOCKS5 proxies

Many large organizations have firewalls that don’t meet these NAT requirements or employ other restrictive security policies, such as closing off high TCP or UDP ports. If this is the case, you can configure Skype to work through a SOCKS5 or HTTPS proxy.
2.2.5 Network impact

Skype is uniquely designed to function over corporate networks with little impact on their performance. Providing specific details of the performance you can expect is difficult, given the range of Skype tools that could be in use. It also depends on the size of your Contacts list, how frequently the list is updated, and other factors. However, here are some very broad figures to help you design your corporate network.
vary significantly, depending on the number of contacts on each list and how often they change. Calculating specific background traffic requirements for a Skype session is complicated by many factors. This includes the size of a user’s contact list, how often they change their Status, maintenance traffic, and other Skype operations occurring at the time, for example, searches. To be conservative, you should plan on 200 bytes per second, but in practice, those numbers may vary significantly.
- File transfers
- Skype API
- Status type
- Personalization
- Proxy setting
- Premium services

There are two ways to control Skype client configurations:

- Group Policy Objects (GPOs) and the registry (Windows only)
- XML-configuration files

These all have a set precedence for managed settings. In order, these are:

1. HKLM (HKEY_LOCAL_MACHINE) registry keys, for all users on a given machine
2. HKCU (HKEY_CURRENT_USER) registry keys, for a specific user on a given machine
3. Shared.
The administrative template file doesn’t actually apply policy settings, but lets you see them in the GPO Editor. From there, you can create GPOs with the policy settings you want. For a complete list of the policies you can change, please see Appendix 1: Configurable policies.

2.4.3 XML configuration files

The Skype client uses an XML file-based setup. Mac OS X doesn’t have an equivalent to GPOs, so on Mac computers you’ll need to edit the XML files.
have signed up to Skype Manager as its administrator, you can set up business accounts for your employees and create groups to which those accounts belong, for example, Sales and Marketing. You can then buy and allocate Skype Credit to your users, assign features and, if you use a SIP-enabled PBX, use Skype for SIP to set up and manage SIP Profiles. You can also view real-time reporting about Skype usage and costs and print out company invoices. You can find Skype Manager at skype.com/business.
3.0 Security and privacy

We’re committed to secure communications and protecting our users’ privacy. We follow the latest best practice in security, including:

- Encryption of data end-to-end with 256-bit AES encryption keys.
- Protection of encryption keys which aren’t revealed to users or escrowed to third parties and are discarded when the session ends.
- Use of credential-based identities and end-to-end encryption to make 'man-in-the-middle' attacks very unlikely.
In addition, Skype cannot protect users’ hardware against the introduction of spyware or malware, which could compromise the security of a Skype call; it is the user’s responsibility to ensure they have adequate anti-spyware and anti-virus protection on their hardware to prevent unauthorized eavesdropping in this manner. Please be aware that in some jurisdictions Skype works with in-country partners, who take overall responsibility for the Skype products in that market.
Specifically, users can set preferences determining whether:

- Anyone can call or IM
- Only people on their contacts list can call or IM

In addition, file transfer preferences can be set independently of both calls and IMs. Users can also block a specific user from seeing their selected online Status or communicating, even if contact details have already been shared. The list of blocked users can be managed via their privacy settings.

3.3.
3.4.1 Password security

Skype never requests a user’s account name or password by email. Skype passwords are stored as a non-reversible hash. The only areas where passwords are needed are when:

- Signing in to Skype
- Signing in to Skype Manager
- Managing Skype accounts at secure.skype.com/account/login
- Signing in to other known-to-be-valid Skype accounts, such as developer.skype.
3.4.3 Falsifying user identity

It's highly unlikely that anyone could impersonate another user’s Skype identity. We use public-key cryptography with signed digital credentials to authenticate users. Signed digital credentials are only valid for a limited period, then renewed for additional security. However, there’s currently no way to definitively check that a user’s offline identity matches their online identity.
3.4.6 Security and Skype for SIP

Skype for SIP does not, currently, offer sRTP or other forms of voice encryption. Voice traffic should therefore be considered in the same light as non-encrypted email and other data traffic. If you feel that you may be at risk of ‘man in the middle’ or spoofing attacks you should seek the advice of a specialist network security consultancy.
- Instruct your users to choose strong Skype passwords and to change them regularly.
- Instruct your users not to check remember my password when using Skype on a shared or public computer.
4.
DisableVersionCheckPolicy
  DisableVersionCheck, REG_DWORD = {0,1}
  Skype upgrade checks to detect new versions and updates are:
    1 = disabled
    0 = unset = enabled

MemoryOnlyPolicy
  MemoryOnly, REG_DWORD = {0,1}
  Running Skype only in memory (without storing any data on the local disk) is:
    1 = enabled, mem-only
    0 = unset = disabled, disk storage is used

Network

ListenPortPolicy
  ListenPort, REG_DWORD = {0,1}
  Editing by user which port Skype listens to for incoming connections is:
    1 = disabled
    0 = unset = en
ProxyPolicy
  ProxySetting, REG_SZ = {string}
  Skype uses proxy settings:
    Empty string = unset = Skype tries to connect directly, if fails, then uses user defined proxy settings.
    “Automatic” = proxy settings are retrieved from the Windows proxy settings (internet options)
    “Disable” = user cannot modify proxy settings.
    “HTTPS” = forces Skype to use only HTTPS proxy, doesn’t try to connect directly.
    “SOCKS5” = forces Skype to use only SOCKS5 proxy, doesn’t try to connect directly.
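
One way to audit these values offline, as an added example rather than a Skype tool: it parses a `reg export` of the policy key, checks each value against the types and allowed values listed in this appendix, and applies the HKLM-before-HKCU precedence stated earlier in the guide. The key path is a placeholder (the guide text here does not give it), the sample export is constructed, and only the two registry levels the guide names are modelled.

```python
import re

# Value names, types and allowed values as listed in Appendix 1 above.
SCHEMA = {
    "DisableVersionCheck": ("dword", {0, 1}),
    "MemoryOnly": ("dword", {0, 1}),
    "ListenPort": ("dword", {0, 1}),
    "ProxySetting": ("sz", {"", "Automatic", "Disable", "HTTPS", "SOCKS5"}),
}
PRECEDENCE = ["HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"]  # highest priority first

# Constructed sample export; the key path is a placeholder, not the real one.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\EXAMPLE-PLACEHOLDER]
"MemoryOnly"=dword:00000001
"ProxySetting"="HTTPS"
[HKEY_CURRENT_USER\SOFTWARE\Policies\EXAMPLE-PLACEHOLDER]
"ProxySetting"="SOCKS5"
"DisableVersionCheck"=dword:00000002
"ListenPort"=dword:00000001
'''

def parse_reg(text):
    """Parse `reg export` text of the policy key into {hive: {name: (type, value)}}."""
    hives, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"\[(HKEY_[A-Z_]+)\\.*\]", line):
            current = hives.setdefault(m.group(1), {})
        elif current is not None and (m := re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)):
            current[m.group(1)] = ("dword", int(m.group(2), 16))
        elif current is not None and (m := re.fullmatch(r'"([^"]+)"="(.*)"', line)):
            current[m.group(1)] = ("sz", m.group(2))
    return hives

def effective_policy(hives):
    """Return ({name: (value, source hive)}, [problems]); HKLM wins over HKCU."""
    effective, problems = {}, []
    for hive in PRECEDENCE:
        for name, (vtype, value) in hives.get(hive, {}).items():
            if name not in SCHEMA:
                problems.append(f"{hive}: {name} is not a policy listed in the guide")
            elif vtype != SCHEMA[name][0] or value not in SCHEMA[name][1]:
                problems.append(f"{hive}: {name}={value!r} has wrong type or value")
            elif name in effective:
                problems.append(f"{hive}: {name} is shadowed by {effective[name][1]}")
            else:
                effective[name] = (value, hive)
    return effective, problems
```
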
5.
6.0 Appendix 3: Additional information

For more information on Skype:

- Skype for Business: skype.com/business
- Skype FAQs: support.skype.com
- Skype user guides: skype.com/help/guides
- Skype’s privacy policy: skype.com/legal/privacy/general
- Information about Skype-compliant hardware: developer.skype.com/Certification/Hardware/CertifiedProducts
- Information about SILK: developer.skype.com/silk
- The NAT RFC is RFC 4787 (NAT UDP Unicast Requirements): tools.ietf.