I want Skype to work when my clients connect to the cloud service over IPSec


Article ID: 168303


Products

Web Security Service - WSS

Issue/Introduction

I want Skype to work, but my clients connect to the cloud service over IPSec.
Allowing this requires some back-end policy changes per customer.

IMPORTANT: You must understand the risk before creating a change control request for this policy change.

RISKS: The policy change leaves open a small window for exploits to occur. If a piece of software discovers the proxy and uses IP addresses instead of DNS names in its CONNECT requests, SSL inspection does not occur. Normally, malicious attempts do not use a valid certificate, or they use some protocol other than SSL on port 443. The IP addresses still go through the Web Security Service, but if no rating exists for the IPs, they might expose themselves. You must understand and accept the risk associated with using this solution.
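
One way to watch for the condition described under RISKS, as an added example that is not part of the original article or the product: a Python script that scans proxy request lines and flags CONNECT requests whose target is an IP literal rather than a DNS name. The log layout (client IP followed by the request line) and the sample lines are constructed for illustration; adapt the parsing to your own access-log format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: "<client-ip> <request line>". Not a real WSS log format.
SAMPLE_LOG = """\
10.1.1.20 CONNECT www.example.com:443 HTTP/1.1
10.1.1.20 CONNECT 203.0.113.45:443 HTTP/1.1
10.1.1.31 CONNECT [2001:db8::7]:443 HTTP/1.1
10.1.1.31 GET http://www.example.org/ HTTP/1.1
10.1.1.20 CONNECT 198.51.100.9:80 HTTP/1.1
10.1.1.44 CONNECT 999.example.net:443 HTTP/1.1
"""

# CONNECT target is host:port; the host may be a bracketed IPv6 literal.
CONNECT_RE = re.compile(r"^(\S+) CONNECT (\[[^\]]+\]|[^\s:]+):(\d{1,5}) HTTP/\d\.\d$")


def connect_ip_target(line):
    """Return (client, ip, port) if line is a CONNECT to an IP literal, else None."""
    m = CONNECT_RE.match(line.strip())
    if not m:
        return None  # not a CONNECT request, or malformed
    client, host, port = m.group(1), m.group(2).strip("[]"), int(m.group(3))
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # DNS name, so not the case the RISKS paragraph describes
    return client, str(ip), port


def audit(log_text):
    """Collect IP-literal CONNECTs in order and count them per client."""
    hits = [h for h in map(connect_ip_target, log_text.splitlines()) if h]
    per_client = Counter(client for client, _, _ in hits)
    return hits, per_client


if __name__ == "__main__":
    hits, per_client = audit(SAMPLE_LOG)
    for client, ip, port in hits:
        print(f"{client} -> {ip}:{port} (CONNECT by IP literal)")
    for client, n in per_client.most_common():
        print(f"{client}: {n} CONNECT-by-IP request(s)")
```

Clients that are not expected to run Skype but show up in the per-client count are the ones to review first.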

Cause

Problem description: Skype is designed to be a peer-to-peer communication solution. As such, it can communicate over ports 80 and 443, but when it communicates over port 443, it doesn't necessarily communicate using SSL. For security reasons, the cloud service proxy checks traffic traversing port 443 to ensure it is SSL traffic. If an invalid certificate is passed, if no certificate is passed, or if the traffic is not 443 traffic, the cloud proxy denies the traffic. Because Skype can communicate with any other node in the world, there is no way to whitelist any number of IPs for Skype. Skype's design makes it difficult to control.

Environment

The deployment uses IPsec, which is a transparent proxy and does not use the CONNECT requests that are used in an explicit deployment.

This is only for regular Skype, not Skype for Business.

Resolution

Please contact Support for assistance, as back-end policy changes must take place in order for Skype to work.

After the back-end changes take place, please do the following:

The end user must manually configure a proxy in Skype. To configure a proxy in Skype:

  1. Tools > Connection Options > Advanced > Connection
  2. Input port 80 for the incoming connection
  3. Select the "Use port 80 and 443 for additional incoming connections" box
  4. The default Proxy setting is Automatic proxy detection. Change it to: HTTPS
  5. Host: ep.threatpulse.net
  6. Port: 80
  7. Save and restart Skype

Clients can log in to Skype, assuming their policy allows Chat/IP Telephony and the None category is not blocked. If there are issues during testing, create a rule for one user at the top of the policy that allows all traffic, and see if that works. Depending on the results, the policy may need to be reviewed to determine what is preventing Skype from working.