
Greetings, Habr readers! This article explains how to beat this damned Skype into working with Squid, though the approach applies to any HTTP(S) proxy. We will use the latest Skype, 7.40 at the time of writing, with the emphasis on the fact that the next update should not break anything, and if it does, it should only take a small adjustment rather than a version rollback. I will say up front that the described method is essentially a hack: the current Skype does not know how to work with Squid, or at least I could not make it, and I found no solution on the Internet that worked for me. Now, everything in order.
tl;dr: enable QoS via GPO on the clients for the Skype.exe and SkypeBrowserHost.exe processes, tell iptables to let through traffic marked with that ToS, and tell Squid to let everyone through to apps.skypeassets.com and mscrl.microsoft.com.
So, my setup: all clients on Win7 x64, AD DS 2008 R2, Skype 7.40 x32, Squid 2.7, proxy settings delivered to IE via GPO. First, let me tell you why I need this damned Skype at all. Somewhere between half a year and a year ago Skype version 6 stopped working, the update to 7.x did not help, so, fine, I moved users to the web version. Yes, it is buggy, but plain text works fine there, and voice/video can be done on a personal smartphone if needed. Not long ago there was a need to hold and record interviews over Skype, and users started pestering me. I had to hand out a laptop with Wi-Fi and start digging. It turned out that "it" (i.e. Skype, to use a euphemism) does not work anywhere there is a proxy, and it wants NAT as well. Naturally that is nonsense, everything is configured, I figured that out immediately and decided to raise the topic again. I deploy the latest, 7.40, hoping (what the hell, worth a try), launch Skype, and again see that damned face with QDPV. A long enough war with Squid and Google led me to an interesting comment in which the author suggests using QoS. The idea is definitely good, only it did not work for me out of the box and needed finishing. The result is the procedure below.
Enable QoS for clients
Mark Skype packets. Open Group Policy and go to Computer Configuration -> Policies -> Windows Settings -> Policy-based QoS. You need a couple of rules, for the Skype.exe and SkypeBrowserHost.exe processes. I think everything is clear from the screenshot below.

I picked DSCP 36 more or less arbitrarily: fairly high, but not excessive, since our goal is not to prioritize Skype traffic as much as possible but to mark it. Next, run gpupdate on the client or reboot. You can check that the settings applied as follows:
gpresult.exe /H d:\gpresult.html
In the resulting report, look for the mention of QoS.
Tell iptables to let the marked traffic through
GP specifies DSCP, while iptables operates on ToS. You can read more about QoS here. In a nutshell, the two values differ by exactly a factor of 4: DSCP occupies the upper six bits of the ToS byte, so to get the ToS value multiply DSCP by 4 and you get 144. The rule allowing transit of traffic with ToS 144 from your subnet will look like this on any gateway:
iptables -I FORWARD 2 -s localnet/24 -m tos --tos 144 -j ACCEPT
iptables will display the ToS as 0x90, i.e. in hex. Pick a victim for the test and try to sign in to Skype. On the gateway you can see what arrives from the client, for example with tcpdump:
tcpdump -i eth0 -v host 192.168.0.71
and get something like:
00:00:00.000001 IP (tos 0x90, ttl 128, id 13954, offset 0, flags [none], proto UDP (17), length 62)
192.168.0.71.20344 > 65.55.223.43.40012: UDP, length 34
tos 0x90 is what we need: the packet with the desired mark arrived from the client. But Skype still does not work.
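The DSCP-to-ToS arithmetic and the tcpdump check above, put into a small script so the marking can be verified without doing the hex conversion by hand. This is an added example, not part of the original article; the subnet and the tcpdump lines are constructed sample values.

```sh
#!/bin/sh
# Added example (not from the original article): derive the ToS byte that
# iptables must match from the DSCP value set in the Windows QoS policy,
# and check a tcpdump -v line to confirm the marking survived to the gateway.

# DSCP occupies the upper 6 bits of the ToS byte, so ToS = DSCP << 2 (DSCP * 4).
dscp_to_tos() {
    echo $(( $1 << 2 ))
}

# Same value in the 0x.. form that iptables -L and tcpdump print.
dscp_to_tos_hex() {
    printf '0x%02x\n' "$(( $1 << 2 ))"
}

# Build the FORWARD rule from the article for a given subnet and DSCP.
# The subnet argument is a placeholder; substitute the real client network.
forward_rule() {
    echo "iptables -I FORWARD 2 -s $1 -m tos --tos $(dscp_to_tos_hex "$2") -j ACCEPT"
}

# Inspect one tcpdump -v header line and report whether its tos field equals
# the expected DSCP marking. Prints "marked" or "unmarked".
check_tcpdump_line() {
    line=$1
    dscp=$2
    # pull the 0x.. value out of "IP (tos 0x90, ttl ..."
    seen=$(printf '%s\n' "$line" | sed -n 's/.*(tos \(0x[0-9a-fA-F]*\),.*/\1/p')
    # compare both sides as decimal integers
    if [ -n "$seen" ] && [ "$(printf '%d' "$seen")" -eq "$(( dscp << 2 ))" ]; then
        echo marked
    else
        echo unmarked
    fi
}

# Constructed sample lines modelled on the article's tcpdump output:
# one packet carrying DSCP 36 (tos 0x90), one with no marking at all.
SAMPLE_MARKED='00:00:00.000001 IP (tos 0x90, ttl 128, id 13954, offset 0, flags [none], proto UDP (17), length 62)'
SAMPLE_UNMARKED='00:00:00.000002 IP (tos 0x0, ttl 128, id 13955, offset 0, flags [none], proto UDP (17), length 62)'
```

Feed real tcpdump output into check_tcpdump_line one header line at a time; an "unmarked" result for a client that should be marked means the GPO did not apply, not that the iptables rule is wrong.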
Allow a couple of sites for everyone
The trick is that Skype reads the IE settings, and there is no way to disable proxy use in this wonderful messenger (rays of kindness to whoever invented that). And, as stated in the setup above, our proxy settings reach IE via GPO. In short, we add to Squid a rule allowing everyone access to the sites apps.skypeassets.com and mscrl.microsoft.com. Otherwise I got TCP_DENIED/407 and Skype did not connect. Something like this:
#Options for Skype
acl for_skype dstdomain apps.skypeassets.com mscrl.microsoft.com
http_access allow for_skype
Do not forget to reload Squid.
Do not try to cheat by adding the mentioned addresses to the IE GPO setting "Do not use proxy server for addresses beginning with:". A bunch of MS services fall off, web Skype first of all.
Again we test on the victim and get what was required: Skype connects, it works, you can write and call. Hooray, damn it :)
By the way, you may notice there is room to play with the Squid rules to somehow allow at least the connection to Skype, but that is not our method: a failed call at the key moment is critical for us.
Postscript: how to deploy Skype via WSUS
I do not know what MS was thinking, but Skype is not updated via WSUS: you can install it from scratch only once, or update the version from the exe. Moreover, it is not only that it is not updated regularly; even through LUP/WPP the msi version does not arrive. Yes, I know that all Skype versions have the same Product ID, but in the end I killed several hours trying to conjure with the rules. As a result I looked in the online update catalog and found only (WAT!?) the business version, and realized this is a feature: Skype is built as an msi but not even distributed, and the possibility of automatic deployment is removed altogether. Yes, I suppose it was possible to take Orca and conjure, but doing some transformations every time the version updates... Perhaps it is only me it does not work for, but in short, I took the classic version as an exe from www.skype.com/ru/get-skype and deployed it through LUP. Details here.
That is all; I hope the article was helpful. I await your questions and additions.