When using a proxy (such as Sophos UTM) in Standard mode, enabling Skype is unfortunately not as simple as allowing the application in Application control. This article will take you through configuring Sophos UTM to allow Skype communication without issues.

Step 1. Allow the Correct Web Categories

By default, the category you need to allow for Skype is Email and Messaging, as it contains the subcategories Chat, Instant Messaging, Web Meeting, Web phone, etc.

Typically you would have already done this, but unfortunately it is usually not enough to get the Skype application working through the UTM.

The Skype application may start up and display the main window, but it will not be able to get online. You will be stuck with the rotating blue dot with white arrows.

 

Step 2. Create a Web Protection Exception

Due to the way the Skype application works, you need to ensure that Skype can communicate with the Skype servers without being subject to web filtering, AV scans, extension blocking and so on. To do this:

  1. Browse to Web Protection | Filtering Options | Exceptions Tab
  2. Click + New Exception List
  3. Name: Skype
  4. Check all the boxes for Skip these Checks
  5. For Request: Select Matching these URLs
  6. Click the Menu Icon and select Import
  7. Paste the following list and click Import
     • ^https://(111\.221\.74\.)([0-9]{1,3})
     • ^https://(111\.221\.77\.)([0-9]{1,3})
     • ^https://(157\.55\.130\.)([0-9]{1,3})
     • ^https://(157\.55\.235\.)([0-9]{1,3})
     • ^https://(157\.55\.56\.)([0-9]{1,3})
     • ^https://(157\.56\.52\.)([0-9]{1,3})
     • ^https://(213\.199\.179\.)([0-9]{1,3})
     • ^https://(64\.4\.23\.)([0-9]{1,3})
     • ^https://(65\.55\.223\.)([0-9]{1,3})
     • ^https://(91\.190\.218\.)([0-9]{1,3})
     • ^https://(90\.48\.45\.)([0-9]{1,3})
  8. Click Save to create and save the exception
  9. Ensure the Exception is enabled
Step 3. Configure Skype Connection Settings

There are a few settings to check in Skype itself:

  1. In Skype, open Tools | Options | Advanced | Connection (navigation may vary depending on your Skype version)
  2. Ensure the checkbox for Use port 80 and 443 for additional incoming connections is checked
  3. Ensure Automatic proxy detection is selected
  4. Do not specify credentials for authentication**
  5. Save and restart Skype

** Depending on your environment, you might have to specify credentials, but in a typical Windows Domain environment where everything is configured for AD SSO it is not required.

If everything works, then great! You are all done. If it does not, keep reading to learn how to troubleshoot this issue.

Troubleshooting Skype Connections through Sophos UTM

The Skype application does some interesting things when connecting to the Skype servers. The best way to see exactly what it is up to is to run a trace using Sophos UTM's Web Protection live log and track the traffic.

The Skype application starts off as you would expect, sending requests to multiple Microsoft sites, as well as to the public certificate authorities.

The initial traffic is allowed through because of the allowed web categories for the user.

The proxy then challenges the user for authentication with status code 407. The client then resends the request with the authentication included, and it is allowed through.

The second phase is what requires the exception. You will notice traffic as follows:

    2015:12:14-12:21:22 sutm01-1 httpproxy[7608]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.90.18.181" dstip="" user="" ad_domain="" statuscode="407" cached="0" profile="REF_HttProContaMgmt1Netwo (Default)" filteraction=" ()" size="2503" request="0x876c2000" url="https://109.161.215.125/" referer="" error="" authtime="8" dnstime="0" cattime="0" avscantime="0" fullreqtime="277" device="0" auth="2" ua=""
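
An added example (not from the original article or from Sophos) that parses the trace line above, checks its URL against the Step 2 exception patterns, and compares those patterns with a variant anchored at the end of the address. It assumes the exception regex is matched against the URL as it appears in the log's url field; the `tighten` helper and its suffix are this example's own suggestion, and the two URLs in the demo loop are constructed.

```python
import re

# Address prefixes from the Step 2 import list; each pattern is rebuilt in
# exactly the form the article gives, e.g. ^https://(64\.4\.23\.)([0-9]{1,3})
PREFIXES = ["111.221.74", "111.221.77", "157.55.130", "157.55.235",
            "157.55.56", "157.56.52", "213.199.179", "64.4.23",
            "65.55.223", "91.190.218", "90.48.45"]
PAGE_PATTERNS = [r"^https://(%s\.)([0-9]{1,3})" % re.escape(p) for p in PREFIXES]

# The trace line from the article, abridged to the fields used here.
TRACE = ('2015:12:14-12:21:22 sutm01-1 httpproxy[7608]: id="0003" '
         'name="http access" action="pass" method="CONNECT" '
         'srcip="10.90.18.181" statuscode="407" url="https://109.161.215.125/"')

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_fields(line):
    """Return the key="value" pairs of one httpproxy log line as a dict."""
    return dict(FIELD_RE.findall(line))

def matching_exception(url, patterns):
    """Return the first pattern that exempts url from checks, or None."""
    for pattern in patterns:
        if re.search(pattern, url):
            return pattern
    return None

def tighten(pattern):
    """Assumed hardening: the address must end at a port, a slash or end of URL."""
    return pattern + r"(:[0-9]+)?(/|$)"

def triage(line, patterns):
    """Classify a log line: is a 407'd CONNECT covered by the exception list?"""
    fields = parse_fields(line)
    if fields.get("method") != "CONNECT" or fields.get("statuscode") != "407":
        return "ignore"
    covered = matching_exception(fields.get("url", ""), patterns)
    return "covered" if covered else "not covered"

if __name__ == "__main__":
    print("trace line:", triage(TRACE, PAGE_PATTERNS))
    strict = [tighten(p) for p in PAGE_PATTERNS]
    # Constructed URLs: a literal IP, and a host name that only begins like one.
    for url in ("https://157.55.56.10/", "https://157.55.56.10.example.invalid/"):
        print(url, "| as imported:", bool(matching_exception(url, PAGE_PATTERNS)),
              "| anchored:", bool(matching_exception(url, strict)))
```

The address in the trace falls outside every listed range, so the exception as imported does not cover it. Because the exception skips all checks, the anchored form keeps it limited to literal IP addresses rather than any host name that begins with the same digits.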