Controlling access to Skype with the ProxySG




How do I control user access to Skype?
I would like to implement user-based access to Skype
What is the best way to block / prevent Skype?


Using an explicit proxy deployment:

The following was tested using Skype 4.2.x. Please note that the Skype protocol and application behavior may change at any time.

1. On the firewall, block all outbound traffic except proxy traffic (this is what most explicit proxy deployments should already have in place).

2. Step 1 forces Skype to use the proxy settings taken from Internet Explorer (IE), since it can no longer reach other Skype nodes directly.

3. On the ProxySG, install the following CPL into a CPL layer in VPM, or into the local policy file. For information on how to add CPL to the local policy file, please see 000010101. The local CPL to use should read:

    ; <Proxy> layer header: required when the rule is placed in the local policy file
    ; (a VPM CPL layer already supplies its own layer header)
    <Proxy>
    ; Deny any CONNECT whose target is a bare dotted-quad IP address.
    ; The dots are escaped so that they match a literal "." rather than any character.
    DENY http.method=CONNECT url.regex="[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"


Alternatively, the following rule, which denies every CONNECT request regardless of its destination, accomplishes the same:

    <Proxy>
    ; Deny all CONNECT requests (i.e. all tunnelled/HTTPS traffic through the explicit proxy)
    DENY http.method=CONNECT


Explanation of Code:

The first rule blocks any host containing "skype", which forces Skype to go over port 443. The second rule blocks any CONNECT request made directly to an IP address instead of to a hostname (FQDN).

When Skype cannot connect directly, it falls back to the proxy, tries to encrypt its connections, and attempts to contact "super nodes", which are usually IP addresses stored in a file in the Skype folder. When observing normal user traffic, however, 99% of the time that traffic never connects directly to an IP address. That is to say, you almost never see a CONNECT to a bare IP address; what is usually observed instead is a CONNECT to a hostname (FQDN).

With the above CPL code in place, Skype will open but never connect. Almost all other traffic is untouched.

The CPL rules can also be made to apply only to certain users and groups, while allowing access for others.



1. This method could stop working at any time because of the closed-source nature of Skype.

2. This method may have collateral damage on other applications. Some enterprise environments with custom-built applications may run into issues, or some forms of IM may break. However, please note that it is a lot easier to make exceptions for these because, unlike Skype, they are not peer-to-peer in nature, so the destination IPs are easily obtained and added to a whitelist.

3. Transparently deployed proxies cannot use the above method. In a transparent proxy the HTTP CONNECT method is not used, so SSL interception must be enabled in order to decrypt the encrypted traffic. However, because Skype does not use valid SSL traffic, the proxy will "break" the connection Skype is attempting, resulting in loss of connectivity across the whole network. In essence, it is not possible to control Skype in transparent mode; the application must be set to explicit proxy mode.

Lastly, please note that further tweaking of the policy may be necessary to avoid false positives (i.e. the policy blocking applications other than Skype).
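To see what the CONNECT-to-IP rule above actually denies, and why the false-positive warning matters, the following added example (illustrative Python written for this article, not ProxySG code) replays the rule against a handful of constructed access-log lines. It assumes, as the article's rule does, that url.regex performs an unanchored search over the CONNECT target, and it compares the regex with its dots escaped against the same pattern with unescaped dots, where "." matches any character and a hostname containing digit groups separated by hyphens is wrongly denied. The log lines, client addresses and hostnames are made up; the CPL rule itself does not run here, only its logic is simulated.

```python
"""
Offline simulation of the ProxySG CPL rule
    DENY http.method=CONNECT url.regex="[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"
against constructed proxy access-log lines.  Illustrative code added to this
article; it is not ProxySG software.
"""
import ipaddress
import re

# Pattern with the dots left unescaped: '.' matches ANY character, not just a dot.
UNESCAPED = re.compile(r"[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}")
# Same pattern with the dots escaped so only a dotted quad matches.
ESCAPED = re.compile(r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")

# Constructed sample lines in a simplified access-log shape: client, method, target.
SAMPLE_LOG = """\
10.0.0.5 CONNECT www.example.com:443
10.0.0.5 CONNECT 203.0.113.17:443
10.0.0.7 CONNECT cdn123-456-789-012.example.com:443
10.0.0.7 GET http://www.example.com/
10.0.0.9 CONNECT [2001:db8::1]:443
"""


def host_of(target: str) -> str:
    """Strip the :port from a CONNECT target ('1.2.3.4:443' -> '1.2.3.4', '[::1]:443' -> '::1')."""
    if target.startswith("["):                  # bracketed IPv6 literal
        return target[1:target.index("]")]
    host, _, _ = target.rpartition(":")
    return host or target


def is_ip_literal(target: str) -> bool:
    """True when the CONNECT target is a bare IPv4 or IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(host_of(target))
        return True
    except ValueError:
        return False


def policy_verdict(method: str, target: str, rule: re.Pattern = ESCAPED) -> str:
    """Apply the article's rule: DENY when the method is CONNECT and the regex matches the target.
    Assumption: url.regex is an unanchored search, so re.search() models it."""
    if method == "CONNECT" and rule.search(target):
        return "DENY"
    return "ALLOW"


def evaluate(log_text: str, rule: re.Pattern = ESCAPED):
    """Return (target, verdict) for every line of the simplified log."""
    verdicts = []
    for line in log_text.splitlines():
        _client, method, target = line.split()
        verdicts.append((target, policy_verdict(method, target, rule)))
    return verdicts


def false_positives(log_text: str, rule: re.Pattern):
    """CONNECT targets the regex denies even though they are hostnames, not IP literals."""
    return [t for t, v in evaluate(log_text, rule) if v == "DENY" and not is_ip_literal(t)]


if __name__ == "__main__":
    for label, rule in (("escaped", ESCAPED), ("unescaped", UNESCAPED)):
        print(f"--- url.regex with {label} dots ---")
        for target, verdict in evaluate(SAMPLE_LOG, rule):
            print(f"{verdict:5} {target}")
        print("false positives:", false_positives(SAMPLE_LOG, rule))
```

With the escaped pattern only the dotted-quad target is denied; with the unescaped pattern the hostname cdn123-456-789-012.example.com is denied as well, which is exactly the kind of collateral blocking the note above warns about. Note also that the IPv6 literal [2001:db8::1]:443 passes the IPv4-only regex but is caught by is_ip_literal(), so the same check can be used when reviewing access logs to confirm what the policy is and is not matching.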





InQuira Doc Id: KB4059
First Published: 10/01/2014
Last Modified: 10/01/2014
Last Published: 10/01/2014
Product: ProxySG
Software: SGOS 4, SGOS 5, SGOS 6
Topic: Policy Management, Services
Article Number: 000008773