When using a proxy (such as Sophos UTM) in Standard mode, enabling Skype is unfortunately not as simple as allowing the application in Application control. This article will take you through configuring Sophos UTM to allow Skype communication without issues.
By default, the category you need to allow for Skype is Email and Messaging, as it contains the subcategories Chat, Instant Messaging, Web Meeting, Web phone, etc.
Typically you would have already done this, but unfortunately it is usually not enough to get the Skype application working through the UTM.
The Skype application may start up and display the main window, but it will not be able to get online. You will be stuck with the rotating blue dot with white arrows.
Due to the way the Skype application works, you need to ensure that Skype can communicate with the Skype servers without being subject to web filtering, AV scans, extension blocking and so on. To do this:
There are a few settings to check in Skype itself:
** Depending on your environment, you might have to specify credentials, but in a typical Windows domain environment where everything is configured for AD SSO, it is not required.
If everything works, then great! You are all done. If it does not, keep reading to learn how to troubleshoot this issue.
The Skype application does some interesting things when connecting to the Skype servers. The best way to see exactly what it is up to is to run a trace using Sophos UTM's Web Protection live log and track the traffic.
The Skype application starts off as you would expect, sending requests to multiple Microsoft sites, as well as to the public certificate authorities.
The initial traffic is allowed through because of the allowed web categories for the user.
The proxy then challenges the user for authentication with a status code 407. The client then resends the request with the authentication included, and it is allowed through.
The second phase is what requires the exception. You will notice traffic as follows:
[7608]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.90.18.181" dstip="" user="" ad_domain="" statuscode="407" cached="0" profile="REF_HttProContaMgmt1Netwo (Default)" filteraction=" ()" size="2503" request="0x876c2000" url="https://220.127.116.11/" referer="" error="" authtime="8" dnstime="0" cattime="0" avscantime="0" fullreqtime="277" device="0" auth="2" ua=""
There are a few strange things here:
The list of IP URLs imported earlier is what has worked for me. Your instance of Skype may be connecting to different servers due to geographic boundaries. Adding your own is easy though.
The regular expression I used is a simple one that is easy to modify as required.
To update your list of subnets you would only be changing the middle section. Once you have added the additional ranges, restart Skype and it should work. If not, repeat the troubleshooting steps in order to cover all the required IP ranges.
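As an added example (not part of the original article and not Sophos tooling), the following Python script picks the pattern shown in the log line above, CONNECT requests to bare-IP URLs answered with 407 and an empty user field, out of saved live-log lines and groups the destinations by /24, so the exception list can be limited to ranges actually observed. The function names are hypothetical, and the sample lines are constructed with documentation address ranges and trimmed fields.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# key="value" pairs as they appear in the Web Protection log line above.
FIELD = re.compile(r'(\w+)="([^"]*)"')
# URL whose host is a literal IPv4 address (optional port), as in the log above.
IP_URL = re.compile(r'^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/|$)')


def unauthenticated_ip_connects(lines):
    """Yield destination IPs of CONNECT requests to bare-IP URLs that were
    answered with 407 and carry no authenticated user."""
    for line in lines:
        f = dict(FIELD.findall(line))
        if f.get("method") != "CONNECT" or f.get("statuscode") != "407" or f.get("user"):
            continue
        m = IP_URL.match(f.get("url", ""))
        if not m:
            continue  # hostname URL: covered by category rules, not IP exceptions
        try:
            yield ip_address(m.group(1))
        except ValueError:
            continue  # not a valid address, e.g. an octet above 255


def candidate_subnets(lines, prefix=24):
    """Return [(subnet, hits)] for the observed destinations, busiest first."""
    counts = Counter()
    for ip in unauthenticated_ip_connects(lines):
        counts[str(ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return counts.most_common()


# Constructed sample lines (documentation address ranges, trimmed fields).
SAMPLE = [
    'method="CONNECT" srcip="10.90.18.181" user="" statuscode="407" url="https://203.0.113.17/"',
    'method="CONNECT" srcip="10.90.18.181" user="" statuscode="407" url="https://203.0.113.44/"',
    'method="CONNECT" srcip="10.90.18.181" user="" statuscode="407" url="https://198.51.100.9:443/"',
    'method="CONNECT" srcip="10.90.18.181" user="jdoe" statuscode="200" url="https://203.0.113.17/"',
    'method="GET" srcip="10.90.18.181" user="jdoe" statuscode="200" url="http://www.example.com/"',
    'method="CONNECT" srcip="10.90.18.181" user="" statuscode="407" url="https://login.example.com/"',
]

if __name__ == "__main__":
    for subnet, hits in candidate_subnets(SAMPLE):
        print(f"{subnet}\t{hits} unauthenticated CONNECT(s)")
```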
I hope this helps anyone else having issues getting Skype to work over Sophos UTM, or any other Standard Proxy.