Blocking Skype (but not Lync/SfB)

[paradigm]

A request has come from the upper echelons of the business (and finally backing up my suggestion from two years ago) that we need to block regular Skype, but continue to allow SfB (with Skype/External contacts allowed).

I'm just pondering the best way to block Skype.

If it helps, we are end-to-end networked using Cisco Layer 3 switching (3750X), Cisco Routers and Cisco ASA-5512Xs. Can I block Skype traffic whilst leaving Lync traffic unaffected?

We also have SCCM at our disposal.

Alternatively I could just set an execution policy in GPO ("Don't run specified Windows Applications"), or configure a "Software Restriction Policy" in GPO.

What way would you guys approach this?

Also for forcefully removing Skype is that best done through GPO or SCCM? Skype was never pushed out to users, only installed Ad-Hoc when requested.

 

[skyripper]

Load Fiddler on a machine, track what URLs are being used during the Skype login process, then get them blocked at the content checker.

My organisation just inadvertently blocked it as Skype added a new URL which didn't make it to our whitelist :-[

 

[Felix]

Does your firewall offer layer 7 app control?

Alternatively does your AV software offer app control?

 

[Deathwish]

Maybe AppLocker policy ? Block the running of exe from the installed folder.

 

[Ploppy2k3]

remove Skype (home version) with SCCM and then as users shouldn't be able to install stuff anyway they cant put it back. Install the proper S4B client via SCCM as required.

You will run in to issues trying to allow Skype For business with open federation and not allowing the Home Skype version as they use some of the same urls.