Managing Skype in business
Telephone calls are expensive, and VoIP solutions have become a popular alternative to the traditional PABX. One of the more popular tools is the eBay-owned Skype, a consumer VoIP service that’s gained sizable market share among business users.
There’s a lot that’s good about Skype: free PC-to-PC calls, as well as instant messaging, multi-person conference calls and video calling. It also lets your clients call internationally-hosted free phone numbers without incurring international call costs – something that can get pricey when it’s a US 1-800 number for sales information or the audio channel to a webinar or a WebEx conference. But there are also plenty of issues with Skype: you have to manage a large number of individual accounts and deal with the bandwidth requirements of Skype’s unique directory service.
Unlike many other VoIP services, Skype doesn’t use a centralised directory service. Built on techniques developed for P2P file sharing, Skype uses a distributed directory that shares its details across the millions of PCs currently connected to the network. While that sounds innocuous, it’s a problem for networks with high-bandwidth connections, as Skype’s directory needs supernodes to direct Skype-to-Skype calls between users behind NAT connections. Skype supernodes don’t just manage directory lookups; they also proxy voice calls and file transfers. If your clients have plenty of bandwidth, there’s a risk that any Skype client on their network can become a supernode, affecting network performance and using up the business’s bandwidth allocation very quickly.
The set of Active Directory Group Policies you can use to control instances of Skype on a network you manage doesn’t allow you to disable Skype, but it does allow you to control many of Skype’s key features: locking down the ports used to connect to the Skype network, controlling how copies check for updates, and disabling third-party add-ons by limiting access to the Skype API. One of the more useful features prevents all the copies of Skype on a network you manage from becoming supernodes.
The ADM template files are on the Skype Web site at www.skype.com/se... (there’s a PDF guide to using them at www.skype.com/bus...). You can use them with any Active Directory management tool to build and manage the GPOs you need, so you can assign appropriate policies to individuals, groups or roles within an AD.
These are the key policies to use to keep Skype under control on your clients’ networks:
Setting this policy prevents users from using Skype’s built-in file transfer tools. This closes a possible channel for unauthorised file transfers.
Skype’s API allows third-party applications to link into Skype (and Skype to link out into other desktop tools). Disabling the API minimises security risks by reducing the chance of Skype acting as a malware vector. It also prevents unauthorised call recording, as well as blocking Skype’s access to Outlook and other productivity tools.
Locking Skype down to use specific ports can help with network management and security. Use this policy to set the listening port, where Skype listens for connections. Other related policies allow you to control the HTTP ports used and to prevent UDP connections.
Use this policy to prevent all the copies of the Skype client on your clients’ networks from becoming supernodes, keeping bandwidth usage to a minimum.
Skype will normally check automatically for new versions. This GPO prevents it from doing so, making sure that your clients’ installations are all the same version, which makes them easier to support and manage. You can use the MSI installer to roll out new versions as and when needed.
There’s another side to managing Skype: paying for it. The standard model for working with Skype is for each user to individually buy credit that can be used for calls. Skype now offers a Business control panel which can be used to manage all the users at a single company. You can use it to assign credit to individual accounts, and also get details of what calls have been made and what text messages users have sent. Accounts can be given quotas to keep spending under control. The control panel will also help you manage any numbers associated with a business Skype account, assigning dial-in numbers to individual Skype users and moving them between accounts as and when required.