I want Skype to work, but my clients connect to the cloud service over IPsec. Allowing this requires some back-end policy changes per customer.
IMPORTANT: You must understand the risk before creating a change control request for this policy change.
RISKS: The policy change leaves open a small window for exploits. If a piece of software discovers the proxy and uses IP addresses instead of DNS names in its CONNECT requests, SSL inspection does not occur. Normally, malicious attempts do not use valid certificates, or they use some protocol other than SSL on port 443. The IP addresses still go through the Web Security Service, but if no rating exists for the IPs, they might expose themselves. You must understand and accept the risk associated with using this solution.
The deployment uses IPsec, which is a transparent proxy method and does not use the CONNECT requests that an explicit deployment uses.
This is only for regular Skype, not Skype for Business.
Problem description: Skype is designed to be a peer-to-peer communication solution. As such, it can communicate over ports 80 and 443, but when it communicates over port 443, it doesn't necessarily communicate using SSL. For security reasons, the cloud service proxy checks traffic traversing port 443 to ensure it is SSL traffic. If an invalid certificate is passed, if no certificate is passed, or if the traffic is not 443 traffic, the cloud proxy denies the traffic. Because Skype can communicate with any other node in the world, there is no way to whitelist any number of IPs for Skype. Skype's design makes it difficult to control.
Please contact Support for assistance, because back-end policy changes must take place for Skype to work.
After the back-end changes take place, please do the following:
The end user must manually configure a proxy in Skype. To configure a proxy in Skype:
Select the "Use port 80 and 443 for additional incoming connections" box.
The default Proxy setting is "Automatic proxy detection". Change it to: HTTPS.
Save and restart Skype.
Clients can log in to Skype, assuming their policy allows Chat/IP Telephony and the None category is not blocked. If there are issues during their testing, create a rule for one user at the top of the policy that allows all traffic, and see if that works. Depending on the results, the policy may need to be reviewed to determine what is preventing Skype from working.
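To keep an eye on the window described under RISKS once the change is live, proxy access logs can be reviewed for CONNECT requests whose target is an IP literal rather than a DNS name. The following is an added example, not part of the original article or the service's own tooling; the log layout (timestamp, client IP, method, target) is an assumption and the sample lines are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample access-log lines. Assumed layout (not the service's real
# export format): "<timestamp> <client_ip> <method> <target>"
SAMPLE_LOG = """\
2024-01-10T09:00:01Z 10.1.1.20 CONNECT login.example.com:443
2024-01-10T09:00:03Z 10.1.1.20 CONNECT 203.0.113.45:443
2024-01-10T09:00:04Z 10.1.1.31 GET http://www.example.org/index.html
2024-01-10T09:00:07Z 10.1.1.20 CONNECT [2001:db8::17]:443
2024-01-10T09:00:09Z 10.1.1.31 CONNECT 198.51.100.7:33033
2024-01-10T09:00:11Z 10.1.1.20 CONNECT 203.0.113.45:443
malformed line
"""

def split_target(target):
    """Split 'host:port' or '[v6]:port' into (host, port); None if unparsable."""
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host.strip("[]"), int(port)

def is_ip_literal(host):
    """True when the CONNECT host is an IPv4/IPv6 address, not a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_ip_connects(log_text):
    """Count CONNECT requests to IP literals, keyed by (client, ip, port)."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        # Skip malformed lines and anything that is not a CONNECT request.
        if len(fields) != 4 or fields[2].upper() != "CONNECT":
            continue
        parsed = split_target(fields[3])
        if parsed and is_ip_literal(parsed[0]):
            hits[(fields[1], parsed[0], parsed[1])] += 1
    return hits

if __name__ == "__main__":
    for (client, ip, port), n in find_ip_connects(SAMPLE_LOG).most_common():
        print(f"{client} -> {ip}:{port} x{n}")
```

Skype itself will produce many such entries after the proxy is configured, so the output is most useful for spotting clients other than the expected Skype users.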
Imported Document ID: 000022754