Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 0 subscribers
  • Views 40940 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos web appliance and Skype

Sarah77

Hi there everyone.

I'm trying to use Skype in my organisation through the Sophos web appliance but I'm not having much luck.

Sophos are telling me that they "do not support proxying Skype through the Sophos Web Appliance". Skype can't give me a list of https websites or IP addresses to add the the scanning exemption list.

Has anyone else managed this because I need to get this working. I can't just bypass the proxy server for Skype, what's the point of having a proxy server if you do that !!!

Surely someone else has had this issue??? Help please.

Thanks

Sarah

:29627


This thread was automatically locked due to age.
  • 0
    Sarah, are you still looking for some help with this?
    :32651
  • 0

    If she's not, then I am.

    It seemed to work a while ago on our network, but now it doesn't.

    It is a very occasionally used so it could have been months ago, but skype is going to be used across our organisation now.

    Even turning off https scanning has no effect for us.

    I have read recommendations to use a socks proxy, but can't find a way of configuring one in the WA web interface.

    I'm not even sure if it our WA or our router blocking it, so is there a way of turning off the WA filtering to test?

    Thanks.

    :32669
  • 0

    Problems with Skype usually occur when HTTPS scanning is enabled.  The problem is that the traffic that Skype sends over port 443 (or via the proxy on port 8080) is not actually HTTPS traffic.  It's Skypes' own protocol for doing voip, im, file transfer etc...

    Because it isn't proper HTTPS the Web Appliance can't decrypt this traffic, scan it, and put it back together.  

    Because the appliance can't scan this traffic there is actually little benefit in sending it through the proxy.  I'd recommend to allow the traffic directly out through your firewall.  For those in bridged/transparent mode you may need to stop Skype using port 80/443:   https://support.skype.com/en-gb/faq/FA148/which-ports-need-to-be-open-to-use-skype-for-windows

    Smasshed - I'm afraid the WA can't be used as a SOCKS proxy.  But, there shouldn't be a problem with HTTPS scanning off.  Do you know what mode you are using (bridged/transparent/explicit)?

    Thanks,

    Tom.

    :32989
  • 0

    I have it working here at our office with Skype.  I can't remember right off hand what I did to get it to work.  I know we had to add Skype's website to a global allow list.  I think we had to open up the ports for video conferencing on our firewall.  And it seems like we had to add Skypes secure certificate to the HTTPS Certificate Scanning portion of the web appliance.

    I can't remember it all or exactly what we did.  And it has been a few months since we got that working.  I am sure it is still working but I am not a regular Skype user.  It is used by 2 of our employees to video conference with each other.  I will have to check with them to see if they are even using it and if they are using it if it is even working.

    When you go to use Skype - check to see what is getting blocked from your web appliance reports.  If it is a specific IP address getting blocked - might have to open that IP Address and any related ports on your firewall as well.

    I know this is probably more of a benign informational, non-informational post.

    If I can remember or figure out what I did to get it working I'll post back.  But my memory and recollection will be extremely rusty.

    ON EDIT:

    I have skype.com and skypeassets.com as Globally Allowed for sure.  I'll keep checking my other setttings on this.

    :33283
  • 0

    Thanks TomA for your reply.

    The WA is in Explicit mode.

    As i stated, the HTTPS scanning is off. I also noticed that this seemed to block log me in as well when turned on.

    Our support has opened a port on our firewall in the 1xxxx range and i have entered this in to skype as the port number to use, but with no joy. I have also tryed manually stating the proxy, with and without auth, with and without the domain and every combo i could think of.

    I've also added skype.com and skypeassets.com as trusted sites in the local site list as per taekwanleap's suggesion.

    any other idea's?

    Thanks

    :33761
  • 0

    Hi Smasshed,

    Are you sure there is nothing being blocked by your browsing policy?  The best way to check is to:

    - Reproduce the problem

    - Login to web appliance

    - Wait 1 minute (for search to index)

    - Go to 'Search > By user'

    - Enter your username (domain\user) and click search

    - Look for any blocked or warned requests

    In particular if you are blocking 'Uncategorized' sites or using the 'Block public IP access' options then this will affect Skype, because Skype connects to various IP addresses (without using hostnames).

    I also tried out Skype here and can't reproduce a problem, assuming HTTPS scanning is disabled.   However, it does seem that Skype will try to send some traffic directly via default gateway even when proxy settings are explicitly set.  I wouldn't rule this out as the cause and you should probably check your firewall logs to see what Skype is doing.

    Hope this helps.

    Tom.

    :33813
  • 0

    Thanks Toma

    Those settings seem fine.

    I have had an engineer from our support company in today, and easynet on the phone with them.

    Easynet have detected a potencial problem.

    will update you if it gets fixed.

    Thanks.

    :34061
Unfiltered HTML