NOTE: To exclude Microsoft Teams, configure a normal policy allow list to exclude traffic from scanning.
Also, the subscription list that we offer in the Office 365 rule set covers Microsoft Teams exactly like Skype for Business or Lync.
If you enable a bypass in the Skype for Business/Lync rule set, it covers Team voice traffic as well.
Skype application:
To inspect the Skype application traffic, we recommend that you configure another HTTP proxy port in WG:
- Open the WG manager.
- Select Configuration, Appliances, Proxies (HTTP(S), FTP, SOCKS, ICAP, ...).
- In the HTTP port definition list, configure the new HTTP Proxy with the following settings:
- Listener address: 0.0.0.0:9191
- For Serve transparent SSL connection, set as True
- For Ports rated as SSL, enter 443
- For Transparent common name handling, set as False
- Exclude this proxy port from the SSL Scanner. Add the following criteria to the SSL Scanner rule set:
Proxy.Port does not equal 9191
- Configure Skype to use this port.
Skype browser plug-in
The browser plug-in uses the default client settings. The browser plug-in can't be configured to use a different proxy port. It isn't possible to handle such connections in WG and intercept them with the SSL scanner. Microsoft doesn't provide a list of IPs or hosts that WG can bypass.
Skype for Business (previously Lync)
This version of Skype also uses the Operating System proxy settings and has no individual settings. Microsoft provides a list of hosts and we implement a McAfee-maintained list. The list can be imported so that such traffic is bypassed from being intercepted:
- Open the WG manager.
- Select Policy, Lists, Subscripted Lists and click Add.
- Add the Lync Online IPv4 addresses:
- Add Name Lync Online IPv4 addresses.
- Select List is managed remotely.
- Select McAfee Maintained List from the Source and click Choose.
- Search for Lync Online in the list content and add Lync Online IPv4 addresses.
- Click OK.
- Add the Lync Online IPv6 addresses:
- Add Name Lync Online IPv6 addresses.
- Select List is managed remotely.
- Select McAfee Maintained List from the Source and click Choose.
- Search for Lync Online in the list content and add Lync Online IPv6 addresses.
- Click OK.
- Add the Lync Online URLs:
- Add Name Lync Online URLs.
- Select List is managed remotely.
- Select McAfee Maintained List from the Source and click Choose.
- Search for Lync Online in the list content and add Lync Online URLs.
- Click OK.
- Go to Policy, Rule Sets, Rule Sets and create a bypass based on the newly added lists.
- Add a new top-level rule above the SSL Scanner rule set and choose a name like Bypass Skype for Business.
- Configure the new rule as follows:
- For Action, select Stop Cycle.
- For Rule Criteria, enter URL.Host matches in list Lync Online URLs OR URL.Destination.IP is in range list Lync Online IPv4 addresses OR URL.Destination.IP is in range list Lync Online IPv6 addresses
- Apply the changes.
