How To Allow Skype Through Sophos UTM in Standard Proxy Mode

When using a proxy (such as Sophos UTM) in Standard mode, enabling Skype is unfortunately not as simple as allowing the application in Application control. This article will take you through configuring Sophos UTM to allow Skype communication without issues.

Step 1. Allow the Correct Web Categories

By default, the Category you need to allow for Skype is Email and Messaging, as it contains the sub categories Chat, Instant Messaging, Web Meeting, Web phone etc.

Typically you would have already done this, but unfortunately it is usually not enough to get the Skype application working through the UTM.

The Skype application may start up and display the main window, but it will not be able to get online. You will be stuck with the rotating blue dot with white arrows.

Step 2. Create a Web Protection Exception

Due to the way the Skype application works, you need to ensure that Skype can communicate with the Skype servers without being subject to web filtering, AV scans, extension blocking and so on.  To do this:

1. Browse to  Web Protection | Filtering Options | Exceptions Tab
2. Click + New Exception List
3. Name: Skype
4. Check all the boxes for Skip these Checks
5. For Request : Select Matching these URLs
6. Click the Menu Icon and select import
7. Paste the following list and click Import
   • ^https://(111\.221\.74\.)(

[0-9]{1,3})- ^https://(111\.221\.77\.)([0-9]{1,3})

• ^https://(157\.55\.130\.)([0-9]{1,3})
• ^https://(157\.55\.235\.)([0-9]{1,3})
• ^https://(157\.55\.56\.)([0-9]{1,3})
• ^https://(157\.56\.52\.)([0-9]{1,3})
• ^https://(213\.199\.179\.)([0-9]{1,3})
• ^https://(64\.4\.23\.)([0-9]{1,3})
• ^https://(65\.55\.223\.)([0-9]{1,3})
• ^https://(91\.190\.218\.)([0-9]{1,3})
• ^https://(90\.48\.45\.)([0-9]{1,3})
• Click Save to create and save the exception
• Ensure the Exception is enabled

Step 3. Configure Skype Connection Settings

There are a few settings to check in Skype itself:

1. In Skype, open Tools | Options| Advanced | Connection (navigation may vary depending on your Skype version)
2. Ensure the checkbox for Use port 80 and 443 for additional incoming connections is checked
3. Ensure Automatic proxy detection is selected.
4. Do not specify credentials for authentication**
5. Save  and restart Skype

** Depending on your environment you might have to specify credentials but in a typical Windows Domain environment where everything is configured for AD SSO it is not required.

If everything works, then great! You are all done. If it does not, keep reading to learn how to troubleshoot this issue.

Troubleshooting Skype Connections through Sophos UTM

The Skype application does some interesting things when connecting to the Skype servers. The best way to see exactly what it is up to is to run a trace using Sophos UTM's Web Protection live log, and tracking the traffic.

The Skype application starts off as you would expect, sending requests to multiple Microsoft sites, as well as to the public certificate authorities.

The initial traffic is allowed through because of the allowed web categories for the user.

The proxy then challenges the user for authentication with a status code 407, and the Client then resends the request with the authentication included, and it is allowed through.

The second phase is what requires the exception. You will notice traffic as follows:

2015:12:14-12:21:22 sutm01-1httpproxy

					\[7608\]: id="0003" severity="info" 

sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.90.18.181" dstip="" user="" ad_domain="" statuscode="407" cached="0" profile="REF_HttProContaMgmt1Netwo (Default)" filteraction=" ()" size="2503" request="0x876c2000" url="https://109.161.215.125/" referer="" error=""  authtime="8" dnstime="0"cattime="0" avscantime="0" fullreqtime="277" device="0" auth="2" ua=""

There are a few strange things here:

• There is no destination ip
• The URL is an ip address https://109.x.x.x
• The User agent (UA) is blank
• The status code 407 – authentication request is never responded to by the Skype App

The list of IP URLs imported earlier is what has worked for me. Your instance of Skype may be connecting to different servers due to geographic boundaries. Adding your own is easy though.

The regular expression I used is a simple one that is easy modify as required.

^https://(111\.221\.74\.)(

[0-9]{1,3})

• ^https:// - means only match https and not http
• (111\.221\.74\.) – is a group matching the first three bytes of the IP address observed in the log. As . is a special regex character, you need \ in front of each . as an escape character.
• ([0-9]{1,3}) – allows any character 0-9 for one to three characters (the class C address)

To update your list of subnets you would only be changing the middle section. Once you have added the additional ranges, restart Skype and it should work. If not, repeat the troubleshooting steps in order to cover all the required IP ranges.

I hope this helps anyone else having issues getting Skype to work over Sophos UTM, or any other Standard Proxy.