Audio, video, and/or desktop sharing with Skype for Business (SfB) does not work when the following conditions are true:
SfB uses multiple protocols when establishing connections, connecting to meetings and sharing content. Two protocols used when audio, video, or desktop sharing is part of a Skype meeting are Session Initiation Protocol (SIP) and Traversal Using Relay NAT (MS-TURN) over Pseudo-TLS. Both of these protocols use the SSL port but either do not follow the SSL protocol completely or use a protocol within SSL that is not HTTPS. When these protocols are sent through a ProxySG or Advanced Secure Gateway appliance, they could be disconnected or fail because SIP and MS-TURN is not following a protocol specification that the proxy understands.
A new feature was added to the ProxySG that allows detection and correct processing of SIP and MS-TURN traffic. With this feature, audio, video, and desktop sharing with SfB meetings work without issues when a ProxySG or Advanced Secure Gateway appliance is processing the traffic. This feature is available in SGOS 6.5.10.4.
Notes:
See article 000032599 which includes information on added support for OCSP/CRL check processing which is also part of the SfB feature and is needed for being able to log into SfB and/or join meetings.
Step 1 - Enable protocol detection
After upgrading the appliance to a release with the new feature, services must be modified to ensure that protocol detection is enabled. This is needed for SIPS and MS-TURN traffic passing through those services to be detected.
Step 2 - Trigger protocol detection for SSL interception
Next, add/modify policy that triggers protocol detection for SSL interception. Optionally, block unknown protocols using SSL.
Step 3 - (Recommended) Add CPL to deny unknown protocols using SSL
When policy includes the object configured in Step 2, the appliance STunnels unknown protocols using SSL. This behavior is different from using the HTTPS interception object which responds with an error when an unknown protocols uses SSL. To emulate the HTTPS interception object behavior while still being able to use SSL interception with automatic protocol detection, add the CPL in this step.
If you are running a release that does not support SIP and MS-TURN protocol detection, refer to the following workarounds.
To prevent SIP requests from failing, install SNI-based bypass policy with SSL intercept (SGOS 6.5.6.1 and later):
<ssl-intercept>
url.host.substring=url_substring ssl.forward_proxy(no)
ssl.forward_proxy(https)
Where url_substring is:
To prevent MS-TURN requests from failing, enable tunnel on protocol error using the CLI command:
#(config general) tunnel-on-protocol-error enable