Intermittent issue with Consumer Skype access when connecting transparently with SSL interception enabled.
Article ID: 168670
Updated On:
Products
Issue/Introduction
Intermittent issue with Consumer Skype access when connecting transparently with SSL interception enabled.
Note: This article does not apply to Skype for Business.
Cause
The problem is caused by the interception mechanism that the SSL proxy uses. In order for the proxy to inspect the protocol on port 443, it has to intercept the connection; this involves replying to a SYN packet from the Consumer Skype client with a SYN-ACK. This can break the Skype login because the Consumer Skype application probes a list of nodes or supernodes. The SYN-ACK from the proxy causes the Consumer Skype to assume the node is up when it may not be, because it's the ProxySG responding, not the node. When the ProxySG attempts to connect to the node requested by the client, there might be a case where that particular Skype node/supernode is down. This will cause the Consumer Skype client to fail the log in process.
Resolution
Change the HTTPS service from SSL to TCP Tunnel, with protocol detection enabled.
Under Proxy Settings > General, Enable TCP Tunnel requests when a protocol error detected.
Install the following CPL policy into the Local policy file:
ALLOW request.header.User-Agent="WinINet HttpStack/15" policy.Disable_PD
ALLOW condition=Skype_URLs policy.Disable_PD
url.host.is_numeric=yes request.header.User-Agent=!".*" policy.Disable_PD
define condition Skype_URLs
url.domain=//skype.com/
url.domain=//skypeassets.com/
end
define Proxy policy Disable_PD
<Proxy>
detect_protocol[ssl, https](no)
end
To install this policy, please follow these steps:
- Select Configuration > Policy > Policy Files.
- Select Install Local File from, change the drop down from Remote URL to Text Editor and click Install.
- Paste the above policy just below anything that might already be there.
- Click Install.
Feedback
