This document describes an implementation where only certain users are allowed to use Consumer Skype. Other articles are available which can control Consumer Skype access by client IP address;however, if user-based access control to Consumer Skype is required, you can use SOCKS to do so (post-SGOS 5.5.x versions no longer allow this directly through Visual Policy Manager). SOCKS simplifies the process and is also more reliable, although some manual configuration of Consumer Skype client is also needed, so the process is not completely transparent to the end user. This document also presents caveats and security considerations.
Note that the following implementation is just an example; you might need to tailor the process to suit your exact business needs.
Consumer Skype tries multiple methods to connect to the Internet. In most secure environments, the organization’s firewall is configured to block all outbound traffic except for the traffic that comes from the proxy. At a very basic level, your firewall should be configured as follows:
permit ip host 10.91.25.10 any
deny ip any any
where 10.91.25.10 is the IP address of the proxy. This configuration allows only the proxy to communicate externally and prevents Skype from bypassing the proxy.
Note: This document assumes that a working authentication realm is configured on the proxy. In this scenario, an IWA realm using BCAAA has been previously configured.
Enabling Detect Protocol allows you more granular control later, but if you enable this, also enable the TCP tunnel requests when a protocol error is detected option (Configuration > Proxy Settings > General). Consumer Skype uses non-standard traffic that must be tunneled in any case.
The “SOCKSAuthenticate” is a “SOCKS Authenticate…” option, using the previously created IWA realm.
At the time of writing, Consumer Skype natively supports SOCKS proxies. To enable this functionality in Skype, select Tools > Advanced > Connection.
Select the SOCKS5 option and enter the appropriate information including the user credentials, as follows:
Consumer Skype should now be able to connect, but if no username and password is provided, connectivity is denied.
The source and destination object can be modified as appropriate. In the previous example, the destination object is port 23 (telnet), and service has a client protocol of all SOCKS:
This denies connections to telnet servers through SOCKS.
If protocol detect is enabled, any web access rules you define pertaining to content filtering should still work (though most browsers do not support SOCKS with authentication).