Netgate Discussion Forum

Skype + SSL Interception + Squid in Non Transparent mode

  • D
    do1984
    last edited by Mar 29, 2019, 10:46 AM

    Hello guys.
    I've been struggling for a few days with this setup. We have pfSense 2.4.4, using SSL Interception and Squid in non-transparent mode (user auth). Skype used to work in the past, but some time ago we had a problem with our pfSense install and the backup.xml was old, so we had to build some "rules" again. Since Skype can't be used through a proxy anymore (8+ versions), we have to make it pass Squid, so I'd have to whitelist all the addresses it uses to connect. I captured the addresses through the "Real time" menu and whitelisted all of them. No luck doing that. Direct outgoing to 443 is blocked, and must remain that way (no direct connection allowed, with exceptions).
    Since I'm not using transparent mode, I can't just point the Skype addresses to bypass the proxy.
    I have captured through tcpdump a list of addresses the workstation tries to connect to and created LAN rules allowing all those networks to pass (an alias). But none of that worked and users still can't send messages. Sometimes the warning saying "Finish your Wi-Fi setup" doesn't show, but users still can't send / receive any messages.
    My Squid Whitelist now:
    client-s.gateway.messenger.live.com
    go.trouter.skype.com
    api.asm.skype.com
    config.edge.skype.com
    api.cc.skype.com
    login.live.com
    consumer.entitlement.skype.com
    msftconnecttest.com
    www.msftconnecttest.com
    onecs-live.azureedge.net
    wsapi.skype.com
    browser.pipe.aria.microsoft.com
    mobile.pipe.aria.microsoft.com
    avatar.skype.com
    edge.skype.com
    people.skype.com
    prod.registrar.skype.com
    trouter-eus2-b.trouter.skype.com
    api.aps.skype.com
    msgsearch.skype.com
    bn2-client-s.gateway.messenger.live.com
    options.skype.com
    api.mcr.skype.com
    static.asm.skype.com
    wdcp.microsoft.com
    wdcpalt.microsoft.com
    login.skype.com
    skype.com
    go.microsoft.com
    activation.sls.microsoft.com
    activation-v2.sls.microsoft.com
    validation.sls.microsoft.com
    validation-v2.sls.microsoft.com
    displaycatalog.mp.microsoft.com
    licensing.mp.microsoft.com
    purchase.mp.microsoft.com
    displaycatalog.md.mp.microsoft.com
    licensing.md.mp.microsoft.com
    purchase.md.mp.microsoft.com
    .microsoft.com
    livecmseastus.cloudapp.net
    .cloudapp.net
    .msn.com.akadns.net
    .aria.akadns.net
    .s-msedge.net

    Does anyone have a tip to make Skype work in this setup? Thanks!

    • M
      matyi.szabolcs @do1984
      last edited by matyi.szabolcs Jan 8, 2022, 8:29 PM Jan 8, 2022, 8:09 PM

      Hi @do1984 !

      Thanks for putting the list together. Works great for me!

      If you might need a WhatsApp list:

      # whatsapp
      .whatsapp.com
      .whatsapp.net
      web.whatsapp.com
      whatsapp.com
      c.whatsapp.net
      whatsapp
      

      Regards

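An added example, not part of either post: a small audit of how entries from the two lists above match under Squid's `dstdomain` semantics versus `dstdom_regex -i` semantics. The thread does not say which ACL type the whitelist is loaded as, so both are shown as assumptions; the hostnames tested are constructed, and the function names are hypothetical.

```python
import re

# Entries copied from the two lists in the thread (a subset).
ENTRIES = ["login.skype.com", "skype.com", "go.microsoft.com",
           ".microsoft.com", ".cloudapp.net", ".whatsapp.com", "whatsapp"]

# Constructed hostnames: two intended destinations, three look-alikes.
HOSTS = ["login.skype.com", "web.whatsapp.com", "notskype.com",
         "skype.com.example.net", "xmicrosoft.com.example.org"]


# Assumption: the list is loaded as one of these two Squid ACL types.
def match_dstdomain(entry, host):
    """Squid dstdomain: '.d' matches d and its subdomains, 'd' matches d only."""
    entry, host = entry.lower(), host.lower()
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def match_dstdom_regex(entry, host):
    """Squid dstdom_regex -i: unanchored, case-insensitive regex search."""
    return re.search(entry, host, re.IGNORECASE) is not None


def allowed(host, matcher, entries=ENTRIES):
    """Return the entries that let this host through under the given matcher."""
    return [e for e in entries if matcher(e, host)]


def redundant(entries=ENTRIES):
    """Exact dstdomain entries already covered by a '.parent' entry."""
    dotted = [e for e in entries if e.startswith(".")]
    return [e for e in entries if not e.startswith(".")
            and any(match_dstdomain(d, e) for d in dotted)]


def anchored(entry):
    """Regex equivalent of the dstdomain meaning, for regex-based lists."""
    if entry.startswith("."):
        return r"(^|\.)" + re.escape(entry[1:]) + "$"
    return "^" + re.escape(entry) + "$"


if __name__ == "__main__":
    for h in HOSTS:
        print(h, allowed(h, match_dstdomain), allowed(h, match_dstdom_regex))
    print("redundant:", redundant())
```

Any entry that appears in the regex column for a look-alike host is wider than the domain it names; the `anchored()` form restricts it to the `dstdomain` meaning.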