How to free skype?

Question

How to free skype? 
 
 We have skype released for some user however skype accesses more does not send messages

Edson Siqueira · Answer

Hi everyone, 
 
 I found a solution to this issue: 
 
 Go to "Application" > "Application Fliter" > take a look of the "Filters" on this tab and edit all to see wich one have the "Skype" and "uncheck them. 
 
 In my case this works fine, but I had to open all "Filters" to found and disable the block of skype.

If any one have another solution, please send to us.

Edson Siqueira · Answer

Hi everyone, 
 
 Look at this screenshots and knows how to allow Skype others applications that Sophos Firewall can block/allow. 
 
 What we have to be in mind is that Sophos XG Firewall take the application layer (OSI model), the most of application can be block or allow in this "firewall filter". 
 
 I also put here the screnshot of "Log Viewer" there you can see whats is going on the Sophos XG Firewall.

I hope to help you guys... 
 
 PS.: If you try to allow Skype or others application by IP, URL, Domain, Port or something, this will take a lot of time and may not works. Skype for example use a lot of Ports, IP, URL and Microsoft DNS to go to internet.

tejas dhotre · Answer

SOLUTION 
 
 Providing workaround for the Skype VOIP issue as follows,

Creating below FQDN list on XG

tr001.skype-edf.akadns.net 
 
 1.dr.skype-cr.akadns.net 
 
 2.dr.skype-cr.akadns.net 
 
 3.dr.skype-cr.akadns.net 
 
 4.dr.skype-cr.akadns.net 
 
 5.dr.skype-cr.akadns.net 
 
 6.dr.skype-cr.akadns.net

Creating new network/user rules prior to the one configured to decrypt HTTPS traffic. Adding above FQDN object as destination and make sure that you uncheck &ldquo;Decrypt & Scan HTTPS&rdquo;.

Re-dial phone or video on Skype again.

I have tried this workaround and it seems to be workable. If possible, please try again in your lab environment. 
 
 Please do not use web exception to do this because Skype using IP address to connect to their server instead of hostname, and they make the connection through CDN. Hence, using IP address as the rule of bypass won&rsquo;t work.

sachingurung · Answer

Hi Maviael, 
 I think you are trying to allow access to Skype, check which FW-rule blocks the skype connection. Verify the application filter configured within the rule and allow the Skype signature. You can try packet capture option in XG to learn the FW rule ID. 
 Thanks

Aditya Patel · Answer

Hi Jason, 
 In the HTTPS Scanning exceptions could you add these URLS mentioned below. 
 api.skype.com Business apps.skype.com Business community.skype.com download.skype.com login.skype.com pipe.skype.com secure.skype.com www.skype.com www.skypeassets.com 
 
 Also allow access to these subnets: 
 91.190.216.0/255.255.255.0 
 91.190.218.0/255.255.255.0

sachingurung · Answer

Hi Jason, 
 Check #1 in my guide here . Try to make a call and check if you capture any drops. 
 Thanks

Aditya Patel · Answer

Hi ALL, 
 We have a Known issue with Skype at the moment and the BUG ID NC-14551, In the mean time we have a Work Around , kindly follow the steps 
 Step1: Go to Web > Exceptions > Add Exceptions 
 Step 2 : Select Web Site Categories > Add new item >IP address 
 Step 3: Check on HTTPS Decryption and save . 
 Make sure the rule is enabled.

saspus · Answer

Thank you for /dumpmsnp - very handy. 
 I've found that for iOS Skype this would not be enough. What made it work is the following: 
 1. Allow "Skype Services" and "Torrent Clients P2P" (for some reason it is detected as one) through Application policy 2. Add the following into Web Filtering Exceptions and skip HTTPS decoding AND malware scanning 
 ^([A-Za-z0-9.-]*\.)?microsoft\.com/ 
 ^([A-Za-z0-9.-]*\.)?skype\.com/ 
 ^([A-Za-z0-9.-]*\.)?trouter\.io\.?/ 
 ^login\.live\.com/ 
 ^rps\.trafficmanager\.net\.?/ 
 ^s\.gateway\.messenger\.live\.com/ 
 ^ssw\.live\.com/ 
 
 (note trouter.io and trafficmanager.net, all Microsoft domains) 
 I succeeded making Video and Audio calls from and to iOS 10 device with these settings. This seems to be minimum necessary set.