Skype connections fail through HTTPS proxy
Applies To
Products:Firebox & XTM
Operating System:11.9.4
Operating System:11.10.x
Operating System:11.9.5
Operating System:11.9.6
Operating System:11.11.x
Issue Status:Open
Status and Tracking
Tracking ID:83766
Status:Open
Resolved In:
Description
If you disable the default Outgoing policy and enable the HTTPS proxy with content inspection in your Firebox configuration, Skype connections can fail. Skype first tries to connect on a large range of high ports (for example, 40010 or 30001) and, if those are blocked, falls back to TCP port 80.
With Fireware XTM v11.9.4 and later, the HTTPS proxy rejects Skype traffic because it is not HTTPS traffic.
When your XTM device denies the Skype traffic, you may see a log message that includes:
ProxyDeny: HTTP Invalid Request-Line Format
Workaround
Use the Outgoing policy to handle Skype traffic, or create a custom proxy policy for port 443 with the TCP-UDP proxy enabled. The TCP-UDP proxy detects the non-HTTP traffic and allows the request through. Note that this also allows any other application that does not follow normal HTTPS behavior to connect on port 443, and that traffic is not subject to the HTTPS proxy's content inspection.
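The following is an added example, not WatchGuard code, that models why the HTTPS proxy logs the deny above and why the TCP-UDP proxy lets the same connection through. It classifies the first bytes of a TCP stream as a TLS ClientHello, an HTTP request line, or something else, then applies two simplified policy functions (https_proxy_decision and tcp_udp_proxy_decision, both assumptions that mirror the behavior this article describes rather than the Firebox implementation). The sample payloads are constructed, not captured traffic.

```python
"""Model of HTTPS-proxy vs TCP-UDP-proxy handling of non-HTTPS traffic on port 443.

Added example; not WatchGuard code. The classification rules and the two
policy functions are simplified assumptions that follow the article's
description, not the Firebox implementation.
"""
import re

# HTTP request-line per RFC 7230: method SP request-target SP HTTP-version CRLF
REQUEST_LINE = re.compile(rb"^[A-Z]+ [^ \r\n]+ HTTP/[0-9]\.[0-9]\r?\n")

# Constructed sample payloads (opening bytes of a client connection).
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + bytes(range(32))
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
HTTP_09 = b"GET /index.html\r\n"  # no HTTP-version field: invalid request line
SKYPE_LIKE = b"\x8e\x42\x1b\x07\xd9\x31\x5c\xaa\x07\x19\xef\x20"  # opaque, non-HTTP


def classify(first_bytes: bytes) -> str:
    """Return 'tls', 'http' or 'other' for the opening bytes of a TCP stream."""
    # TLS record: content type 0x16 (handshake), version 3.x, then handshake
    # type 0x01 (ClientHello) after the 2-byte record length.
    if (
        len(first_bytes) >= 6
        and first_bytes[0] == 0x16
        and first_bytes[1] == 0x03
        and first_bytes[2] <= 0x03
        and first_bytes[5] == 0x01
    ):
        return "tls"
    if REQUEST_LINE.match(first_bytes):
        return "http"
    return "other"


def https_proxy_decision(first_bytes: bytes) -> tuple:
    """Assumed HTTPS-proxy behavior: TLS is inspected, plain HTTP is checked
    against HTTP proxy rules, anything else fails the request-line check."""
    kind = classify(first_bytes)
    if kind == "tls":
        return ("allow", "TLS handshake; content inspection applies")
    if kind == "http":
        return ("allow", "HTTP request line accepted by HTTP proxy rules")
    # The deny reason is the log message quoted in the article.
    return ("deny", "ProxyDeny: HTTP Invalid Request-Line Format")


def tcp_udp_proxy_decision(first_bytes: bytes) -> tuple:
    """Assumed TCP-UDP-proxy behavior: recognized protocols go to their proxy,
    unrecognized traffic is passed through without content inspection."""
    kind = classify(first_bytes)
    if kind in ("tls", "http"):
        return ("allow", f"{kind} traffic handed to the matching proxy rules")
    return ("allow", "non-HTTP traffic passed through without inspection")


def compare_policies(samples: dict) -> dict:
    """Run every sample through both policies; returns {name: (kind, https, tcpudp)}."""
    return {
        name: (classify(data), https_proxy_decision(data)[0], tcp_udp_proxy_decision(data)[0])
        for name, data in samples.items()
    }


if __name__ == "__main__":
    samples = {
        "tls_client_hello": TLS_CLIENT_HELLO,
        "http_get": HTTP_GET,
        "http_0.9": HTTP_09,
        "skype_like": SKYPE_LIKE,
    }
    for name, (kind, https, tcpudp) in compare_policies(samples).items():
        print(f"{name:18} kind={kind:6} HTTPS-proxy={https:6} TCP-UDP-proxy={tcpudp}")
```

The comparison makes the trade-off in the workaround concrete: the TCP-UDP proxy allows the Skype-like stream, but it allows the malformed HTTP/0.9 request and any other opaque protocol on port 443 the same way, with no content inspection.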