McAfee Employee
Message 21 of 23

Re: How Do I Selectively Control Skype with McAfee Web Protection?

This is more or less what I can confirm from my own experience with Skype. Microsoft will argue that Skype is a consumer product and isn't designed to be used in corporate networks. The solution is Skype for Business.

-Sergej

McAfee Employee
Message 22 of 23

Re: How Do I Selectively Control Skype with McAfee Web Protection?

Also see this KB article: McAfee Corporate KB - How to configure McAfee Web Gateway to not scan Skype traffic KB89194

McAfee Employee
Message 23 of 23

Re: How Do I Selectively Control Skype with McAfee Web Protection?

Even Skype for Business (SfB) is a huge problem for web gateway control if SSL scanning is enabled (which it should be, as more than 50% of all web traffic is now encrypted).

First, the current client will not accept even certs that are rewritten by a trusted certificate authority unless the rewritten cert includes OCSP and CRL information.

Secondly, SfB runs non-HTTPS traffic (MS-TURN and SIP) over port 443 after the certificate has been verified by the client.

And thirdly, SfB requires on-premises Skype servers with Internet access to essentially proxy the UDP and TCP SfB traffic that runs on ports other than 80 and 443; otherwise you have to open many additional holes in your firewall.

Regardless, you cannot currently use any web proxy to actually inspect Skype Consumer or Skype for Business traffic to any reasonable effect.

Furthermore, the accommodations for allowing either version of Skype through a web proxy necessitate opening significant security holes, as the proxy needs to take any indicators for inspection bypass directly from the client application with no verification. So, if a piece of malware assumes that the proxy is configured to allow Skype (either with exceptions to SSL scanning or no SSL scanning at all), then it can simply format its command, control, and exfiltration traffic to mimic MS-TURN and/or SIP control traffic and by doing so completely avoid inspection, unless rigorous certificate verification is performed on the web gateway, which of course becomes even more challenging in transparent proxy deployments, as there is nothing to enforce the client using SNI. (Yet another reason to use explicit proxy and client agents wherever possible.)

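As an added example (not code from this thread or from McAfee), the check below illustrates the reply's point about port 443 carrying non-HTTPS traffic and about SNI being absent in transparent deployments: it classifies the first bytes a gateway sees on a 443 flow (raw, or the decrypted payload after SSL scanning) as a TLS ClientHello with or without SNI, a STUN/TURN message, SIP, or unknown, and flags which flows a defender would want to inspect rather than pass through on the client's say-so. The ClientHello builder, the hostname lync.example.com and the sample messages are constructed for the demonstration.

```python
import struct
from typing import Optional

STUN_MAGIC_COOKIE = b"\x21\x12\xa4\x42"  # RFC 5389: bytes 4..7 of every STUN/TURN header

def build_client_hello(sni: Optional[str]) -> bytes:
    """Build a minimal, constructed TLS ClientHello, optionally carrying an SNI extension."""
    ext = b""
    if sni is not None:
        name = sni.encode()
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_data = struct.pack("!H", len(sni_list)) + sni_list
        ext = struct.pack("!HH", 0, len(sni_data)) + sni_data       # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                    # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                      # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs          # record type 0x16 = handshake

def classify_port443_stream(data: bytes) -> dict:
    """Classify the opening bytes of a TCP/443 flow: tls (with sni), stun_turn, sip or unknown."""
    if len(data) >= 8 and data[4:8] == STUN_MAGIC_COOKIE and data[0] & 0xC0 == 0:
        return {"kind": "stun_turn", "sni": None}          # top two bits of a STUN header are zero
    if data[:4] in (b"SIP/", b"INVI", b"REGI", b"OPTI", b"SUBS"):
        return {"kind": "sip", "sni": None}                # plaintext SIP request/response line
    if len(data) < 43 or data[0] != 0x16 or data[5] != 0x01:
        return {"kind": "unknown", "sni": None}
    p = 43                                                 # record(5) + hs hdr(4) + version(2) + random(32)
    p += 1 + data[p]                                       # skip session id
    p += 2 + struct.unpack("!H", data[p:p + 2])[0]         # skip cipher suites
    p += 1 + data[p]                                       # skip compression methods
    sni = None
    if p + 2 <= len(data):
        ext_end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:                            # walk the extension list
            etype, elen = struct.unpack("!HH", data[p:p + 4])
            if etype == 0 and elen >= 5:                   # server_name: list len(2), type(1), name len(2)
                nlen = struct.unpack("!H", data[p + 7:p + 9])[0]
                sni = data[p + 9:p + 9 + nlen].decode("ascii", "replace")
            p += 4 + elen
    return {"kind": "tls", "sni": sni}

def needs_inspection(data: bytes) -> bool:
    """Policy from the defender's side: never trust framing alone. Non-TLS on 443 and
    TLS without SNI cannot be matched against a hostname exception, so they get inspected."""
    c = classify_port443_stream(data)
    return c["kind"] != "tls" or c["sni"] is None
```

Run against a constructed STUN Binding Request (`b"\x00\x01\x00\x00" + STUN_MAGIC_COOKIE + 12 bytes of transaction id`), a SIP INVITE line and the two ClientHello variants, only the SNI-bearing ClientHello is eligible for a hostname-based exception; the rest is what the reply warns a proxy must not wave through unverified.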