Controlling access to Consumer Skype with the ProxySG



Article ID: 165620


Products

ProxySG Software - SGOS

Issue/Introduction

How do I control user access to Consumer Skype?
I would like to implement user-based access control for Consumer Skype.
What is the best way to block or prevent Consumer Skype?

Note:  This article does not apply to Skype for Business.

Resolution

Using explicit Proxy deployment: 

The following was tested using Consumer Skype 4.2.x.  Please note that the Skype protocol and application behavior may change at any time.

1. On the firewall, block all outbound traffic except traffic from the proxy (most explicit proxy deployments should already be configured this way).

2. Step 1 forces Consumer Skype to fall back to the proxy settings taken from Internet Explorer (IE), since it can no longer reach other Skype nodes directly.

3. On the ProxySG, install the following CPL into a CPL layer in the VPM, or into the local policy file. For information on how to add CPL to the local policy file, please see 000010101. The local CPL to use should read:

 

<Proxy>
    DENY url.host.substring=skype
    ; The dots must be escaped: an unescaped "." is a regex wildcard that matches any character.
    DENY http.method=CONNECT url.regex="[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"

 

Alternatively, the following accomplishes the same and is the preferred form: url.host.is_numeric=yes matches only when the request host is a literal IP address, so it cannot misfire on a hostname that happens to contain dotted digits the way an unanchored regex can:

<Proxy>
    DENY url.host.substring=skype
    DENY http.method=CONNECT url.host.is_numeric=yes

 

Explanation of Code:

The first rule denies any request whose host contains "skype". With those hosts unreachable, Consumer Skype falls back to tunnelling over port 443 using HTTP CONNECT. The second rule denies any CONNECT request whose destination is a literal IP address rather than a hostname (FQDN).

When Consumer Skype cannot connect directly, it falls back to the proxy, attempts encrypted connections and tries to contact "super nodes", which are usually IP addresses stored in a file in the Skype folder. When observing normal user traffic, however, CONNECT requests to a bare IP address are very rare (well under 1% of requests): you almost never see "CONNECT 192.0.2.1". Instead, what is normally observed is "CONNECT example.com", for example. That is what makes a CONNECT-to-IP rule a usable signal for Skype with little effect on other traffic.

With the above CPL code in place, Consumer Skype will open but never connect. Almost all other traffic is untouched.

The CPL rules can also be made to apply to certain users and groups only, while allowing access to others.
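The following is an added example of that user- and group-scoped form; it is not part of the original article. It assumes an authentication realm named corp_ldap and a group named Skype-Allowed, both hypothetical, and reuses the two conditions from the article's second policy.

```cpl
; Added example (not from the original article). The realm name "corp_ldap"
; and the group name "Skype-Allowed" are assumptions; substitute your own.

; Lines inside a define condition block are ORed; conditions on one line are ANDed.
define condition consumer_skype_signals
    url.host.substring=skype
    http.method=CONNECT url.host.is_numeric=yes
end

; Users must be authenticated before user= or group= conditions can match.
<Proxy>
    authenticate(corp_ldap)

; Within a layer the first matching rule wins: members of the exempt group
; are allowed, everyone else is denied, and requests that match neither
; Skype signal fall through untouched.
<Proxy>
    ALLOW condition=consumer_skype_signals group="Skype-Allowed"
    DENY  condition=consumer_skype_signals
```

The form of the group value depends on the realm type (a short group name for some realms, a full DN for LDAP), so check the realm configuration before using it in policy. Keeping the two Skype signals in a single named condition also makes it easier to add exceptions for the false positives mentioned under the caveats below without duplicating the rule set.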

 

Caveats:

1. This method could stop working at any time, because Consumer Skype is closed source and its protocol and fallback behaviour are not documented.

2. This method may have collateral damage on other applications. Some enterprise environments with custom-built applications may run into issues, and some forms of IM may break. However, it is much easier to make exceptions for these because, unlike Consumer Skype, they are not peer-to-peer in nature: their destination IPs are easily obtained and can be added to a whitelist (for example, an ALLOW rule for those destinations placed before the DENY rules).

3. Transparently deployed proxies cannot use the above method. In a transparent deployment the HTTP CONNECT method is not used, so SSL interception would have to be enabled in order to see inside the port 443 traffic. However, because Consumer Skype's traffic on port 443 is not valid SSL, the proxy will "break" the connection Consumer Skype is attempting, and the application simply loses connectivity rather than being controlled. In essence, it is not possible to control Consumer Skype in transparent mode; the application must be set to explicit proxy mode.

Lastly, please note that further tweaking of the policy may be necessary to avoid false positives (that is, the policy blocking applications other than Consumer Skype). Reviewing the access log for denied CONNECT requests to numeric hosts is the quickest way to find them.