Linogate Internet Technologies
   

What is Skype?

Skype is a proprietary voice-over-ip (VoIP) protocol based on peer-to-peer (p2p) technology. It requires a vast number of open ports for communication - a security nightmare. For professional IP telephony you might want to take a look at SIP based solutions instead. SIP is a standardised open VoIP protocol and with DEFENDO's integrated SIP proxy it is easy to set up.

Connection problems when accessing the Skype network through DEFENDO

The Skype protocol requires a lot of ports for communication. All these ports are used within a very short period of time which triggers DEFENDO's portscan protection. Further connections will be dropped temporarily. As the Skype client continues with its connection attempts the problem will persist and the corresponding PC will loose its Internet connectivity. The same problem will occur if Skype is configured to use an HTTP(S) proxy. You will have to use DEFENDO's SOCKS proxy if you need Skype.

Configuration of the DEFENDO SOCKS proxy

First of all it has to be deliberated about whether a userspecific configuration of the SOCKS proxy is prefered or if it is sufficient to identify the Skype clients by IP address and grant access to the whole network or individual workstations.
Global configuration
Global SOCKS rules apply to all users no matter if they authenticate themselves or not. Configure the rules at "Expert -> Proxies -> SOCKS proxy" on tab "Connections".
Userspecific configuration
The userspecific rules will apply after successfull authentication of the corresponding user. Each DEFENDO user who is member of group system-proxy can have his own set of SOCKS rules. Hence the SOCKS rules for Skype have to be added for each individual user who needs to use Skype. Add userspecific rules below "Administration -> Users" by selecting the user and clicking on tab "SOCKS proxy".
Skype requires very liberal SOCKS rules. You need to add rules for both, TCP and UDP. The only restriction you may impose is the source IP. Skype uses no defined port range or servers which could be used to narrow the rules down. So the following rules have to be applied:
  • tcp:IP_OF_SKYPE_CLIENT(*)->*(*)
  • udp:IP_OF_SKYPE_CLIENT(*)->*(*)
The rules can either be applied as userspecific or global rules.
Don't forget to start the SOCKS proxy and configure it for autostart if you didn't do this already.

Configuration of the Skype client

The Skype client has to be configured to use the SOCKS proxy. All settings can be applied below "Actions -> Options -> Connections". Select SOCKS5 as proxy protocol and enter DEFENDO's IP as "Host". The SOCKS proxy listens on port 1080. If you configured the SOCKS rules per user on DEFENDO, you will also have to enable user authentication.
Now you should be able to connect to the Skype network through the SOCKS proxy. As all connections are now tunneled to the SOCKS server there shouldn't be any more portscan related issues.