[squid-users] Skype for Business behind a transparent squid (TProxy) HTTP/S
Pieter De Wit
pieter at insync.za.net
Tue Dec 6 17:32:03 UTC 2016
If that is the edge server then it will be the audio/video
> On 6/12/2016, at 12:35, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
>> On 6/12/2016 11:46 a.m., Sameh Onaissi wrote:
>>
>> I have a Ubuntu 16.04 server with Squid 3.5.22 installed. It acts as a gateway in a LAN.
>>
>> It is configured to intercept HTTP and HTTPS traffic (Transparent). So iptables redirects were used for ports 80 and 443.
>> The server runs two scripts:
>> nat.sh to bridge the two network cards, allowing LAN computers access to the internet through the server's Internet interface card.
>> iptables.sh which defines the ip rules and port forwarding: http://pastebin.com/SqpbmYQQ
>>
>> BEFORE RUNNING iptables.sh...
>>
>> When I connect a LAN computer to it, everything works as expected. Complete Internet access with some HTTP and HTTPS domains blocked/redirected to another page. Skype for Business logs in successfully.
>>
>> AFTER RUNNING iptables.sh
>> Skype for Business disconnects and fails to reconnect; normal Skype works just fine.
>>
>>
>> I revised: https://support.office.com/en-us/article/Create-DNS-records-at-eNomCentral-for-Office-365-a6626053-a9c8-445b-81ee-eeb6672fae77?ui=en-US&rs=en-US&ad=US#bkmk_verify And added all DNS configurations on enom.
>>
>> That got rid of the DNS error I was getting, replacing it with another error saying the service is temporarily unavailable.
>>
>> Any suggestions as to why this is happening? Any solutions?
>
> Skype is sending something that is not HTTPS over port 443. The on_unsupported_protocol feature in Squid-4 is needed to tunnel Skype traffic when intercepting port 443.
>
>>
>> *Note:* both router and Ubuntu's WAN interface use Google's 8.8.8.8 DNS
>>
>
> I hope that means the border router is providing DNS recursive lookup with 8.8.8.8 as the parent, with LAN devices using that border router as their DNS server. That will minimize the damage Google is causing, but not avoid it completely. If not, you should make it so, or at least place another shared resolver somewhere to do the necessary DNS caching.
>
>
> Amos
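The condition described in the quoted reply (port-443 traffic that is not HTTPS) can be confirmed from the first bytes a client sends on a captured flow. This Python check is an added example, not part of the thread and not Squid's own parser; the function names, flow ids and sample payloads are constructed for illustration.

```python
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type "handshake"
CLIENT_HELLO = 0x01       # handshake message type "client_hello"
MAX_PLAINTEXT = 2 ** 14   # maximum TLS plaintext record length
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT"}


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sent on a port-443 connection."""
    if len(data) < 6:
        return "incomplete"  # need the 5-byte record header plus one byte
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if (ctype == TLS_HANDSHAKE and major == 3 and minor <= 4
            and 0 < length <= MAX_PLAINTEXT and data[5] == CLIENT_HELLO):
        return "tls-client-hello"
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "plain-http"
    # Neither TLS nor HTTP: an approximation of what an intercepting
    # proxy cannot parse and would have to tunnel or reject.
    return "unknown"


def flows_needing_tunnel(flows):
    """Return the ids of flows whose opening bytes are neither TLS nor HTTP."""
    return [fid for fid, data in flows if classify_first_bytes(data) == "unknown"]


# Constructed sample payloads (not captured from any real client).
SAMPLE_CLIENT_HELLO = bytes.fromhex("160301002f0100002b0303") + bytes(41)
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_OPAQUE = b"\x00\x2a\x00\x01" + bytes(16)

SAMPLE_FLOWS = [
    ("192.0.2.10:50100", SAMPLE_CLIENT_HELLO),
    ("192.0.2.10:50101", SAMPLE_OPAQUE),
    ("192.0.2.11:50200", SAMPLE_HTTP),
]

if __name__ == "__main__":
    for fid, data in SAMPLE_FLOWS:
        print(fid, classify_first_bytes(data))
    print("flows a TLS-only interceptor cannot parse:", flows_needing_tunnel(SAMPLE_FLOWS))
```

Flows reported as "unknown" are the ones the `on_unsupported_protocol` feature mentioned in the reply is meant to handle on an intercepted port 443.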