How to configure McAfee Web Gateway to not scan Skype traffic
Technical Articles ID: KB89194
Last Modified: 12/20/2018

Environment

McAfee Web Gateway (MWG) 7.x

Problem

Web Gateway can scan Skype traffic using the SSL Scanner, because Skype respects the Windows certificate store.

This means MWG can open the SSL traffic, but it will usually corrupt the data inside, because MWG does not offer any filter that understands the proprietary Skype protocols.

Skype uses XML, STP, UDP and TCP. It is not a web protocol but a peer-to-peer protocol that McAfee Web Gateway does not handle.

With these points in mind, how can I configure MWG to not scan Skype traffic?

Solution

Skype application

To exclude Skype application traffic from the SSL Scanner, McAfee recommends configuring an additional HTTP proxy port in McAfee Web Gateway:
  1. Open the MWG manager.
  2. Select Configuration, Appliances, Proxies (HTTP(S), FTP, SOCKS, ICAP, ...).
  3. In the HTTP port definition list, configure the new HTTP proxy with the following settings:
    • Listener address: 0.0.0.0:9191
    • Serve transparent SSL connection: True
    • Ports rated as SSL: 443
    • Transparent common name handling: False

  4. Exclude this proxy port from the SSL Scanner by adding the criterion Proxy.Port does not equal 9191 to the SSL Scanner rule set.

  5. Configure Skype to use this port.

Skype browser plugin
The browser plugin uses the default client settings and cannot be configured to use a different proxy port.
It is not possible to handle such connections in MWG and intercept them with the SSL Scanner. Microsoft does not provide a list of IPs or hosts that MWG could bypass.


Skype for Business (previously Lync)
This version of Skype also uses the operating system proxy settings and has no individual settings. Microsoft provided a list of hosts, and McAfee implemented a McAfee-maintained list that can be imported so that this traffic is bypassed rather than intercepted:
  1. Open the MWG manager.
  2. Select Policy, Lists, Subscripted Lists and click the green Add button.
  3. Add the Lync Online IPv4 addresses:
    1. Add Name Lync Online IPv4 addresses.
    2. Select List is managed remotely.
    3. Select McAfee Maintained List from the Source and click Choose.
    4. Search for Lync Online in the list content and add Lync Online IPv4 addresses.
    5. Click OK.
       
  4. Add the Lync Online IPv6 addresses:
    1. Add Name Lync Online IPv6 addresses.
    2. Select List is managed remotely.
    3. Select McAfee Maintained List from the Source and click Choose.
    4. Search for Lync Online in the list content and add Lync Online IPv6 addresses.
    5. Click OK.
       
  5. Add the Lync Online URLs:
    1. Add Name Lync Online URLs.
    2. Select List is managed remotely.
    3. Select McAfee Maintained List from the Source and click Choose.
    4. Search for Lync Online in the list content and add Lync Online URLs.
    5. Click OK.

  6. Go to Policy, Rule Sets, Rule Sets and create a bypass based on the newly added lists.
  7. Add a new Top level rule above the SSL Scanner rule set and choose a name like Bypass Skype for Business.
  8. Configure the new rule as follows:
    • For Action select: Stop Cycle
    • For Rule Criteria enter: URL.Host matches in list Lync Online URLs OR URL.Destination.IP is in range list Lync Online IPv4 addresses OR URL.Destination.IP is in range list Lync Online IPv6 addresses
       
  9. Apply the changes.
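As an added example that is not McAfee's code, the following Python model evaluates the two bypass decisions described above (the dedicated Skype proxy port and the list-based Skype for Business rule) against sample requests, so the combined rule logic can be checked before it is deployed. The hosts and address ranges are constructed placeholders, not the contents of the real McAfee-maintained lists.

```python
"""Offline model of the MWG bypass logic from this article (added example).

The list contents below are constructed placeholders; the real 'Lync Online'
lists are subscribed McAfee-maintained lists.
"""
import fnmatch
import ipaddress

# Constructed stand-ins for the three subscribed lists (placeholders only).
LYNC_ONLINE_URLS = ["*.lync.example", "*.online.example"]
LYNC_ONLINE_IPV4 = [ipaddress.ip_network("203.0.113.0/24")]   # TEST-NET-3
LYNC_ONLINE_IPV6 = [ipaddress.ip_network("2001:db8:1::/48")]  # doc prefix

# Dedicated listener from the "Skype application" section.
SKYPE_PROXY_PORT = 9191


def host_in_list(host, patterns):
    """URL.Host matches in list: case-insensitive wildcard match."""
    h = host.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(h, p.lower()) for p in patterns)


def ip_in_range_list(ip, networks):
    """URL.Destination.IP is in range list, family-aware (IPv4 vs IPv6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in networks)


def bypass_skype_for_business(host, dest_ip):
    """Criteria of the 'Bypass Skype for Business' rule (Action: Stop Cycle)."""
    return (host_in_list(host, LYNC_ONLINE_URLS)
            or ip_in_range_list(dest_ip, LYNC_ONLINE_IPV4)
            or ip_in_range_list(dest_ip, LYNC_ONLINE_IPV6))


def ssl_scanner_applies(proxy_port, host, dest_ip):
    """True when a connection reaches SSL Scanner processing.

    Rules run top-down: the Stop Cycle bypass sits above the SSL Scanner rule
    set and ends the cycle first; the 'Proxy.Port does not equal 9191'
    criterion then keeps the dedicated Skype port out of the scanner.
    """
    if bypass_skype_for_business(host, dest_ip):
        return False
    return proxy_port != SKYPE_PROXY_PORT
```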
