billp
New Member
October 9, 2014
Solved

Skype doesn't work with SSL/SSH Inspection selected

  • October 9, 2014
  • 8 replies
  • 61482 views
I have a 600C running 5.0.7. Skype is an allowed/monitored app in the Application Control policy. Ports 80 and 443 are allowed. SSL inspection is enabled on port 443 so we can inspect certificates, but deep scanning is not selected for websites. If port 443 is selected for inspection, however, the Skype app cannot login. If it is deselected, then Skype will run. I saw an earlier post with a similar complaint, but there was no resolution. Has anyone else had problems running Skype with certificate inspection? I need to find a way to run Skype while still scanning other SSL certificates, so any suggestions would be welcome. Thanks.
    Best answer by billp

    8 replies

    billp
    billpAuthorAnswer
    New Member
    October 15, 2014
    I'm replying to my own post in case anyone else finds this useful. I have an open ticket with FTNT on this issue. I have a workaround in place for now by whitelisting all the IPs associated with Skype logins. There appears to be a Skype login problem (at least with my config) if SSL certificate inspection is turned on. These Skype IPs can be found by running this BASH script:
      #!/bin/bash
      # Resolve the dsn0..dsn20 Skype login hosts and print the unique addresses
      for i in {0..20}; do dig +short dsn$i.skype-dsn.akadns.net; done | sort | uniq
    If you don't want to enter all 107 unique Skype addresses into the firewall, you can come close by using these class C's: 111.221.74.0/24 111.221.77.0/24 157.55.130.0/24 157.55.235.0/24 157.55.56.0/24 157.56.52.0/24 213.199.179.0/24 64.4.23.0/24 65.55.223.0/24 (Credit to http://pingtool.org/block-skype-connection/ for the script and address info.) Just put them as destination addresses in a separate policy that does not have SSL inspection turned on. I realize these are static addresses and that Skype addresses are potentially dynamic. However, the above addresses have been stable for at least the last year or two. For me, that's good enough for a temporary work-around.
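As an added example (not part of billp's post or any Fortinet tooling), the following Python does the same aggregation offline: it parses `dig +short` output, de-duplicates the addresses, collapses them into the /24 blocks that would go into the separate no-inspection policy, and renders address objects. The dig output is constructed sample data, the FortiOS `config firewall address` / `set subnet` syntax is assumed, and the object names are made up.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `dig +short dsn$i.skype-dsn.akadns.net` output,
# concatenated over several i. Not a real resolution result.
SAMPLE_DIG_OUTPUT = """\
111.221.74.12
111.221.74.20
157.55.130.5
157.55.130.5
64.4.23.168
111.221.77.3
some-cname.example.net.
"""

def parse_dig_short(text):
    """Unique IPv4 addresses from `dig +short` output, sorted numerically.
    Hostname (CNAME) lines are skipped; duplicates collapse like `sort | uniq`."""
    addrs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addrs.add(ipaddress.IPv4Address(line))
        except ipaddress.AddressValueError:
            continue  # a CNAME or other non-address line
    return sorted(addrs)

def aggregate_to_prefix(addrs, prefixlen=24):
    """Collapse addresses into covering /prefixlen networks (the post's
    'class C' shortcut), with the count of distinct addresses in each."""
    buckets = defaultdict(set)
    for a in addrs:
        net = ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
        buckets[net].add(a)
    return {net: len(members) for net, members in sorted(buckets.items())}

def fortios_address_objects(nets, prefix="skype-login-"):
    """Render one address object per network for the no-inspection policy.
    Assumed FortiOS CLI syntax; the object names are made up."""
    lines = ["config firewall address"]
    for n, net in enumerate(sorted(nets), start=1):
        lines.append(f'    edit "{prefix}{n}"')
        lines.append(f"        set subnet {net.network_address} {net.netmask}")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)
```

Pipe real `dig` output into `parse_dig_short` and the count returned by `aggregate_to_prefix` shows how many of the unique addresses each /24 actually covers, which is the check to repeat when the address list drifts.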
    vanc
    New Member
    October 18, 2014
    Skype works for me in FOS 5.2.1 with deep scan enabled. In 5.2, when you use all flow based UTM profiles, the SSL deep scan is done by the same flow engine. It's much faster and reliable because the SSL traffic is scanned on the fly.
    lightmoon1992
    New Member
    November 3, 2014

    Hi Vanc,

    In 5.2, you have a new option under SSL inspection called SSL certificate inspection, besides the legacy Full SSL inspection. Skype will not work under Full inspection, as it really performs the man in the middle, whereas SSL certificate inspection will only inspect the certificate itself.

    Thanks,

    Mohammad

    billp
    billpAuthor
    New Member
    November 3, 2014

    I've been in a dialog with tech support on this issue.

    There are some issues with scanning SSL connections using a proxy connection. If you switch to using flow mode for your scanning, Skype will work. This is for 5.0.7, but I imagine this works for 5.2 as well.

    You can also turn off port 443 scanning in 5.0.7, and it should default to certificate scanning at that point.

    Ultimately, there will be changes coming down to 5.4 and beyond that will address some of these issues. We need a function to whitelist an app (like Skype), and I believe this is in the works.

    vanc
    New Member
    January 27, 2015

    With my FGT 100D doing full SSL deep inspection, I can run Skype 7.2 on Mac OS 10.9. But Skype Home doesn't work. Chat still works.

    Baboda
    New Member
    February 2, 2015

    Got the same problem here with 5.0.7.

    Did you get any answer from support?

    pcraponi
    New Member
    February 3, 2015

    marmellata72 wrote:

    Got the same problem here with 5.0.7.

    Did you get any answer from support?

    You need to "Except" Skype from SSL Inspection. Follow this KB:

    http://kb.fortinet.com/kb...ateId=0%200%2067412966

    Baboda
    New Member
    February 27, 2015

    Followed KB http://kb.fortinet.com/kb...ateId=0%200%2067412966

    It works now, thanks, but still can't send images.

    scerazy
    Visitor III
    March 10, 2015

    I only have SSL Certificate Inspection in 5.2 and cannot get Skype 7.2 connecting for a user that does have access to ports 80/443.

    Seb

    ikoimecs
    New Member
    December 15, 2016

    Hi, the 5.2 and 5.4 versions already have exempts for microsoft and skype in the default SSL inspection profile, but the address *.messenger.live.com for skype seems to be outdated. Please try the following:
    1. Create additional Wildcard FQDN addresses: *.skype.com, *.skype.net, *.trouter.io
    2. Add these addresses to the exempt address list of your SSL inspection profile along with the existing 'skype', 'live.com' and 'microsoft' entries.
    3. Assign this SSL inspection profile to your policy.
    It works for me on v5.4.2.

    Microsoft may change IPs and DNS names, so if this happens again, open Wireshark, set the filter to 'dns' and monitor DNS requests, then add new wildcards to your exempt list.

    Best regards, Ivo
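As an added example (not part of Ivo's post or Fortinet's own tooling), this Python turns the "watch DNS in Wireshark, then extend the exempt list" step into a repeatable check: given query names read off a capture and the current wildcard FQDN exemptions, it reports which names are not covered and proposes new wildcards. The query names are constructed sample data, the `*.skype.example` hosts are made up stand-ins for a new Skype host, and modelling the existing 'live.com' and 'microsoft' entries as wildcards is an assumption.

```python
# Constructed sample of DNS query names, as read off a Wireshark capture
# filtered on 'dns' during a Skype login. Not from a real capture.
OBSERVED_QUERIES = [
    "login.skype.com",
    "api.skype.net",
    "edge.trouter.io",
    "login.live.com",
    "pipe.skype.com",
    "config.edge.skype.example",  # made-up name standing in for a new host
    "cdn.edge.skype.example",
]

# Exemptions from the post; 'live.com' and 'microsoft' as wildcards is an assumption.
EXEMPT_WILDCARDS = ["*.skype.com", "*.skype.net", "*.trouter.io",
                    "*.live.com", "*.microsoft.com"]

def matches_wildcard(name, pattern):
    """A leading '*.' matches one or more labels. The apex itself does not
    match (so *.skype.com covers login.skype.com but not skype.com), and the
    label boundary is enforced so evilskype.com is not covered."""
    name = name.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".skype.com"
        return name.endswith(suffix) and len(name) > len(suffix)
    return name == pattern

def uncovered_queries(queries, wildcards):
    """Query names that no wildcard in the exempt list covers."""
    return [q for q in queries if not any(matches_wildcard(q, w) for w in wildcards)]

def suggest_wildcards(names, labels=2):
    """Propose '*.<last N labels>' per uncovered name, deduplicated. This is a
    heuristic: review each proposal before adding it to the exempt list."""
    out = set()
    for n in names:
        parts = n.rstrip(".").lower().split(".")
        if len(parts) > labels:
            out.add("*." + ".".join(parts[-labels:]))
    return sorted(out)
```

Keep the exempt list as narrow as the review allows, since every wildcard added is traffic the inspection profile no longer sees.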

    ahelal
    New Member
    February 9, 2017

    Hello Again

    I tried web.skype.com; it works perfectly every time.

    So there is something with the application and the SSL/SSH Inspection.

    If anyone knows how to fix it, please help.

    Thanks

    hawada
    New Member
    April 25, 2018

    Hello Guys,

    I know that this is an old thread, but I faced the same issue when applying deep packet inspection, since Skype for Business requires a certificate signed by a known Certificate Authority, and the link below solved my issue:

    http://kb.fortinet.com/kb/documentLink.do?externalID=FD37470

    Hope it helps.

    Regards,