Processing Skype Through a ProxySG Appliance


Article ID: 169054


Updated On:

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

Please note that this article no longer contains our recommendations for Office 365 traffic processing and has been moved to an internal audience only.  Bypassing SSL and/or turning off protocol detection is not the recommendation.  The current recommendation for Skype for Business can be found in the Office 365 interoperability with ProxySG and ASG article.  Recommendations for Consumer Skype can be found in other articles such as:
Controlling access to Consumer Skype with the ProxySG
How to disable the Detect Protocol option for Consumer Skype on the ProxySG
Configuring User-based access control for Consumer Skype on the ProxySG using SOCKS
URLs and IPs used by Consumer Skype for ProxySG Policy Definition
 

You are experiencing issues with Skype through a ProxySG, or you want to deploy Skype to users who access the Internet through a ProxySG appliance.

This includes Skype (Free edition). Skype for Business (formerly Microsoft Lync) would be better handled with SGOS 6.7.x and is also covered by the interoperability article mentioned above.

Cause

There are effectively two issues presented by Skype's design:

  1. Skype uses a proprietary SSL exchange that can cause Skype traffic to fail when SSL interception is used on the ProxySG. If SSL traffic for Skype is bypassed or TCP tunneled through the unit, connections will function. This is a security mechanism that can only be overcome by forcing the proxy globally into a non-secure state by using tunnel on protocol error. Not only is this not secure, there is no guarantee it will work, and it is explicitly not recommended as a way to resolve issues with Skype.
  2. Skype uses unique ciphers and encryption algorithms or versions that are so rare in the wild, or undisclosed to the public, that the ProxySG does not support them.

 


Additionally, the Skype desktop application ignores explicit proxy settings. Whether this is by design or not has never been disclosed by Microsoft.

 

 

Resolution

The best option is to consult Microsoft Support for assistance, as their application is proprietary, not publicly documented, and can change at any time Microsoft chooses. Their own documentation will refer you to a Microsoft certified technician for assistance with setting up Skype Free Version with a proxy.



 

Workaround

The most effective workaround is to TCP tunnel the application through the proxy. This is problematic for the following reasons:

1.  The IPs and URLs in use can only be determined from observation, as Microsoft does not publicly disclose this information. These are also subject to change without notice.
2.  With explicit proxy, the Skype application likely will not reliably continue explicit communication, which will cause odd behavior because some TCP sockets are owned by the proxy while others are owned only by the client.


Otherwise, you should disable SSL decryption against the Skype URLs and IPs, depending on your deployment type (Explicit is best with URL, while Transparent is best with IP).