disturbedone
Vendor
I'm the IT manager at a school. We have a proxy server, Netbox Blue, that does both HTTP and HTTPS inspection (something that most do not) and it's the HTTPS inspection that cause a problem with Skype.
Windows users have a Group Policy that forces Internet Explorer, and therefore anything within Windows, to use the direct proxy connection of Netbox by using a .pac file. This scenario works perfectly.
Users of mobile devices connect to WiFi and can be a mixture of Android, iOS and Windows. Because these devices cannot be controlled by Group Policy there is no way to force the direct proxy settings. Because of this I have configured our Cisco core router with a policy to route any traffic on that VLAN on ports 80 & 443 to the transparent proxy connection of Netbox (different to the transparent proxy). Because our Cisco ASA5520 firewall blocks all ports that are not specified Skype attempts to use 80/443 even though it does not use the HTTP or HTTPS protocols and because of this Netbox is unable to handle the traffic. This to me says it's a Skype problem - it should not be using 80/443 as it is not HTTP/HTTPS but I understand the reason is that those ports are likely to be open as everyone will be connected to the Internet and most won't have a proxy server.
Getting users to enter proxy server details in the application is out of the question - it's too hard to manage and instruct users and when they go offsite they'll need to change it again.
Netbox have a way to trace the IP addresses that Skype is connecting to and configure the proxy to bypass anything going to these addresses. the problem is that the list is now 500+ and grows as Skype continually tries to connect to new addresses. Managing this is time consuming and pointless. There must be an easier way.
I've heard that Skype will attempt to connect to "high numbered ports" and if they're open through the firewall then it will not attempt to connect on 80/443. But I can't find what these ports are. I've also seen that these ports vary depending on which Skype server it connects to ie it's not as simple as just opening eg TCP/40000.
Anyone know how to resolve this issue?
Windows users have a Group Policy that forces Internet Explorer, and therefore anything within Windows, to use the direct proxy connection of Netbox by using a .pac file. This scenario works perfectly.
Users of mobile devices connect to WiFi and can be a mixture of Android, iOS and Windows. Because these devices cannot be controlled by Group Policy there is no way to force the direct proxy settings. Because of this I have configured our Cisco core router with a policy to route any traffic on that VLAN on ports 80 & 443 to the transparent proxy connection of Netbox (different to the transparent proxy). Because our Cisco ASA5520 firewall blocks all ports that are not specified Skype attempts to use 80/443 even though it does not use the HTTP or HTTPS protocols and because of this Netbox is unable to handle the traffic. This to me says it's a Skype problem - it should not be using 80/443 as it is not HTTP/HTTPS but I understand the reason is that those ports are likely to be open as everyone will be connected to the Internet and most won't have a proxy server.
Getting users to enter proxy server details in the application is out of the question - it's too hard to manage and instruct users and when they go offsite they'll need to change it again.
Netbox have a way to trace the IP addresses that Skype is connecting to and configure the proxy to bypass anything going to these addresses. the problem is that the list is now 500+ and grows as Skype continually tries to connect to new addresses. Managing this is time consuming and pointless. There must be an easier way.
I've heard that Skype will attempt to connect to "high numbered ports" and if they're open through the firewall then it will not attempt to connect on 80/443. But I can't find what these ports are. I've also seen that these ports vary depending on which Skype server it connects to ie it's not as simple as just opening eg TCP/40000.
Anyone know how to resolve this issue?
