Enabling Skype to work with the Smoothwall web filter

Article #:

Product

Castle

KB-16

Web filtering

All

Summary

A guide to allowing Skype to work with the Smoothwall web filter

Problem

Depending on how your firewall or web filter is configured, you may experience problems allowing or blocking the Skype VOIP client.

Solution

These instructions will allow access, but will reduce the level of filtering and outbound Internet security on your network. A full technical explanation and the risks involved are given below under Technical details.

For Skype to work reliably you need to either:

Allow direct outbound access on your firewall for all TCP ports above 1024.

-- or --

Allow Skype via your Smoothwall Guardian by not filtering or inspecting HTTPS traffic to URLs that contain an IP address. The skype.com and connect.facebook.com domains are also accessed by the client and should not be blocked.

Technical details

Skype uses its own proprietary protocol based on a peer-to-peer network rather than the SIP protocol used by other VOIP systems. Skype's own recommendation for allowing access through firewalls is to open all TCP ports above 1024 ( https://support.skype.com/en-gb/faq/FA148/Which-ports-need-to-be-open-to-use-Skype ) or to open outbound ports 80 and 443. By default the client will try to detect your OS/browser proxy settings and use those if direct outbound access is unavailable.

Under the connection settings (Tools > Options > Advanced > Connection) you can also manually specify your proxy settings and basic proxy authentication details. From our own research we have found that Skype will attempt to make direct UDP and TCP connections to peers by IP address on any port above 1024. If that fails, it will attempt to connect via a configured proxy and reach peers on HTTPS port 443, again using their IP addresses.

From an Internet security and web filtering point of view this causes problems. If you do as Skype suggests and allow all outbound access to TCP ports above 1024 to any destination address, you will also be allowing other applications that communicate on those ports, such as P2P file sharing applications and web filter bypass proxies such as Ultrasurf. If you leave those ports closed and force Skype to use your Smoothwall web filter instead, this can also cause problems: if you are blocking "All HTTPS sites which contain an IP address" or have any HTTPS certificate inspection or interception policies in force on the traffic, the Skype traffic will still be blocked.

As Skype uses randomly selected peer addresses, you cannot simply bypass these policies by whitelisting individual peers. Instead you would need to disable those policies entirely or whitelist all URLs containing an IP address. However, this will reduce your level of web filtering and may allow access to some HTTPS web filtering bypass sites.
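Because whitelisting all HTTPS URLs that contain an IP address widens what the filter lets through, it helps to audit which clients actually make such requests before and after the policy change. The following is an added example, not Smoothwall code: it assumes the proxy log is available in a Squid-native-style layout (an assumption, not a documented Smoothwall format), and the sample lines are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample lines, assumed Squid-native-style field order:
# time elapsed client action/status bytes method target user hierarchy type
SAMPLE_LOG = """\
1493020800.101 5021 10.0.0.15 TCP_TUNNEL/200 4312 CONNECT 203.0.113.45:443 - HIER_DIRECT/203.0.113.45 -
1493020801.220 88 10.0.0.15 TCP_TUNNEL/200 9120 CONNECT www.skype.com:443 - HIER_DIRECT/198.51.100.7 -
1493020802.300 12 10.0.0.22 TCP_DENIED/403 0 CONNECT 198.51.100.90:443 - HIER_NONE/- -
1493020803.410 4400 10.0.0.15 TCP_TUNNEL/200 2200 CONNECT [2001:db8::10]:443 - HIER_DIRECT/2001:db8::10 -
1493020804.000 30 10.0.0.31 TCP_MISS/200 512 GET http://example.com/ - HIER_DIRECT/192.0.2.8 text/html
1493020805.500 7000 10.0.0.15 TCP_TUNNEL/200 800 CONNECT 192.0.2.77:8443 - HIER_DIRECT/192.0.2.77 -
"""

def split_target(target):
    """Split a CONNECT target 'host:port' or '[v6addr]:port' into (host, port)."""
    host, _, port = target.rpartition(":")
    return host.strip("[]"), int(port)

def is_ip_literal(host):
    """True when the host is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def ip_literal_connects(log_text, port=443):
    """Count HTTPS CONNECTs to IP-literal hosts, keyed by (client, allowed)."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue  # only tunnelled HTTPS requests are of interest
        try:
            host, dport = split_target(fields[6])
        except ValueError:
            continue  # malformed target, skip the line
        if dport == port and is_ip_literal(host):
            allowed = not fields[3].startswith("TCP_DENIED")
            hits[(fields[2], allowed)] += 1
    return hits

if __name__ == "__main__":
    for (client, allowed), n in sorted(ip_literal_connects(SAMPLE_LOG).items()):
        print(client, "allowed" if allowed else "blocked", n)
```

Clients that appear in the allowed counts but do not run Skype are the ones to review, since they are using the exemption for something else.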

Attribution:

Last updated:

Author:

Contributions by:

24 April 2017

Copyright © 2000-2016 Smoothwall All rights reserved.