There are issues with Skype through a ProxySG or wanting to deploy Skype to users who access the Internet through a ProxySG appliance.
This includes Skype (Free edition). Skype for Business Formerly Microsoft LYNC would be better handled with 6.7.x SGOS and would also be included with the about Imoperability Article
There are effectively two issues presented by Skype's design:
Skype uses a proprietary SSL exchange that, when SSL interception is used on the ProxySG, can cause Skype traffic to fail. If SSL traffic for Skype is bypassed or tcp tunneled through the unit, connections will function. This is a security mechanism that can only be overcome by forcing the proxy globally into a non-secure state by using tunnel on protocol error. Not only is this not secure, there is no guarantee it will work and is directly not recommended to resolve issues with Skype
Skype uses unique ciphers and encryption algorithms or versions that are so rare in the wild/undisclosed to the public that the ProxySG does not support them.
Additionally, the Skype desktop application ignores explicit proxy settings. Whether this is design or not has never been disclosed by Microsoft.
The best option is to consult Microsoft Support for assistance, as their application is proprietary, non publicly documented, and is capable of changing at any time Microsoft chooses. Their own documentation will defer you to a Microsoft certified technician for assistance with setting up Skype Free Version with a Proxy.
The most effective workaround is to TCP tunnel the application through the proxy. This is problematic for the following reasons:
1. The IP's and URL's in use can only be determined from observation as Microsoft does not publicly disclose this information. These are also subject to change without notice. 2. With Explicit proxy, the Skype application likely will not reliably continue explicit communication, which will cause oddities based on some tcp sockets owned by the proxy while others owned only by the client
Otherwise, you should disable SSL decryption against the Skype URLs and IPs depending on your deployment type (Explicit is best with URL while Transparent is best with IP)
There are other non-secure best effort methods that you can employ. As these deployment and configuration methods are insecure, they are offered for your information only. They are listed in the following KB articles:
If none of the above solutions meet your organization's security criteria, Blue Coat suggests that you contact Microsoft to suggest continued improvement of the Skype application to function in a proxy environment.
Imported Document ID: 000031040
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe