Hello, I get tired of the topic already two days and I have no power, so please help ... I did install squid3 (v3.1.19) integrated with AD (according http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy). Allowing only users who belong to the Admin-Internet. Everything is ok for browsers and Kerberos, NTLM, LDAP even. Only I have a problem with Skype - in access.log I see: 1380113279.753 0 10.22.88.22 TCP_DENIED/407 3811 CONNECT 157.56.123.82:443 - NONE / - text / html; 1380113279.794 0 10.22.88.22 TCP_DENIED/407 3866 CONNECT 157.56.123.82:443 - NONE / - text / html; 1 1380113281.723 3766 10.22.15.104 TCP_DENIED/407 CONNECT 91.190.216.54:443 - NONE / - text / html; I tried to correct it as http://wiki.squid-cache.org/ConfigExamples/Chat/Skype and other variations, but nothing helps. If Skype does not support any of the above authorization, I have tried to allow the unauthorized movement in a similar way to access the pages: http_access allow localnet GlobalAllowedSites but it also fails ... (http_access allow numeric_IPs Skype_UA, CONNECT http_access allow numeric_IPs Skype_UA). What am I doing wrong? How to solve it? p.s: my squid.conf: auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN --kerberos /usr/lib/squid3/squid_kerb_auth -d -s GSS_C_NO_NAME auth_param negotiate children 10 auth_param negotiate keep_alive off auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=DOMAIN auth_param ntlm children 10 auth_param ntlm keep_alive off auth_param basic program /usr/lib/squid3/squid_ldap_auth -R -b "dc=DOMAIN,dc=pl" -D squid@xxxxxxxxx -w PASSw0rd -f sAMAccountName=%s -h dc02.DOMAIN.pl auth_param basic children 10 auth_param basic realm Internet Proxy auth_param basic credentialsttl 1 minute url_rewrite_program /usr/bin/squidGuard -c /etc/squid3/squidGuard.conf external_acl_type memberof %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -b "dc=DOMAIN,dc=pl" -D squid@xxxxxxxxx -w PASSw0rd -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=Admin-Internet, ou=it,dc=DOMAIN,dc=pl))" -h dc02.DOMAIN.pl acl localnet src 10.22.0.0/16 acl auth proxy_auth REQUIRED acl InternetAccess external memberof Admin-Internet acl GlobalAllowedSites dstdomain "/etc/squid3/GlobalAllowedSites.txt" acl BlockedSites dstdomain "/etc/squid3/BlockedSites.txt" acl manager proto cache_object acl localhost src 127.0.0.1/32 ::1 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgm acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT acl numeric_IPs dstdom_regex ^(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)|(\[([0-9af]+)?:([0-9af:]+)?:([0-9af]+)?\])):443 acl Skype_UA browser ^skype http_access allow CONNECT numeric_IPS localnet http_access allow numeric_IPS localnet http_access allow Skype_UA http_access allow manager localnet http_access deny manager http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost http_access allow GlobalAllowedSites localnet http_access deny BlockedSites http_access deny !auth http_access allow InternetAccess auth localnet http_access deny all access_log /var/log/squid3/access.log squid !GlobalAllowedSites http_port 10.22.94.130:8080 hierarchy_stoplist cgi-bin ? cache_dir aufs /media/squidcache 10000 16 256 coredump_dir /var/spool/squid3 cache_peer 10.22.94.130 parent 8081 0 no-query no-digest default never_direct allow all refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 cache_effective_user proxy cache_effective_group proxy Thanks for help Kazio
