Denying Instant Messenger Protocols via Policy Based Rule’s

Below is a list of the main Instant Messenger applications (including ports and destinations) for the denial of use via policy based rules.

Please note : With creating policy based rules the following rules will be required,

  1. Destination any with a service port of the below ports (excluding http and https)
  2. Destination of the below with a service port of http/https.
Protocol  Port Destination
IRC tcp 6665-9n/a  
MSN tcp 1863
Yahoo tcp 5050
tcp 5000-1
tcp 5100
AOL tcp 5190
Google Talk tcp 5222
Skypetcp/udp 1024-65535


Skype can be extremely difficult to block due to the way in which the Skype protocol functions.

The Skype protocol is designed by default to circumvent conventional firewall blocking methods. It will attempt to connect via ephemeral ports UDP/TCP 1024-65535, if connection via any ports within these ranges fail it will attempt to connect out using HTTP or HTTPS.

The only way to block this traffic is via payload inspection, which is typically performed via IDS/IPS engines.
Due to the initial server / client message exchange being non-SSL, denying payloads which include the value 0x170310000 will prevent the establishment of Skype.

Rick Donato

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial