Skype + SSL Interception + Squid in Non Transparent mode
-
Hello guys.
I've been struggling with this setup for a few days. We have pfSense 2.4.4, using SSL Interception and Squid in non-transparent mode (user auth). Skype used to work in the past, but some time ago we had a problem with our pfSense install and the backup.xml was old, so we had to build some "rules" again. Since Skype can't be used through proxy anymore (8+ versions) we have to make it pass Squid, so I'd have to whitelist all the addresses it uses to connect. I captured the addresses through the "Real time" menu and whitelisted all addresses. No luck doing that. Direct outgoing to 443 is blocked, and must remain that way (no direct connection allowed, with exceptions).
Since I'm not using transparent mode I can't just point the Skype addresses to bypass proxy.
I have captured through tcpdump a list of addresses the workstation tries to connect to and created LAN rules allowing all those networks to pass (an alias). But none of that worked and users still can't send messages. Sometimes the warning saying "Finish your Wi-Fi setup" doesn't show, but users still can't send / receive any messages.
My Squid Whitelist now:
client-s.gateway.messenger.live.com
go.trouter.skype.com
api.asm.skype.com
config.edge.skype.com
api.cc.skype.com
login.live.com
consumer.entitlement.skype.com
msftconnecttest.com
www.msftconnecttest.com
onecs-live.azureedge.net
wsapi.skype.com
browser.pipe.aria.microsoft.com
mobile.pipe.aria.microsoft.com
avatar.skype.com
edge.skype.com
people.skype.com
prod.registrar.skype.com
trouter-eus2-b.trouter.skype.com
api.aps.skype.com
msgsearch.skype.com
bn2-client-s.gateway.messenger.live.com
options.skype.com
api.mcr.skype.com
static.asm.skype.com
wdcp.microsoft.com
wdcpalt.microsoft.com
login.skype.com
skype.com
go.microsoft.com
activation.sls.microsoft.com
activation-v2.sls.microsoft.com
validation.sls.microsoft.com
validation-v2.sls.microsoft.com
displaycatalog.mp.microsoft.com
licensing.mp.microsoft.com
purchase.mp.microsoft.com
displaycatalog.md.mp.microsoft.com
licensing.md.mp.microsoft.com
purchase.md.mp.microsoft.com
.microsoft.com
livecmseastus.cloudapp.net
.cloudapp.net
.msn.com.akadns.net
.aria.akadns.net
.s-msedge.net
Does anyone have a tip to make Skype work in this setup? Thanks!
-
Hi @do1984 !
Thanks for putting the list together. Works great for me!
If you might need a WhatsApp list:
# whatsapp
.whatsapp.com
.whatsapp.net
web.whatsapp.com
whatsapp.com
c.whatsapp.net
whatsapp
Regards