> I wonder how to get it working well too...
>
> Skype's problems:
>
> 1.) It tries NAT for too long before falling to proxy (and there's no
> way, as I know, to block the use of NAT).
> 2.) Skype uses ANY ports and MANY IPs (as far as I know, as far as my
> sniffing is right)
> 3.) There's really no official Skype documented support for our cause.
>
> So... I just wonder what should be done to achieve this!?
>
>
> - Mauricio
>
> Janco van der Merwe wrote:
>> Hi,
>>
>> I need to set up Squid with the following:
>>
>> The network has 36 PCs all with Skype - Business needs
>> Skype.....why.....I don't know.
>>
>> Only 6 of the 36 PCs are allowed to use the internet, the rest are not, but
>> they must be able to access Skype. Currently they have a Squid
>> configuration with a transparent proxy with no passwords /
>> authentication. They do not want authentication brought in because they
>> don't want to type passwords.
>>
>> Can anyone assist me on how to set up Squid with the correct ACLs for
>> the above because this is a little bit out of my league and I don't know
>> how I am going to allow Skype but no other HTTP traffic.
>>
>> I'm fine with the setup of the ACL to allow certain computers to the
>> Internet but to block all other Internet traffic but Skype that is where
>> my bug falls off its cork.
>>

AFAICS, Skype requires CONNECT privilege and uses "CONNECT a.b.c.d:p" to connect out via proxy.

You will need to kill any ACL configured to prevent CONNECT from internal to external IP.

Yes, it opens a large loophole for internal infections to get out. This can be reduced somewhat by still preventing CONNECT by IP to under-1024 ports that are known for abuse, i.e. 21, 22, 25, 135-139, 445, 80, etc. (if you are lucky you may know a few standard ports Skype tries CONNECTs to first and allow those).

Amos
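The approach in the reply above, written out as a squid.conf fragment. This is an added example, not configuration posted in the thread. The addresses and the ACL names `lan`, `full_access`, `raw_ip_dst` and `abuse_ports` are constructed placeholders, and it assumes the Skype clients are explicitly configured to use the proxy, since CONNECT requests are only sent by clients that know they are talking to one.

```conf
# Constructed addresses: substitute the site's real ranges.
# All 36 PCs.
acl lan src 192.168.1.0/24
# The 6 PCs that are allowed general Internet access.
acl full_access src 192.168.1.10-192.168.1.15

# Already defined in the stock squid.conf; keep a single definition.
acl CONNECT method CONNECT

# Destination given as a dotted-quad IP rather than a hostname,
# i.e. the "CONNECT a.b.c.d:p" form described in the reply.
acl raw_ip_dst dstdom_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$

# Ports named in the reply as known for abuse.
acl abuse_ports port 21 22 25 80 135-139 445

# The stock rule "http_access deny CONNECT !SSL_ports" must not come
# before these lines, or it rejects CONNECT to arbitrary ports first.

# 1. No client may tunnel to a raw IP on the abuse-prone ports.
http_access deny CONNECT raw_ip_dst abuse_ports

# 2. The six browsing PCs get normal access.
http_access allow full_access

# 3. Every other PC may only open CONNECT tunnels to raw IPs.
http_access allow lan CONNECT raw_ip_dst

# 4. Everything else is refused, including plain HTTP from the other 30 PCs.
http_access deny all
```

Rule order matters because Squid stops at the first matching `http_access` line; `squid -k parse` checks the syntax before a reload.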