Intermittent issue with Consumer Skype access when connecting transparently with SSL interception enabled.
Note: This article does not apply to Skype for Business.
The issue is introduced by the interception mechanism that the SSL proxy uses. To inspect the protocol going through port 443, the proxy has to intercept the connection, which involves answering a SYN packet from the Consumer Skype client with a SYN-ACK at the TCP level. This can break Skype login because the Consumer Skype application probes a list of nodes or supernodes, and a SYN-ACK causes it to assume the node is up when it may not be: in reality the ProxySG is responding, not the node. When the ProxySG then attempts to connect to the node requested by the client, that particular Skype node/supernode may actually be down. This eventually causes the Consumer Skype client to fail login.
Change the HTTPS service from SSL to TCP Tunnel, with protocol detection enabled, and, in Proxy Setting / General, enable TCP Tunnel requests when a protocol error detected. This option is only available after SGOS 5.5.
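The effect described above can be reproduced on loopback. The following is an added illustration in Python, not ProxySG code or vendor material: `intercepting_proxy`, `probe`, `login` and the `HELLO`/`OK` exchange are hypothetical stand-ins, and the proxy's own listening address stands in for the node address that transparent interception would answer for.

```python
import socket, threading
from contextlib import suppress

def listen(handler):
    srv = socket.create_server(("127.0.0.1", 0))  # kernel completes handshakes
    def loop():
        while True:
            conn, _ = srv.accept()
            with suppress(OSError), conn:  # dropped peer / dead upstream ends session
                handler(conn)
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()

def live_node(conn):
    if conn.recv(16):
        conn.sendall(b"OK")

def probe(addr):
    """Connect-only liveness check: True once the TCP handshake completes."""
    with socket.socket() as s:
        s.settimeout(2)
        return s.connect_ex(addr) == 0

def login(addr):
    """Handshake, send data, and require an answer from the node itself."""
    try:
        with socket.create_connection(addr, timeout=2) as s:
            s.sendall(b"HELLO")
            return s.recv(16) == b"OK"
    except OSError:
        return False

def intercepting_proxy(node):
    """Answers the client's SYN itself; contacts the real node only afterwards."""
    def handler(client):
        data = client.recv(16)
        if data:
            with socket.create_connection(node, timeout=2) as up:
                up.sendall(data)
                client.sendall(up.recv(16))
    return listen(handler)

def demo():
    dead = socket.socket()  # constructed "down node": bound, never listening
    dead.bind(("127.0.0.1", 0))
    paths = {"live direct": listen(live_node), "down direct": dead.getsockname()}
    paths["live via proxy"] = intercepting_proxy(paths["live direct"])
    paths["down via proxy"] = intercepting_proxy(paths["down direct"])
    return {name: (probe(a), login(a)) for name, a in paths.items()}
```

`demo()` returns a `(probe, login)` pair per path. Only the down node behind the proxy yields `(True, False)`: the handshake succeeds, so the client treats the node as up, but the session fails.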
Install the following CPL policy into the Local policy file:
define condition Skype_URLs
define Proxy policy Disable_PD
Note: If the ProxySG is running SGOS release 126.96.36.199, 188.8.131.52, 184.108.40.206 or 220.127.116.11, change 'detect_protocol [ssl,https](no)' to 'detect_protocol [ssl,https,sips,sip](no)'. See article TECH246796 for more details.
To install this policy, please follow these steps:
Select Configuration > Policy > Policy Files.
At Install Local File from, change the drop-down from Remote URL to Text Editor and click Install.
Paste the above policy just below anything that might already be there.
This article contains information previously documented in article 000016278.
Imported Document ID: 000025754