Intermittent issue with Consumer Skype access when connecting transparently with SSL interception enabled.

Article ID: 168670

Products

ProxySG Software - SGOS

Issue/Introduction

Intermittent issue with Consumer Skype access when connecting transparently with SSL interception enabled.

Note: This article does not apply to Skype for Business.

Cause

The issue is introduced by the interception mechanism that the SSL proxy uses. For the proxy to inspect the protocol going through port 443, it has to intercept the connection, which means answering the Consumer Skype client's SYN packet with a SYN-ACK at the TCP level. This can break Skype login because the Consumer Skype application probes a list of nodes or supernodes, and a SYN-ACK causes it to assume the node is up when it may not be: in reality it is the ProxySG responding, not the node. When the ProxySG then attempts to connect to the node requested by the client, that particular Skype node/supernode might actually be down. This would eventually cause the Consumer Skype client to fail login.
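The false positive described above can be reproduced on loopback. This is an added example, not code from the article or from the ProxySG: a plain Python listener stands in for the intercepting proxy, and the function names and the stricter end-to-end probe are assumptions made for illustration.

```python
import socket
import threading

def down_node():
    """Bound but never listening: a connect() to it is refused, like a node that is down."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    return s

def start_interceptor(upstream):
    """Stand-in proxy: the client's handshake completes before upstream is dialed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)  # from here on the kernel answers every SYN with a SYN-ACK

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was closed
            try:
                socket.create_connection(upstream, timeout=1).close()
            except OSError:
                pass  # only now does the proxy learn that the node is down
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv

def connect_probe(addr):
    """Liveness check that trusts a completed TCP handshake."""
    try:
        socket.create_connection(addr, timeout=1).close()
        return True
    except OSError:
        return False

def end_to_end_probe(addr):
    """Stricter check (assumption): the peer must also send at least one byte."""
    try:
        with socket.create_connection(addr, timeout=1) as c:
            return c.recv(1) != b""
    except OSError:
        return False

def demo():
    node = down_node()
    srv = start_interceptor(node.getsockname())
    proxy = srv.getsockname()
    return (connect_probe(node.getsockname()), connect_probe(proxy), end_to_end_probe(proxy))

if __name__ == "__main__":
    print(demo())  # (direct probe, probe via interceptor, end-to-end via interceptor)
```

The middle value is the false "node is up" result: the handshake succeeded only because the interceptor answered it.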

Resolution

Change the HTTPS service from SSL to TCP Tunnel, with protocol detection enabled, and, in Proxy Setting / General, enable TCP Tunnel requests when a protocol error is detected. This option is only available after SGOS 5.5.

Install the following CPL policy into the Local policy file:
 

<proxy>
ALLOW request.header.User-Agent="WinINet HttpStack/15" policy.Disable_PD
ALLOW condition=Skype_URLs policy.Disable_PD
url.host.is_numeric=yes request.header.User-Agent=!".*" policy.Disable_PD

define condition Skype_URLs
url.domain=//skype.com/
url.domain=//skypeassets.com/
end

define Proxy policy Disable_PD
<Proxy>
detect_protocol[ssl, https](no)
end

Note: If the ProxySG is running SGOS release 6.5.9.14, 6.5.9.15, 6.5.10.1 or 6.5.10.3, change 'detect_protocol [ssl,https](no)' to 'detect_protocol [ssl,https,sips,sip](no)'. See article TECH246796 for more details.

To install this policy, follow these steps:


  1. Select Configuration > Policy > Policy Files.
  2. Under Install Local File from, change the drop-down from Remote URL to Text Editor and click Install.
  3. Paste the above policy just below anything that might already be there.
  4. Click Install.