[squid-users] Skype for Business behind a transparent squid (TProxy) HTTP/S

Sameh Onaissi sameh.onaissi at solcv.com
Mon Dec 5 23:28:18 UTC 2016

Hello Eliezer, thank you for the reply.

Honestly, to get things working after several failed attempts to intercept HTTPS, I followed this guide: http://www.cyberscie.com/2015/08/installing-squid-357-as-transparent.html?showComment=1463513043421

My squid.conf is simple: http://pastebin.com/9uZ4kxW6

I have collected a few IPs that Skype for Business uses. I tried allowing them through iptables, but it did not work.

Think of the environment before printing this email.

On Dec 5, 2016, at 6:16 PM, Eliezer Croitoru <eliezer at ngtech.co.il> wrote:


The first suggestion is to find out which servers need to be in the exceptions from squid interception.
It should be a bunch of IP addresses.
The possibility of skype hosting services to hold unwanted sites or content is slight but not impossible.
You don’t need tproxy on this machine since it is masquerading in any case (just a pointer that will ease your life).

We can try to recognize together what IP addresses are required to be “bypassed” from squid interception.
And we are missing the squid.conf so we are limited to even know if your setup should work to begin with.


Eliezer Croitoru<http://ngtech.co.il/lmgtfy/>
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il

From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Sameh Onaissi
Sent: Tuesday, December 6, 2016 12:47 AM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Skype for Business behind a transparent squid (TProxy) HTTP/S

I have an Ubuntu 16.04 server with Squid 3.5.22 installed. It acts as a gateway in a LAN.
It is configured to intercept HTTP and HTTPS traffic (Transparent). So iptables redirects were used for ports 80 and 443.
The server runs two scripts:
nat.sh to bridge the two network cards, allowing LAN computers access to the internet through the server's Internet interface card.
iptables.sh which defines the ip rules and port forwarding: http://pastebin.com/SqpbmYQQ

BEFORE RUNNING iptables.sh...
When I connect a LAN computer to it, everything works as expected. Complete Internet access with some HTTP and HTTPS domains blocked/redirected to another page. Skype for Business logs in successfully.

AFTER RUNNING iptables.sh
Skype for Business disconnects and fails to reconnect; normal Skype works just fine.

I revised: https://support.office.com/en-us/article/Create-DNS-records-at-eNomCentral-for-Office-365-a6626053-a9c8-445b-81ee-eeb6672fae77?ui=en-US&rs=en-US&ad=US#bkmk_verify And added all DNS configurations on enom.
That got rid of the DNS error I was getting to another error saying service is temporarily unavailable.
Any suggestions as to why this is happening? Any solutions?
Note: both router and Ubuntu's WAN interface use Google's DNS

Any help is really appreciated as I have been trying to fix this for days!

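Eliezer's suggestion of exempting specific destination IPs from interception, sketched as an added example (it is not from the thread or from either pastebin): the script prints iptables commands that ACCEPT listed destinations in the nat table before any REDIRECT to Squid can match. The addresses are RFC 5737 placeholders, and the chain name SQUID_BYPASS and the interface eth1 are assumptions.

```shell
#!/bin/sh
# Constructed sample list: RFC 5737 documentation addresses standing in for
# the real Skype for Business endpoints, which the thread does not list.
BYPASS_LIST='
# one IPv4 address or CIDR per line
192.0.2.10
198.51.100.0/24
203.0.113.0/28
sip.example.invalid
'
LAN_IF="${LAN_IF:-eth1}"   # assumption: LAN-facing interface
CHAIN="SQUID_BYPASS"       # hypothetical chain name

# Accept only dotted-quad IPv4 with an optional /0-32 prefix length.
is_ipv4_cidr() {
    addr=${1%%/*}
    case "$1" in */*) len=${1#*/} ;; *) len=32 ;; esac
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print (not run) the rules: a chain of ACCEPT verdicts, then one jump inserted
# at the top of nat PREROUTING so it is evaluated before any REDIRECT rule.
emit_bypass_rules() {
    printf 'iptables -t nat -N %s\n' "$CHAIN"
    printf '%s\n' "$BYPASS_LIST" | while read -r entry; do
        case "$entry" in ''|'#'*) continue ;; esac
        if is_ipv4_cidr "$entry"; then
            printf 'iptables -t nat -A %s -d %s -j ACCEPT\n' "$CHAIN" "$entry"
        else
            printf 'rejected (not an IPv4 address/CIDR): %s\n' "$entry" >&2
        fi
    done
    printf 'iptables -t nat -I PREROUTING 1 -i %s -p tcp -m multiport --dports 80,443 -j %s\n' \
        "$LAN_IF" "$CHAIN"
}

emit_bypass_rules
```

An ACCEPT verdict in the nat table ends NAT processing for that connection at PREROUTING, so matching traffic is forwarded and masqueraded without ever reaching Squid; hostnames are rejected on purpose so the rule set does not depend on DNS at load time.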
