Cisco Web Security Appliance S360 Troubleshooting Guide

How does the Cisco Web Security Appliance (WSA) handle Skype Traffic?
Document ID: 118094
Contributed by Vladimir Sousa and Siddharth Rajpathak, Cisco TAC Engineers.
Jul 29, 2014
Question:
How does the Cisco Web Security Appliance (WSA) handle Skype Traffic?
Environment: Cisco WSA, Skype
Skype is a proprietary Internet telephony (VoIP) network. Skype primarily operates as a peer-to-peer program, thus it does not directly communicate with a central server to operate. Skype can be particularly difficult to block, as it will attempt to connect in many different ways.
Skype connects in the following order of preference:
1. Direct UDP packets to other peers using random port numbers
2. Direct TCP packets to other peers using random port numbers
3. Direct TCP packets to other peers using port 80 and/or port 443
4. Tunneled packets via a web proxy using an HTTP CONNECT to port 443
When deployed in an explicit proxy environment, methods 1-3 will never be sent to the Cisco WSA. In order to block Skype, it must first be blocked from another location in the network. Skype steps 1-3 can be blocked using:
• Firewall: Use NBAR to block Skype version 1. More information is available at http://ciscotips.wordpress.com/2006/06/07/how−to−block−skype/
• Cisco IPS (ASA): The Cisco ASA can potentially detect and block Skype via signatures.
When Skype falls back to using an explicit proxy, Skype deliberately provides no client details in the HTTP CONNECT request (no User-Agent string either). This makes it difficult to differentiate between Skype and a valid CONNECT request. Skype will always connect to port 443 and the destination address is always an IP address.
Example:
CONNECT 10.129.88.111:443 HTTP/1.0
Proxy-Connection: keep-alive
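As an added illustration (not part of the original Cisco document), the following Python script applies the three traits the text names to raw proxy request text: CONNECT method, IP-literal destination, port 443, and no User-Agent header. The two sample requests are constructed; the first copies the shape of the CONNECT above, the second is a typical browser CONNECT for comparison.

```python
import ipaddress

# Constructed sample requests (not captured from a real WSA).
SKYPE_LIKE = (
    "CONNECT 10.129.88.111:443 HTTP/1.0\r\n"
    "Proxy-Connection: keep-alive\r\n"
    "\r\n"
)
BROWSER_LIKE = (
    "CONNECT www.example.com:443 HTTP/1.1\r\n"
    "Host: www.example.com:443\r\n"
    "User-Agent: Mozilla/5.0 (constructed sample)\r\n"
    "Proxy-Connection: keep-alive\r\n"
    "\r\n"
)

def parse_request(raw):
    """Return (method, target, headers) from a raw HTTP request; header names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def is_ip_literal(host):
    """True for an IPv4 or bracketed IPv6 literal, False for a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def matches_skype_fallback(raw):
    """True when a request shows every trait the guide lists for Skype's proxy fallback:
    CONNECT method, IP-literal destination, port 443, and no User-Agent header."""
    method, target, headers = parse_request(raw)
    if method != "CONNECT":
        return False
    host, _, port = target.rpartition(":")
    return port == "443" and is_ip_literal(host) and "user-agent" not in headers
```

Because the text notes that these requests are hard to tell apart from legitimate CONNECTs, treat a match as a triage signal for the access log rather than a block rule on its own.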