Hi,

I know what I'm about to tell you might raise a couple of eyebrows but I had no choice in this matter. What I did was keep port 80 open on the firewall to allow Skype to do what it wants because in this case the client was at a no-negotiation stage where Skype was concerned, so looking for an alternative was out of the question. Next I forced all client PCs to use Squid as the proxy, got to love GPO, where there are a couple of ACLs determining who can access the Internet and who can't, and it works... It's not the right way of doing it, I know, but under the circumstances there was no alternative. Luckily the users are quite stupid and they will not know how to change the proxy, but if I get that 1 user who has a little savvy I'm going to have my hands full.

I tested Skype through trying to force it to go through a certain port but had so many comebacks it wasn't funny, so the above was the solution.

If anyone can give me an alternative to the above mentioned I would be very grateful, but keep in mind that looking for a Skype alternative is not an option because that is dictated to me.

With regards

> Janco,
>
> In theory it can be done with ufdbGuard, a URL filter for Squid.
>
> Skype uses direct/NAT, HTTP and HTTPS access to get to the outside world.
> If you configure Skype to use HTTPS, ufdbGuard can sort of detect
> Skype traffic because Skype uses the HTTPS port (443) but not the HTTPS
> protocol and this is what ufdbGuard detects.
>
> Skype also can use the HTTP protocol on port 80 but since it
> does not use the HTTP protocol (only the port number) Squid will
> not understand Skype's intentions and effectively block it.
>
> To open the firewall to allow Skype to go out direct/NAT is asking
> for trouble. So we can "safely" implement a mechanism that supports
> Skype over HTTPS.
> ufdbGuard is a filter and it is easy to configure to block the rest of
> the internet for a number of PCs.
>
> However, there is a major security issue, since allowing Skype means
> that you allow all applications that use port 443 to go to the internet,
> including proxy tunnels (e.g. proxytunnel uses SSH).
>
> I consider Skype unsafe to use because it uses an undisclosed
> ("black box") protocol that is waiting for another virus/worm
> to (ab)use and there is no antivirus vendor that can scan
> the content of HTTPS.
> My advice would be to look for an alternative to Skype.
>
> -Marcus
>
>
> Janco van der Merwe wrote:
>> Hi,
>>
>> I need to set up Squid with the following:
>>
>> The network has 36 PCs all with Skype - Business needs
>> Skype.....why.....I don't know.
>>
>> Only 6 of the 36 PCs are allowed to use the internet, the rest are not, but
>> they must be able to access Skype. Currently they have a Squid
>> configuration with a transparent proxy with no passwords /
>> authentication. They do not want authentication brought in because they
>> don't want to type passwords.
>>
>> Can anyone assist me on how to set up Squid with the correct ACLs for
>> the above because this is a little bit out of my league and I don't know
>> how I am going to allow Skype but no other HTTP traffic.
>>
>> I'm fine with the setup of the ACL to allow certain computers to the
>> Internet but to block all other Internet traffic but Skype, that is where
>> my bug falls off its cork.
>>
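
The distinction Marcus draws in the quoted reply, traffic that uses the HTTPS port (443) without speaking the HTTPS protocol, can be checked on the first bytes a client sends through a tunnel. The sketch below is an added example, not part of the original thread and not ufdbGuard's code; the function names, sample payloads and 192.0.2.x addresses are constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type "handshake"
CLIENT_HELLO = 0x01    # handshake message type "ClientHello"
MAX_RECORD_LEN = 2 ** 14


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """True if the first bytes sent through a port-443 tunnel are shaped
    like a TLS ClientHello record (5-byte record header + handshake header)."""
    if len(first_bytes) < 9:
        return False
    ctype, major, minor, rec_len = struct.unpack("!BBBH", first_bytes[:5])
    if ctype != TLS_HANDSHAKE or major != 3 or minor > 3:
        return False
    if not 4 <= rec_len <= MAX_RECORD_LEN:
        return False
    hs_type = first_bytes[5]
    hs_len = int.from_bytes(first_bytes[6:9], "big")
    # A ClientHello carries at least a version and a 32-byte random, and the
    # record holds this one message (or its first fragment), nothing more.
    return hs_type == CLIENT_HELLO and hs_len >= 34 and rec_len <= hs_len + 4


def non_tls_clients(flows):
    """flows: iterable of (client_ip, first_bytes) for tunnels to port 443.
    Returns the sorted client IPs whose tunnel did not start with TLS."""
    return sorted({ip for ip, data in flows if not looks_like_tls_client_hello(data)})


def build_sample_client_hello() -> bytes:
    """Constructed minimal ClientHello, for the demo only."""
    body = (b"\x03\x03" + bytes(32) + b"\x00"   # version, random, empty session id
            + b"\x00\x02\x13\x01"                # one cipher suite
            + b"\x01\x00" + b"\x00\x00")         # null compression, no extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample flows (documentation addresses, made-up payloads).
SAMPLE_FLOWS = [
    ("192.0.2.10", build_sample_client_hello()),              # TLS-shaped
    ("192.0.2.21", bytes.fromhex("8f3ac17e0299d4b05a6c11")),  # opaque binary
    ("192.0.2.22", b"GET / HTTP/1.1\r\n"),                    # plain HTTP on 443
]

if __name__ == "__main__":
    for ip in non_tls_clients(SAMPLE_FLOWS):
        print(f"{ip}: port 443 tunnel did not begin with a TLS ClientHello")
```

A check like this only separates TLS-shaped traffic from everything else on port 443; as the quoted reply notes, anything that does speak real HTTPS still passes and its content stays opaque to the proxy.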