How to block Skype application for some policy groups

Unanswered Question
Sep 29th, 2010

Hello,

I'm trying to block skype for some policy groups not for all users with IronPort WSA.

This WSA has also HTTS Proxy enabled. I refered also to a documentation that I found in knowledge base but without success.

The document is titled "How does the Cisco IronPort WSA handle Skype Traffic?" and answer ID is 1555

Please is there any tested solution ?

Thank you and best regards,

I have this problem too.
1 vote
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
edadios Wed, 09/29/2010 - 15:30

Hello,

Can you share the access logs of what you want to block. Try to get client to do skype, and collect the information per http://tinyurl.com/6ekeec

Grep for the client ip address. And will see what we can try to do with the traffic you get for your skype.

Thanks,

Eric

isaqellari Wed, 09/29/2010 - 23:05

Hello Eric,

Thank you for your reply first.

Attached you can find some logs caught from the Ironport. Real usernames, domains etc have been replaced with general words.

In fact when I greped the access logs I used the username not the IP address of the client.

I'm going to attach also the logs using the IP address to grep..., meantime have a look to these logs if they can help you..

What we would like to do is to block Skype in our company for some groups of users and not to block for some other. Is it possible ?

The groups of users are Active Directory groups and policy groups used in Ironport are based on these AD groups.

Regards,

Attachment: 
isaqellari Wed, 09/29/2010 - 23:12

Hello Eric,

I just wanted to ask also, if this way is not possible is there any other way in order not to block all the users from using skype, but some of them.

Maybe is it possible based on their IP addresses ?

Regards,

edadios Tue, 10/05/2010 - 23:12

Hello,

Sorry for the delay in response.

I am not sure about the logs you provided. It will suggest the customer url you will configure will use url   pagename.al

If you have further logs by ip address, maybe that will help.

Wether by ip address or username, it seems that the way to block will require defining custom url configuration to block. It should be like, the kb article you mentioned, though I have not used skype myself to test.

Maybe it is best to log a ticket so we can have an engineer look over what you have configured and check what it is like when your skype client tries to make a connection through webex collaboration.

Regards,

Eric

isaqellari Wed, 10/06/2010 - 01:03

Hello Eric,

Sorry, for not updating the post recently. I resolved the issue.

I created a custom url category, created a decryption policy and put the action "Decrypt" for this custom url category as mentioned in the kb article.

I put the action Decrypt also for the uncategorized urls and tested it for a user standing only in one AD group. It worked. The skype traffic was blocked.

It worked also when I excluded this custom url category from this decryption policy and put only the "Decrypt" action for uncategorized urls.

Thank you for all your support Eric,

Have a great day

Ilir

gohkingsoa Sun, 10/16/2011 - 18:47

Hi isagellari,

Please direct me to the kb article you mentioned ie. "How does the Cisco IronPort WSA handle Skype traffic?". I can't locate the kb article.

Thanks.

alexdelangel Mon, 08/11/2014 - 10:20

Hello friends,

Please allow me to resurect this old post. So, you mean that we have to create a decryption policy instead an Access Policy??? I have already performd your instructions, but it is not working. Could you please help me? any idea?

Regards!

Actions

This Discussion