Skype not working



  • Hello Everyone

    can anyone help me as i have pfsense 2.2.6 with squid3 and squid guard ,And skype is not working with me totally…although i did allow all the ips for skype in the whitelist  >



  • Skype uses lots of different ports, have you checked whether your firewall is allowing all needed traffic? Check your firewall log and/or see following url for client ports: https://technet.microsoft.com/en-us/library/gg398833.aspx

    Also have you tried disabling squid and squidguard to see whether you are able to use skype.

    It's possible that squidguard is blocking access to url's consisting of ip numbers, could be how skype is building some connections to the outside, I for instance had to disable this function to get my ISP's IPTV working and Netflix, you can find the option on the "Common ACL" page of squidguard, the option is called "Do not allow IP-Addresses in URL", and should be unchecked.



  • Hi!
    Currently, I'm dealing with this issue on my enviroment, so I want to help.
    Are you using Transparent proxy? SSL/HTTPS filtering?
    if so, maybe you are using the certificate method in which case, addind the i'ps to the white list is useless. Skype have some issues with the certificates which must be validated by the user but, as there are no interface to do this, the connection never gets done.
    In this case, what I'm doing is bypass the IP's from the proxy so they can go directly to the firewall.
    I'm using IP ranges that belongs to the addresses:
    web.skype.com
    www.skype.com
    login.skype.com
    secure.skype.com
    skypeassets.com
    and some DNS i found looking on the internet.

    Until now I'm able to login, display contacts, and chat.
    I'm having trouble with image and file sharing (I'll use wireshark to obtain the ip's) and have not tested calls and videocalls.

    If I got something else, I'll have you know.

    Regards



  • yes unfortunately i have squid and squidguard in transparent mode (i wish i could find a solution to make it work in non-transparent mode but didn't get help by that )
    although idid whitelist most of skype dns in squid
    allow bypass proxy to destinations all of those ip's
    create an target category to allow skype dns destinations in squid guard

    but all of that didn't work and once i shut squid and squid guard off skype is working normally



  • Good, you've established that skype is working when you disable squid+squidguard, so we can rule out the firewall and squid+squidguard are now the main focus.

    Some services don't work well with squid, for instance with my IPTV service, url's were accessed ip based instead of hostname based so I had to uncheck the "Do not allow IP-Addresses in URL" option in squidguard on the "Common ACL" page, however I also had to configure a bypass proxy for these ip addresses to get it working, I my instance I had to configure a whole network range from which the IPTV was broadcasting x.x.0.0/16

    The proper way to find out which ip or url's are being used by skype is to look at the squid access logs, you can find it by going to the squid proxy service and opening the "Real time" page it's the log on top of the page.

    Try connecting using skype and you should see the ip's and/or url's logged there, these either need to be whitelisted in squidguard or if ip based you should configure these ip addresses to the bypass proxy list, you can find it on the squid proxy service general page it's called "Bypass Proxy for These Destination IPs".



  • thanks alot for your help , i fixed skype by manage the certificate through internet explorer.However ,the whitelisted or by pass through proxy ips are not working with squid and squid guard



  • Indeed Skype definitely doesn't fit with environments based on HTTP proxy.
    This is even worst than this : despite what you may think, configuring through GUI Skype to rely on proxy doesn't work. Proxy will only be invoked if direct connection doesn't work. And even with this, it only partially works.

    Skype also requires to open huge number of ports  :o

    Definitely not firewall-friendly  :'(



  • Hi. I finaly managed to successfully use skype while Squid3 & Squidguard are enabled in thransparent mode with ssl bumping, I used two alias, one for the hosts ,and another for the networks (IP addresses in CIDR format) then, I've put both aliases on the bypass.

    If it helps anyone, here are them.
    HOSTS:

    apps.skypeassets.com
    login.skype.com
    pipe.skype.com
    secure.skype.com
    config.skype.com
    api.skype.com
    ui.skype.com
    s.gateway.messenger.live.com
    get.skype.com
    dsn13.d.skype.net
    mobile.pipe.aria.microsoft.com
    a.config.skype.com
    www.skypeassets.com
    dr.skype.net
    apps.skype.com
    api.asm.skype.com
    

    Networks:

    64.0.0.0/7
    189.192.132.0/22
    156.154.144.0/20
    23.212.40.0/22
    104.208.28.0/22
    168.61.164.0/22
    91.190.216.0/22
    40.76.24.0/22
    23.211.236.0/22
    23.11.250.0/22
    23.2.96.0/22
    23.73.244.0/22
    91.190.216.0/22
    157.56.196.0/22
    104.42.8.0/22
    191.234.40.0/22
    23.213.88.0/22
    40.76.208.0/22
    168.61.176.0/22
    13.107.0.0/22
    23.213.88.0/22
    

    Regards!  ;D



  • @chidgear:

    Hi. I finaly managed to successfully use skype while Squid3 & Squidguard are enabled in thransparent mode with ssl bumping, I used two alias, one for the hosts ,and another for the networks (IP addresses in CIDR format) then, I've put both aliases on the bypass.

    If it helps anyone, here are them.
    HOSTS:

    apps.skypeassets.com
    login.skype.com
    pipe.skype.com
    secure.skype.com
    config.skype.com
    api.skype.com
    ui.skype.com
    s.gateway.messenger.live.com
    get.skype.com
    dsn13.d.skype.net
    mobile.pipe.aria.microsoft.com
    a.config.skype.com
    www.skypeassets.com
    dr.skype.net
    apps.skype.com
    api.asm.skype.com
    

    Networks:

    64.0.0.0/7
    189.192.132.0/22
    156.154.144.0/20
    23.212.40.0/22
    104.208.28.0/22
    168.61.164.0/22
    91.190.216.0/22
    40.76.24.0/22
    23.211.236.0/22
    23.11.250.0/22
    23.2.96.0/22
    23.73.244.0/22
    91.190.216.0/22
    157.56.196.0/22
    104.42.8.0/22
    191.234.40.0/22
    23.213.88.0/22
    40.76.208.0/22
    168.61.176.0/22
    13.107.0.0/22
    23.213.88.0/22
    

    Regards!  ;D

    You added 2 rules in firewall aliases or in Squid whitelist? help me pls  :'(



  • As you can see, there are a lot of addresses, so, to make this simple, I've created 2 aliases, One has hosts and the other has nets (IE: "SkypeHost" alias for hosts and "SkypeNet" alias for nets). This is not mandatory, but helps A LOT.
    Then I put the aliases names ("SkypeHost" and "SkypeNet") in the "proxy bypass" field. This can be found under "Services" -> "Squid Proxy Server" -> "General" tab -> "Transparent Proxy Settings" section. There you will see 2 fields "Bypass Proxy for These Source IPs" and "Bypass Proxy for These Destination IPs"

    The aliases names goes in the 2nd field ("Bypass Proxy for These Destination IPs") separated by semicolons, do not put spaces or extra characters. also copy&paste the aliases names, as far as I know, this is case sensitive.

    SkypeHost;SkypeNet
    

    Once done this, save and apply.

    The changes will take effect immediately, but skype may not recognice it. In order to be sure, close skype (if it's open) and open again. Now you may have no trouble  ;D

    PS: If your facebook contacts aren't displayed or updated is because I didn't added the facebook IPs to the list, since facebook is forbidden on my work enviroment.

    On this case, if you want to use facebook with skype too, you need to open the facebook addresses too.

    Greetings and good luck!



  • How about group conversations in Skype? Does that works too for your setup?



  • Thanks  Chidgear i have already solved my problem with skype through squid. I've never thought that i could just bypass skype. I've been trying to solve this problem for 2 days already. THANKS!! ;D ;D



  • Hi sherwinluissss,

    I configured pfsense 2.3.2 + squid (transparent with ssl inspection enabled)+ squidGuard. I have couple of issues skype is one of those. call are going fine but it is showing internet issue and not showing user as online it is keep trying to do get the status. can you please let me know how you solved your skype issue with squid. what are the hosts needs to be allowed i allowed skype.com live.com hotmail.com these three are using by skype atthe time of login. could you please help me how to fix this. My second problem is with multiple sip phones trying to connect one external pbx. no voice on incomming calls and no in and outbound voice ext to ext.

    Thanks in advance.
    Harry


Log in to reply