I also had some "bad time" with skype traffic through webwasher. The way that I see things, is that webwasher can analyse web traffic and not VOIP that's why the issue occurs. I had played a lot with different ports and so on, but finally I decided to setup a socks proxy on Webwasher, and through the command line to allow access to some users to use it.
Ok.. thats not the best solution, but it was a way to resolve my issue, as not all users were allowed from the organization's policy to use skype.
The problem with Skype is that it connects randomly to many different IP addresses, not skype.com. You can see this behavior by looking at an access log when a skype client is trying to get out under Reporting > View Log Files, then view the HTTP access log. In cases that I have seen it would use their traffic (not sure if its VOIP or what) within a SSL tunnel, also, most of these sites have invalid certificates, which does not bode well when SSL scanning is enabled.
If you look at http://community.mcafee.com/thread/21070, user PhilM gives a very long description of his troubles with Skype in general, not pertinant to Web Gateway (Webwasher) but still useful.
In regards to Webwasher, if you wanted you could setup a separate proxy port with a policy assigned to that port, that does not have SSL scanning enabled, this will allow the traffic to pass without being inspected by the SSL scanner. To restrict access you could set the 'Allow access from' to be only the client IP addresses that you allow to use Skype. Then in the skype client you would need to configure a proxy:port manually. You could configure this "skype" policy like you do any other policy so URL filtering is still enabled.
The SOCKS proxy is also an option but isn't as easy as it is not configurable from the GUI.
could you describe exactly what needs to be done here, please? We have a transparent proxy environment and authentication (PBR on FW, port forwarding on WW proxy), both http and https proxy enabled, 2 policies used to completely block certain AD users and allow the rest. Skype must be allowed for these, but it only works if https proxy disabled.
So, I can add port 1080 for example, create a new policy Skype, assign it to this port - what next? How do I bypass or tunnel Skype traffic based on a policy?
If it can't be done through GUI, please describe how to do it via SOCKS.
In my previous post, I have described what needs to be done. Both cases require configuring of skype, you can find how to configure the SOCKS proxy in our KB (https://kc.mcafee.com/corporate/index?page=content&id=KB64595).
Let me know exactly what you had questions on, and perhaps how I can clarify the steps.
Hi All, i have some problems with Skype. And have solutions for this? I need allow skype through web gateway proxy. So could you tell me how to config? Thanks!
i took a look at a wireshark trace. I saw the following error message from MWG.
The SSL handshake could not be performed
<b>Host: </b>188.8.131.52<br />
<b>Reason: </b>error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
As shown MWG is not able to make the SSL Handshake. This must be in this way because skype is using a non RFC compliant SSL communication.
I build a Rule in the SSL Scanner Ruleset where "broken SSL Handshakes" are allowed.
As a security concern, the ruleset should be modified to allow only specific clients to use skype. Because when adding the ruleset any "curious" SSL handshake is allowed.
As stated in thread: https://community.mcafee.com/message/305443#305443
I'm just noticing this now, but for everyone who created a rule using "SSL.Server.Handshake.CertificateIsRequested" should not being doing this.
In effect, you are just bypassing SSL scanning in the event that a client certificate is NOT requested (which is most SSL traffic).