Skype/Office365 Problems with SSL Proxy
-
This is a follow-up to an old post I saw on the boards, but the issue is still present for those who may encounter it.
Original post: https://forum.pfsense.org/index.php?topic=87154.0
I have Office365 in use for a customer and also have a squid SSL proxy for the internal business VLANs. When trying to run Lync/Skype for Business it will fail to connect; however, disabling the SSL proxy seems to resolve the issue.
After looking at the proxy logs and the Lync tracing files I found the following problem/solution.
Problem: Microsoft uses several load-balanced servers, so the IP addresses are not always the same for someserver.online.lync.com. Wildcards do not necessarily work correctly in pfSense (you can sort of make it work by pointing it to one IP; however, this removes the load-balanced redundancy of Microsoft and potentially allows it to stop working if that one IP address is ever unreachable).
Lync Online URLs
*.online.lync.com
*.onmicrosoft.com
*.infra.lync.com
*.lync.com

Your Company URLs (may vary)
sip.yourdomain.com
lyncdiscover.yourdomain.com

After reviewing the tracing file from the Lync client I found the following URLs were trying to be reached on port 443.
webdir1a.online.lync.com
sipdir.online.lync.com
sipfed1A.online.lync.com
sippoolbn11a07.infra.lync.com

Although I initially attempted to simply add these to my "Proxy_Bypass_Hosts" alias, it did not work since the IPs would vary from what unbound initially saw upon startup. What I saw in the squid log were random destination IP addresses trying to connect on port 443 (no DNS name showed for the IPs).
Solution: Using Robtex.com and each of the above URLs I could see the block of ranges associated with the domains. After checking these I simply added the ranges to my "Proxy_Bypass_Ranges" alias and Lync connected without a problem.
sipdir.online.lync.com
131.253.128.0/17
132.245.0.0/16
23.103.128.0/17
66.119.144.0/20

sippoolbn11a07.infra.lync.com
131.253.128.0/17

webdir1a.online.lync.com
sipfed1A.online.lync.com
134.170.0.0/16

I've always used two proxy bypass aliases for this specific reason. I had to do the same thing for Netflix.
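
As an added example (not part of the original post), this Python sketch checks which bare-IP CONNECT destinations on port 443 in a Squid access log fall inside the ranges listed above and which would still pass through the SSL proxy. The log lines are constructed samples in Squid's native access.log layout, and the name `audit_connects` is hypothetical.

```python
import ipaddress
import re

# Ranges the post added to its "Proxy_Bypass_Ranges" alias.
BYPASS_RANGES = [ipaddress.ip_network(n) for n in (
    "131.253.128.0/17", "132.245.0.0/16", "23.103.128.0/17",
    "66.119.144.0/20", "134.170.0.0/16",
)]

# Constructed sample lines in Squid's native access.log layout (not real traffic).
SAMPLE_LOG = """\
1450000001.101    312 192.168.10.25 TCP_MISS/200 4312 CONNECT 132.245.48.10:443 - ORIGINAL_DST/132.245.48.10 -
1450000002.202    120 192.168.10.25 TAG_NONE/503 0 CONNECT 203.0.113.77:443 - HIER_NONE/- -
1450000003.303    450 192.168.10.31 TCP_MISS/200 9911 CONNECT 131.253.130.5:443 - ORIGINAL_DST/131.253.130.5 -
1450000004.404     95 192.168.10.31 TCP_MISS/200 1200 CONNECT www.example.com:443 - HIER_DIRECT/198.51.100.9 -
1450000005.505    101 192.168.10.25 TAG_NONE/503 0 CONNECT 203.0.113.77:443 - HIER_NONE/- -
"""

# Fields: timestamp elapsed client result/status bytes CONNECT a.b.c.d:443
CONNECT_IP = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+CONNECT\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):443\s")

def audit_connects(log_text, ranges=BYPASS_RANGES):
    """Return (covered, still_proxied) for bare-IP CONNECT :443 destinations:
    covered maps dst -> matching range, still_proxied maps dst -> client set."""
    covered, still_proxied = {}, {}
    for line in log_text.splitlines():
        m = CONNECT_IP.match(line)
        if not m:
            continue  # hostname CONNECTs and plain HTTP are not the symptom
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # e.g. 999.1.1.1 passes the regex but is not an address
        net = next((n for n in ranges if dst in n), None)
        if net is not None:
            covered[str(dst)] = str(net)
        else:
            still_proxied.setdefault(str(dst), set()).add(m["client"])
    return covered, still_proxied

if __name__ == "__main__":
    covered, still_proxied = audit_connects(SAMPLE_LOG)
    for dst, net in covered.items():
        print(f"in bypass range  {dst} ({net})")
    for dst, clients in still_proxied.items():
        print(f"still proxied    {dst} from {sorted(clients)}")
```

Destinations left in the second map are the ones to look up before widening the alias, since every range added to it is exempt from inspection by the proxy.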
-
This is for Lync, but it worked for Skype too?
I've been having issues with Skype from December (2015) until now. My pfSense has squid3+Squidguard+Lightsquid in transparent mode + Man in the Middle (for HTTP & HTTPS filtering). I'm trying to bypass the Skype servers' IP addresses and nets but, until now, I have had no luck… "Unable to connect with Skype" shows when I open Skype. If I bypass from the proxy the IP of the PC where Skype is running, Skype works without trouble; when I remove the bypass, the issue comes back.
Any advice or tips (or a cheatsheet) are welcome :D
Thanks in advance.