This article applies to:

• WebMarshal 6.1 and above
• Skype

Question:

• Skype is blocked by WebMarshal. How can I allow all Skype calls?

Information:

WebMarshal 6.1 introduces HTTPS content inspection. Depending on your firewall setup and the WebMarshal HTTPS rules you have configured, you may find that Skype connections are blocked.

Note: For steps to allow or deny Skype based on rules, see article Q11389.

If you want to allow all Skype connections:

• Open Skype native protocol ports at your firewall.
• If you cannot open the native ports:
1. In WebMarshal Proxy settings enable the setting "Allow unidentified software to create HTTPS tunnels" 
2. In WebMarshal HTTPS Rules, allow connections where SSL/TLS could not be negotiated (do not inspect this content)

Skype native ports

Like many Instant Message applications, Skype attempts to connect through its own protocol first, and then falls back on HTTPS.

Skype uses the following ports:

• TCP 1024 to 65536 Outbound
• UDP 1024 to 65536 Outbound
• UDP (Port defined during Skype Install) Inbound

To allow all Skype connections, the simplest configuration is to allow traffic through these ports at the firewall.

WebMarshal Configuration

If you cannot open the firewall ports, you can configure WebMarshal to allow Skype connections.

1. Run the WebMarshal Proxy Wizard. On the HTTPS Connection Restrictions page, enable the setting "Allow unidentified software to create HTTPS tunnels." 

Notes:

• When Skype attempts to connect by HTTPS, it does not provide complete identification as browsers do. Therefore WebMarshal will block Skype HTTPS connections by default unless you change this setting.
• This setting only applies to connections that are not inspected by WebMarshal HTTPS Content Inspection.
• Other software, such as Citrix Metaframe Server connections, also requires this setting in order to work through WebMarshal.

2. If you are using WebMarshal HTTPS Content Inspection, to allow Skype, ensure that you are NOT blocking requests where SSL/TLS could not be negotiated (the WebMarshal HTTPS rule condition Where SSL/TLS could not be negotiated). You may need to create a rule to explicitly allow this condition with no inspection.

Notes:

If you upgraded from WebMarshal 6.0 to 6.1 or above, in some cases you may find additional connections are unexpectedly blocked. For details, see Trustwave Knowledgebase article Q12083.