Re: [fw-wiz] Skype through a firewall?

On 8/25/06, Paul D. Robertson <paul@xxxxxxxxxxxx> wrote:
On Thu, 24 Aug 2006, Kevin wrote:
Is anybody permitting Skype through a HTTP or SOCKS proxy?
I've been instructed to "make Skype work", and short of opening up the

Whenever you have a "this application must work," you should look at what
the actual requirement is...

I wish I could.

Unfortunately, when a request comes down from a personality spoken of
primarily by their three-letter first name, bearing the title "SVP/
CTO $REMOTESITE", the actual requirement is that the buzzword-friendly
Skype desktop application must work. No excuses.

If I could show Skype itself (or the firewall policy changes to enable
it) pose "an immediate threat to the security, performance or
stability of the corporate intranet", then I can use policy to say no,
even to a SVP or CTO.

What little I know from my own testing and from published research is
that the binary is encrypted and debugger-resistant, as is the
protocol, and that the P2P nature of Skype makes me very
uncomfortable. But that's not enough to deny this V(I)P's request.

outbound policy to permit TCP and UDP to every possible destination IP
on every possible port, the next best thing seems to be to use the
HTTPS and SOCKS5 proxy settings included in most platforms/versions of

Opening a HTTPS proxy for Skype requires at a minimum permitting
outbound "CONNECT" to every possible destination IP on port 443, and
disabling any IPS or other device which might detect that the protocol
running across port 443 isn't really SSL. Many proxy gateways
currently don't inspect the protocol, this is how Skype works through
Squid and other web proxies.

I'm running into some odd issues while trying to write a reasonable
proxy policy for Skype and still have reliable calling and reasonable
audio quality.

Any hints?

1. Terminal Service to a TS in the DMZ with the client loaded.

Thanks, that's an interesting idea.
I know RDP can route audio outbound to the client, but how do I get
the microphone audio back out?

2. Asterisk PBX in the DMZ as a gateway (much more fun) with IAX2 or SIP
client access from the LAN. Do all the conference bridge stuff on
Asterisk and gateway a single Skype call at a time if you need to using
psgw_linux ($20.)
3. Deny the request as unreasonablely out of kilter with the security
policy in place and make them do the requirement over.

See above :(

firewall-wizards mailing list

Relevant Pages

  • Re: [fw-wiz] Skype through a firewall?
    ... Then you've failed policy 101. ... Skype desktop application must work. ... applications to work through the firewall, ... Opening a HTTPS proxy for Skype requires at a minimum permitting ...
  • Re: Patch-Bloedsinn, eine Anfrage!
    ... gegen sämtliche Sicherheitsvereinbarungen in seinem Arbeitsvertrag, ... Aber nimm dem System auf dem Skype läuft die blind akzeptierende default ... Route und den fehlerhaft abgesicherten Proxy weg und schon steht's. ...
  • Re: Ausschliesslich Skype erlauben
    ... Naja, bei Unis hat sich wohl die Auffassung durchgesetzt, daß ... Provider fungieren. ... Klar ist, daß es keinen sicheren proxy für Skype geben wird, solange das ...
  • Re: Not able to allow skype
    ... week ago I saw in the monitoring that it's trying to go over port 33033. ... Sometimes you are able to sign in to skype but not to call. ... will have trouble then connecting from home with a proxy filled in. ... Can it be something to do with the webproxy filter which is on for http ...
  • Re: Newsgroup filtering with host server software
    ... Well, in China, I have no problem using Skype through my private ... my proxy, then change my browser settings to use it. ... her a login and password to my encrypted proxy. ...