- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x
The Skype client is able to connect successfully to the Skype network even if the client only has access to the Internet through an HTTP/HTTPS proxy server. Customers want to block skype connections, but the URL filter does not offer such an option.
Skype establishes HTTPS sessions directly to destination IP adresses, this is a rather unusual behaviour since most applications are addressing their destination for HTTPS sessions by their hostname.
The HTTP-proxy is able to filter HTTPS request that do have an IP address as destination. To make the proxy do so, you have to add the following lines to your HTTP proxy advanced configuration:
# Prevent Skype connecting HTTPs using CONNECT requests to IP addresses
acl CONNECT method CONNECT
acl NUMERIC-IPS url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+
http_access deny CONNECT NUMERIC-IPS all
# Prevent Skype connecting http
acl SKYPE-UA browser Skype
http_access deny SKYPE-UA
# Prevent anyone to download anything from skype website
acl SKYPE-DOMAIN dstdomain skype.com
http_access deny SKYPE-DOMAIN
Note:
These additions cause the HTTP proxy server to block all HTTPS requests that have an IP address as their destination. This may have negative effects on other applications that are setting up HTTPS connections via the proxy server.