cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
McAfee Employee smasnizk
McAfee Employee
Report Inappropriate Content
Message 21 of 23

Re: How Do I Selectively Control Skype with McAfee Web Protection?

This is more or less what i can confirm from my own experience with skype. Microsoft will argument that skype is a consumer product and isn't designed to be used in corporate networks. The solution is Skype for Busines.

-Sergej

McAfee Employee jebeling
McAfee Employee
Report Inappropriate Content
Message 22 of 23

Re: How Do I Selectively Control Skype with McAfee Web Protection?

McAfee Employee jebeling
McAfee Employee
Report Inappropriate Content
Message 23 of 23

Re: How Do I Selectively Control Skype with McAfee Web Protection?

Even Skype for Business (SfB) is a huge problem for web gateway control if SSL scanning is enabled (which it should be as now more than 50% of all web traffic is encrypted).

First, the current client will not accept even certs that are rewritten by a trusted certificate authority unless the rewritten cert includes OCSP and CRL information.

Secondly SfB runs non-HTTPS traffic (MS-TURN and SIP) using port 443 after the certificate has been verified by the client.

And thirdly, SfB requires on premise Skype servers with Internet access to essentially proxy the UDP and TCP SfB traffic that runs on ports other than 80 and 443, otherwise you have to open many additional holes in your firewall.

Regardless, you cannot currently use any web proxy to actually inspect Skype Consumer or Skype for Business traffic to any reasonable effect.

Furthermore the accommodations for allowing either version of Skype through a web proxy necessitates opening significant security holes as the proxy needs to take any indicators for inspection bypass directly from the client application with no verification. So, if a piece of malware assumes that the proxy is configured to allow Skype (either with exceptions to SSL scanning or no SSL scanning at all), then it can simply format its command, control, and exfiltration traffic to mimic MS-TURN and or SIP control traffic and by doing so completely avoid inspection unless rigorous certificate verification is performed on the web gateway which of course becomes even more challenging in transparent proxy deployments as there is nothing to enforce the client using SNI. (Yet another reason to use explicit proxy and client agents wherever possible)

McAfee ePO Support Center Plug-in
Check out the new McAfee ePO Support Center. Simply access the ePO Software Manager and follow the instructions in the Product Guide for the most commonly used utilities, top known issues announcements, search the knowledgebase for product documentation, and server status and statistics – all from within ePO.