Netgate Discussion Forum

    Skype unable to connect behind ssl transparent proxy (Squid3 + squidguard)

      chidgear

      Hi all!
      Long time no see. I had my pfSense working flawlessly for some time, and I was very happy with it until something weird started to happen…
      Since the last week of 2015, Skype has had issues when connecting from a computer that is behind the pfSense transparent proxy (squid3 with SSL filtering) and squidguard.
      The issues are:
      - If an older version of Skype is used, Skype gets auto-updated, connects, and, if I write a text message, Skype reports that the text messages could not be delivered, but the user on the other side gets the messages, with a random delay, but the user gets them (even if the program says the opposite).
      - If the account was set up in the older version to autologin, it logs on normally, but the issue described above repeats.
      - If someone logs out from Skype to log in again, or is trying to log in for the first time in the updated Skype, the message "Sorry, we couldn't connect to Skype" appears. If I press the retry button, Skype flashes but the message appears again.

      Doing some tests, I deactivated squidguard (sometimes, at the start, it gave me trouble) but the result was the same. Then I deactivated "Squid3 https/ssl filtering" and the issue was gone, so I found the source of the problem: the SSL filtering.
      Since I'm using an SSL transparent proxy (man in the middle), I used the "pfsense CA certificate" method. On some websites it has failed, showing a handshake error, so I bypassed that site by obtaining its IP address and ranges and putting them into the "Bypass Proxy for These Destination IPs" field (using an alias). It has worked for Dropbox too, so I tried it with Skype.
      Currently, I have run out of verified addresses. The text messages are now marked as delivered, but if I log out, it becomes impossible to log in again; the "sorry, we couldn't connect to skype" message appears.
      Now the question is:
      Does anyone know how to solve this issue without losing the HTTPS filtering? (I need to filter HTTPS websites.) I think I'm missing something…
      From what I know, Microsoft made a change in their servers not long ago, but I don't know if this affected services like Skype when their packets are opened by the proxy and re-packaged using the proxy certificate...

      I was advised to use WPAD but, currently, I haven't got a PC to use for testing it (I don't want to test it directly on the running pfSense, since it's being used by nearly 70 users every day).

      Greetings, and thanks in advance! :D

        chidgear

        Okay, I'm partially answering myself (this isn't over yet), but in case someone finds it useful, here is some progress I made.

        Looking on other forums and internet articles, I found a buddy having similar trouble, caused by his Skype version. Once it was ruled out that their Windows and IE versions were the problem, one user said:

        What do you see now when you open this link in your Internet Explorer?

        https://apps.skypeassets.com/static/skype.client.login/3.0/3.30/release/login.html

        This gave me an idea… I tried it on a restricted machine and voilà! It showed the IPs I needed in the Squid error screen saying that there was a handshake error. I put the IPs in the bypass and Skype worked again. I can log in and out anytime, and send messages without the message saying that they cannot be delivered.
        (It could change over time, but as of today, these were the IP addresses):

        23.73.247.53
        23.2.99.20
        23.11.250.157
        
        

        all of them provided (in one way or another) from apps.skypeassets.com

        I added these IPs and the FQDN apps.skypeassets.com to the bypass, and the login issue was over. Now there is another issue.
        Files cannot be sent, and I can't see all my contacts in real time. I guess this is a matter of the Skype cloud, so I'll keep digging. If someone wants to help, or has some information about the Skype cloud IPs, I'll be grateful.

        0_0)b Good luck!

        references: Sorry, we couldn't connect to skype. please check …

          killmasta93

          Remember something: don't block 443 or 80. Tutorials say to do it so people won't change the proxy settings to use system settings.

          But instead create an alias, give the users that are naughty a static IP, and restrict them to not use 443 and use the transparent proxy for port 80.

          Tutorials:

          https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

            aman0999

            chidgear Thanks

            Your logic worked for me using SSL with transparent mode, and Skype is working fine,
            including group conversation + file send / receive.

            This is all we need to do, as Microsoft added some IPs in its AS number network IP series.
            Use this to find them:
            whois -h whois.radb.net '!gAS198015'

            The link is here; you get the info.
            http://bgp.he.net/AS198015#_asinfo

            Cheers !!!!
            ;) :) :) :) :) 8)

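One way to turn the reply from the `whois -h whois.radb.net '!g…'` query above into a bypass alias and check it against the IPs seen in Squid handshake errors; this is an added example, not part of the original posts. It assumes the IRRd `A<length>` / `C` reply framing; the function names are hypothetical, and the sample reply, prefixes and IPs are constructed documentation values, not real AS198015 data.

```python
import ipaddress

# Constructed IRRd "!g" reply using documentation prefixes (not real AS data).
# Assumed framing: "A<byte length>", one line of space-separated prefixes, "C".
# A lone "C" means success with no data, "D" key not found, "F <text>" an error.
SAMPLE_REPLY = "A44\n192.0.2.0/25 192.0.2.128/25 198.51.100.0/24\nC\n"


def parse_irr_prefixes(reply):
    """Return the networks listed in an IRRd '!g' reply, validating each one."""
    lines = reply.strip().splitlines()
    if not lines:
        raise ValueError("empty reply")
    status = lines[0]
    if status in ("C", "D"):
        return []
    if status.startswith("F"):
        raise ValueError("IRR query failed: " + status[1:].strip())
    if not status.startswith("A") or lines[-1] != "C":
        raise ValueError("unexpected reply framing")
    # strict=True rejects prefixes with host bits set, so a mangled reply
    # cannot silently widen the bypass list.
    return [ipaddress.ip_network(tok, strict=True)
            for tok in " ".join(lines[1:-1]).split()]


def build_alias(nets):
    """Collapse adjacent and overlapping prefixes into the shortest list."""
    return list(ipaddress.collapse_addresses(nets))


def uncovered(ips, alias):
    """IPs from Squid handshake-error pages that the alias does not bypass."""
    return [ip for ip in ips
            if not any(ipaddress.ip_address(ip) in net for net in alias)]


if __name__ == "__main__":
    alias = build_alias(parse_irr_prefixes(SAMPLE_REPLY))
    print("alias entries:", ", ".join(str(n) for n in alias))
    # Constructed destination IPs standing in for ones read off the error page.
    print("still intercepted:", uncovered(["192.0.2.77", "203.0.113.9"], alias))
```

Every prefix in the alias is exempt from SSL filtering, so rerunning the check when the registry data changes keeps the exemption no wider than the published routes.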

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.