Skype via squid

Skype via squid

Heiler Bemerguy

Hi dude,

I've noticed our users are being blocked by a rule which prevents
CONNECTs to IP addresses instead of FQDN.

What puzzles me is WHY Skype is trying to connect to IPs even after
connecting to FQDNs? Has anyone noticed this? Any workaround apart
from whitelisting Microsoft IPs?

LOG:

1490189501.442    879 10.32.3.102 TCP_TUNNEL/200 8797 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.96 -
1490189502.241    740 10.32.3.102 TCP_TUNNEL/200 6160 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.66 -
1490189503.017    741 10.32.3.102 TCP_TUNNEL/200 13808 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.66 -
1490189510.193    729 10.32.3.102 TCP_TUNNEL/200 8784 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.66 -
1490189511.068    779 10.32.3.102 TCP_TUNNEL/200 6160 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.66 -
1490189512.162    763 10.32.3.102 TCP_TUNNEL/200 7376 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.66 -
1490189512.216    816 10.32.3.102 TCP_TUNNEL/200 7376 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.68 -
1490189517.077      1 10.32.3.102 NONE/503 0 CONNECT 157.55.130.146:443 - HIER_NONE/- -
1490189525.321      1 10.32.3.102 NONE/503 0 CONNECT 64.4.23.160:443 - HIER_NONE/- -
1490189526.333      1 10.32.3.102 NONE/503 0 CONNECT 111.221.77.165:443 - HIER_NONE/- -
1490189527.345      1 10.32.3.102 NONE/503 0 CONNECT 157.55.130.144:443 - HIER_NONE/- -
1490189528.354      1 10.32.3.102 NONE/503 0 CONNECT 111.221.77.149:443 - HIER_NONE/- -
1490189529.368      1 10.32.3.102 NONE/503 0 CONNECT 157.55.235.164:443 - HIER_NONE/- -
1490189531.375      1 10.32.3.102 NONE/503 0 CONNECT 157.56.52.20:443 - HIER_NONE/- -
1490189532.385      1 10.32.3.102 NONE/503 0 CONNECT 65.55.223.31:443 - HIER_NONE/- -
1490189533.393      1 10.32.3.102 NONE/503 0 CONNECT 157.56.52.21:443 - HIER_NONE/- -


--
Atenciosamente / Best Regards,

Heiler Bemerguy
Network Manager - CINBESA
55 91 98151-4894/3184-1751

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Skype via squid

Amos Jeffries
Administrator
On 23/03/2017 2:44 a.m., Heiler Bemerguy wrote:
>
> Hi dude,
>
> I've noticed our users are being blocked by a rule which prevents
> CONNECTs to IP addresses instead of FQDN.
>
> What puzzles me is WHY Skype is trying to connect to IPs even after
> connecting to FQDNs? Has anyone noticed this? Any workaround apart
> from whitelisting Microsoft IPs?

This has always been the case. Skype was originally a P2P application.
Since end users normally do not have custom reverse-DNS entries for
personal domain names (and Skype has no easy way to reliably find out even
if they do), it usually auto-negotiates its data connections using
raw-IP to bust its way through NAT breakages, then uses the results.

The domain name part at the beginning is a much more recent addition by
MS to use their generic live.co authentication APIs, and is not actually a
part unique to Skype itself.


That is why the wiki config example combines a regex ACL for matching
raw-IP values in the URL, and the User-Agent header detection.

Amos
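
Added example, not part of either post and not code from the Squid project: a Python triage of a native-format access.log for the pattern discussed in this thread, CONNECTs to raw IP literals that did not produce a tunnel, each tagged with the FQDN the same client last tunnelled to. The function names, the 60-second window and the sample lines (constructed, modelled on the log in the first post) are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in Squid's native access.log format, modelled on the post's log.
SAMPLE_LOG = """\
1490189501.442    879 10.32.3.102 TCP_TUNNEL/200 8797 CONNECT login.live.com:443 - HIER_DIRECT/131.253.61.96 -
1490189517.077      1 10.32.3.102 NONE/503 0 CONNECT 157.55.130.146:443 - HIER_NONE/- -
1490189525.321      1 10.32.3.102 NONE/503 0 CONNECT 64.4.23.160:443 - HIER_NONE/- -
1490189530.000      2 10.32.3.77 NONE/503 0 CONNECT 192.0.2.10:443 - HIER_NONE/- -
1490189540.000    120 10.32.3.77 TCP_TUNNEL/200 5120 CONNECT [2001:db8::1]:443 - HIER_DIRECT/2001:db8::1 -
"""

def ip_literal(target):
    """Return the host of 'host:port' if it is an IPv4/IPv6 literal, else None."""
    host = target.rsplit(":", 1)[0].strip("[]")
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        return None

def failed_raw_ip_connects(log_text, window=60.0):
    """Group non-2xx CONNECTs to IP literals by client, with the FQDN that
    client last tunnelled to within `window` seconds (None if there was none)."""
    last_fqdn = {}                      # client -> (timestamp, host:port)
    hits = defaultdict(list)            # client -> [(target, status, prior FQDN)]
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "CONNECT":
            continue
        ts, client, target = float(f[0]), f[2], f[6]
        status = f[3].split("/")[-1]    # "NONE/503" -> "503"
        if ip_literal(target) is None:
            if status.startswith("2"):
                last_fqdn[client] = (ts, target)
            continue
        if status.startswith("2"):
            continue                    # raw-IP CONNECT that did get a tunnel
        seen = last_fqdn.get(client)
        prior = seen[1] if seen and ts - seen[0] <= window else None
        hits[client].append((target, status, prior))
    return dict(hits)

if __name__ == "__main__":
    for client, rows in failed_raw_ip_connects(SAMPLE_LOG).items():
        for target, status, prior in rows:
            print(f"{client} -> {target} [{status}] last FQDN tunnel: {prior}")
```

Hits with no prior FQDN tunnel (such as the constructed 10.32.3.77 line) are the ones that cannot be attributed to the login-then-raw-IP pattern and deserve a separate look.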
