How can I control Skype with WebMarshal?


This article applies to:

  • WebMarshal 6.1 and above
  • Skype

Question:

  • I want to use WebMarshal policy to control Skype.

Information:

To control Skype with WebMarshal, consider the following items:

  1. Use WebMarshal as a standalone proxy (not ISA plug-in)
  2. Restrict Skype native protocol ports at your firewall
  3. Enable WebMarshal HTTPS Content Inspection
  4. Enable the WebMarshal setting "Allow unidentified software to create tunnels"
  5. In WebMarshal HTTPS Rules, block use of invalid certificates when you want to block Skype.

Note: If you want to allow all Skype connections, see Trustwave Knowledgebase article Q12084: How can I allow all Skype connections when WebMarshal is installed?

1. Skype native ports

Like many Instant Message applications, Skype attempts to connect through its own protocol first, and then falls back on HTTPS.

Skype uses the following ports:

  • TCP 1024 to 65536 Outbound
  • UDP 1024 to 65536 Outbound
  • UDP (Port defined during Skype Install) Inbound

To control Skype with WebMarshal, you must ensure that the TCP and UDP access to these ports is blocked and that WebMarshal is the only available HTTPS route.

2. HTTPS Content Inspection

To control Skype HTTPS connections, enable WebMarshal HTTPS Content Inspection. This step allows you to check the HTTPS negotiation used by Skype.

2. Allow unidentified software

Skype does not provide a User Agent header. To allow Skype connections through WebMarshal, enable the setting "Allow unidentified software to create tunnels" (found in the WebMarshal Proxy Wizard).

3. WebMarshal Rules - Block where SSL/TLS could not be negotiated

When connecting through WebMarshal with HTTPS inspection, Skype SSL negotiation fails.

If you are using WebMarshal HTTPS Content Inspection, to allow or deny Skype for individual users or workstations, you can apply the WebMarshal HTTPS rule condition "Where SSL/TLS could not be negotiated."

Create a rule similar to the following:

When a web request is received
For any users
   Except where the user is a member of Allow Skype
And where addressed to any URL
And where SSL/TLS could not be negotiated

Block access to this site and display Blocked page
And do not process any further HTTPS rules

Place this rule at the top of the HTTPS Rules.

Notes:

This method potentially allows other content to pass uninspected for the allowed users, but a specially crafted application and server would most likely be required.

These instructions have been updated and validated at the time this article was written. If Skype behavior changes the required steps could change.

If you upgraded from WebMarshal 6.0 to 6.1 or above, is some cases you may find additional connections are unexpectedly blocked. For details, see Trustwave Knowledgebase article Q12083.

Last Modified 8/3/2009.
https://support.trustwave.com/kb/KnowledgebaseArticle11389.aspx