On 23/03/2017 2:44 a.m., Heiler Bemerguy wrote:
> Hi dude,
> I've noticed our users are being blocked by a rule which prevents
> CONNECTs to IP addresses instead of FQDN.
> What puzzles me is WHY skype is trying to connect to IPs even after
> connecting to FQDNs.. ? Have anyone noticed this? Any workaround apart
> from whitelisting Microsoft IPs...... ???
This has always been the case. Skype was originally a P2P application,
since end users normally do not have custom reverse-DNS entries for
personal domain names (and Skype no easy way to reliably find out even
if they do) those usually auto-negotiates its data connections using
raw-IP to bust their way through NAT breakages, then uses the results.
The domain name part at the beginning is a much more recent addition by
MS to use their generic live.co autenticaion APIs, and not actually a
part unique to Skype itself.
That is why the wiki config example combines a regex ACL for matching
raw-IP values in the URL, and the User-Agent header detection.