8 Replies Latest reply on Oct 8, 2013 10:50 AM by Jon Scholten

    Webwasher and Skype

      Hi everyone,

      I was wondering if you knew whether it is able to configure the web gateway to allow skype through.  I tried enabling tunneling for skype.com (I couldn't figure out any of their SIP Server IPs).  Any tips on how to go ahead with this?

        • 1. Re: Webwasher and Skype

          Hi Bittis,

          I also had some "bad time" with skype traffic through webwasher. The way that I see things, is that webwasher can analyse web traffic and not VOIP that's why the issue occurs. I had played a lot with different ports and so on, but finally I decided to setup a socks proxy on Webwasher, and through the command line to allow access to some users to use it.

          Ok.. thats not the best solution, but it was a way to resolve my issue, as not all users were allowed from the organization's policy to use skype.

          • 2. Re: Webwasher and Skype
            Jon Scholten

            The problem with Skype is that it connects randomly to many different IP addresses, not skype.com. You can see this behavior by looking at an access log when a skype client is trying to get out under Reporting > View Log Files, then view the HTTP access log. In cases that I have seen it would use their traffic (not sure if its VOIP or what) within a SSL tunnel, also, most of these sites have invalid certificates, which does not bode well when SSL scanning is enabled.

             

            If you look at http://community.mcafee.com/thread/21070, user PhilM gives a very long description of his troubles with Skype in general, not pertinant to Web Gateway (Webwasher) but still useful.

             

            In regards to Webwasher, if you wanted you could setup a separate proxy port with a policy assigned to that port, that does not have SSL scanning enabled, this will allow the traffic to pass without being inspected by the SSL scanner. To restrict access you could set the 'Allow access from' to be only the client IP addresses that you allow to use Skype. Then in the skype client you would need to configure a proxy:port manually. You could configure this "skype" policy like you do any other policy so URL filtering is still enabled.

             

            The SOCKS proxy is also an option but isn't as easy as it is not configurable from the GUI.

             

            ~Jon

            • 3. Re: Webwasher and Skype

              Hi Jon,

               

              could you describe exactly what needs to be done here, please? We have a transparent proxy environment and authentication (PBR on FW, port forwarding on WW proxy), both http and https proxy enabled, 2 policies used to completely block certain AD users and allow the rest. Skype must be allowed for these, but it only works if https proxy disabled.

               

              So, I can add port 1080 for example, create a new policy Skype, assign it to this port - what next? How do I bypass or tunnel Skype traffic  based on a policy?

               

              If it can't be done through GUI, please describe how to do it via SOCKS.

               

              Thanks.

              • 4. Re: Webwasher and Skype
                Jon Scholten

                Hey vnuk,

                 

                In my previous post, I have described what needs to be done. Both cases require configuring of skype, you can find how to configure the SOCKS proxy in our KB (https://kc.mcafee.com/corporate/index?page=content&id=KB64595).

                 

                Let me know exactly what you had questions on, and perhaps how I can clarify the steps.

                 

                ~Jon

                • 5. Re: Webwasher and Skype
                  smalldog

                  Hi All, i have some problems with Skype. And have solutions for this? I need allow skype through web gateway proxy. So could you tell me how to config? Thanks!

                  • 6. Re: Webwasher and Skype
                    Troja

                    Hi all,

                    i took a look at a wireshark trace. I saw the following error message from MWG.

                     

                    <td class="contentData">

                          The SSL handshake could not be performed

                    </td>

                    <td class="infoData">

                          <b>Host: </b>208.88.186.8<br />

                          <b>Reason: </b>error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

                    </td>

                     

                    As shown MWG is not able to make the SSL Handshake. This must be in this way because skype is using a non RFC compliant SSL communication.

                    I build a Rule in the SSL Scanner Ruleset where "broken SSL Handshakes" are allowed.

                     

                    As a security concern, the ruleset should be modified to allow only specific clients to use skype. Because when adding the ruleset any "curious" SSL handshake is allowed.

                     

                    Have fun,

                    cheers, Thorsten

                     

                    Skype_exclusion_SSL_Scanner.JPG

                    • 7. Re: Webwasher and Skype
                      smalldog

                      Thanks Thorsten!

                      • 8. Re: Webwasher and Skype
                        Jon Scholten

                        As stated in thread: https://community.mcafee.com/message/305443#305443

                         

                        I'm just noticing this now, but for everyone who created a rule using "SSL.Server.Handshake.CertificateIsRequested" should not being doing this.

                         

                        In effect, you are just bypassing SSL scanning in the event that a client certificate is NOT requested (which is most SSL traffic).

                         

                        Best,

                        Jon