[squid-users] Skype for Business behind a transparent squid (TProxy) HTTP/S

Amos Jeffries squid3 at treenet.co.nz
Mon Dec 5 23:35:18 UTC 2016


On 6/12/2016 11:46 a.m., Sameh Onaissi wrote:
>
> I have a Ubuntu 16.04 server with Squid 3.5.22 installed. It acts as a 
> gateway in a LAN.
>
> It is configured to intercept HTTP and HTTPS traffic (Transparent). So 
> iptables redirects were used for ports 80 and 443.
> The server runs two scripts:
> _*nat.sh*_ to bridge the two network cards, allowing LAN computers 
> access to the internet through the server's Internet interface card.
> *_iptables.sh_* which defines the ip rules and port forwarding: 
> http://pastebin.com/SqpbmYQQ
>
> BEFORE RUNNING iptables.sh...
>
> When I connect a LAN computer to it, everything works as expected. 
> Complete Internet access with some HTTP and HTTPS domains 
> blocked/redirected to another page. Skype for Business logs in 
> successfully.
>
> AFTER RUNNING iptables.sh
> Skype for Business disconnects, and fails to re-connect, normal skype 
> works just fine.
>
>
> I revised: 
> https://support.office.com/en-us/article/Create-DNS-records-at-eNomCentral-for-Office-365-a6626053-a9c8-445b-81ee-eeb6672fae77?ui=en-US&rs=en-US&ad=US#bkmk_verify and 
> added all DNS configurations on enom.
>
> That got rid of the DNS error I was getting to another error saying 
> service is temporarily unavailable.
>
> Any suggestions as to why this is happening? Any solutions?

Skype is sending something that is not HTTPS over port 443. The 
on_unsupported_protocol feature in Squid-4 is needed to tunnel Skype 
traffic when intercepting port 443.

>
> *Note:* both router and Ubuntu's WAN interface use Google's 8.8.8.8 DNS
>

I hope that means the border router is providing DNS recursive lookup 
with 8.8.8.8 as the parent, with LAN devices using that border router as 
their DNS server. That will minimize the damage Google is causing, but 
not avoid it completely. If not, you should make it so, or at least place 
another shared resolver somewhere to do the necessary DNS caching.


Amos
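An added configuration example (not from this thread, nor from the Squid project's documentation) showing how the Squid 4 `on_unsupported_protocol` directive that Amos refers to is typically wired up for intercepted port 443 traffic. The port numbers, ACL names, certificate path and helper path are assumptions for a Debian/Ubuntu-style install; the TPROXY options match the subject of the thread.

```conf
# Added example squid.conf fragment for Squid 4 (not from this thread).
# Port numbers, ACL names, certificate and helper paths are assumptions.

# Intercepted plain HTTP (the TPROXY target port for TCP/80)
http_port 3129 tproxy

# Intercepted HTTPS: SSL-Bump is required so Squid can look at the first
# bytes of the connection and decide whether they are TLS at all.
https_port 3130 tproxy ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Squid 4 certificate generator helper (path is an assumption)
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB

# Peek at the TLS ClientHello, then splice (pass through without decrypting)
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice all

# Match only connections that arrived on the intercepted HTTPS port
acl intercepted_https localport 3130

# When the bytes on an intercepted port are not a protocol Squid recognises
# (such as Skype's non-TLS traffic on 443), tunnel them unchanged to the
# original destination instead of returning an error page.
on_unsupported_protocol tunnel intercepted_https
# Everything else that is unrecognised still gets Squid's error response
on_unsupported_protocol respond all
```

The `tunnel` action forwards the bytes without any inspection, so it is effectively a bypass of the proxy for that connection; keeping the ACL scoped to the intercepted port (rather than `all`) limits the bypass to the case the thread describes, and the directive is only available in Squid 4, not the 3.5.22 the original poster is running.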

