Because Microsoft uses non standard HTTP/HTTPS connections the Sophos XG Firewall's HTTP scanning feature has the potential to prevent Skype for business from working or may cause random call drops. This article explains how to allow this traffic through the XG without being scanned. The following sections are covered:
Applies to the following Sophos products and versions Sophos Firewall
There are two different methods to bypass HTTPS Scanning on Skype for Business. The first method requires creating web exceptions and using regular expressions to cover all of the domains provided by Microsoft. The FQDN list is located at Office 365 URLs and IP address ranges. This method may be easier to implement, especially if you are able to quickly add regular expressions but some scanning and other security/integrity checks may still compromise or stop communication with the Skype servers.
To get the best performance have the traffic completely bypass the web proxy with a new firewall rule. The new rule should be at the top of the list or at least above other rules that would modify Skype traffic.
To create a firewall rule to exclude Skype for Business from the web proxy:
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.