Janco, Your solution made me think about an alternative... Why don't you try this: setup an extra SOCKS proxy that listens to port 1080 only and configure this proxy to do authentication. Then configure Skype to use the SOCKS proxy and you as sysadmin type the username/password, hence users are not able to use the SOCKS proxy with a browser since they don't know the password. Then you can configure the normal proxy to block Skype with ufdbGuard and block internet for 36-6 PCs. -Marcus PS: never underestimate users, most of them are able to type "I am blocked" in Google. janco@xxxxxxxxxxxxxxxxxxx wrote:
Hi, Iknow what I'm about to tell you might raise a couple of eye browse but I had no choice in this matter. What I did was keep port 80 open on the firewall to allow skype to do what it wants becuase in this case the client was at a no nogotiation stgae where skype was concerned so looking for an alternative was out of the question. Next I forced all client PC to use Squid as the proxy, got to love GPO, where there are a couple of acls determining who can access the Internet and who can't and it works.....it's not the right way of doing it I know but under the circumstances there was no alternative, luckily the users are quite stupid and they will not know how to change the proxy but if I get that 1 user who has a little savy I'm going to have my hands full. I tested the skype through trying to force it to go through a certain port but had so many comebacks it wasn't funny so the above was the solution. If anyone can give me an alternative to the above mentioned I would be very greatful but keep in mind that looking for a skype alternative is not an option because that is dictated to me. With regardsJanco, In theory it can be done with ufdbGuard, a URL filter for Squid. Skype uses direct/NAT, HTTP and HTTPS access to get to the outside world. If you configure Skype to use HTTPS, ufdbGuard can sort of detect Skype traffic because Skype uses the HTTPS port (443) but not the HTTPS protocol and this is what ufdbGuard detects. Skype also can use the HTTP protocol on port 80 but since it does not use the HTTP protocol (only the port number) Squid will not understand Skype's intentions and effectively block it. To open the firewall to allow Skype to go out direct/NAT is asking for trouble. So we can "safely" implement a mechanism that supports Skype over HTTPS. ufdbGuard is a filter and it is easy to configure to block the rest of the internet for a number of PCs. However, there is a major security issue, since allowing Skype means that you allow all applications that use port 443 to go the the internet, including proxy tunnels (e.g. proxytunnel uses SSH). I consider Skype unsafe to use because it uses a undisclosed ("black box") protocol that is waiting for another virus/worm to (ab)use and there is no antivirus vendor that can scan the content of HTTPS. My advise would be to look for an alternative of Skype. -Marcus Janco van der Merwe wrote:Hi, I need to set up Squid with the following: The network has 36 PCs all with Skype - Business needs Skype.....why.....I dont know. Only 6 of the 36 PCs is allowed to use the internet the rest is not but they must be able to access skype. Currently they have a Squid configuration with a transparent proxy with no passwords / authentication. They do not want authentication brought in because they don't want to type passwords. Can anyone assist me on how to set up Squid with the correct ACLs for the above because this is a little bit out of my league and I don't know how I am going to allow Skype but no other http traffic. I'm fine with the setup of the ACL to allow certain computers to the Internet but to block all other Internet traffic but Skype that is where my bug falls of its cork.
