Re: Odp: Re: [squid-users] Skype through SQUID integrated with AD

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 27 Sep 2013 02:04:05 +1200

On 26/09/2013 7:35 a.m., kazio wolny wrote:
> Dnia Środa, 25 Września 2013 16:17 Amos Jeffries <squid3_at_treenet.co.nz> napisał(a)
>> On 26/09/2013 12:58 a.m., kazio wolny wrote:
>>> Hello,
>>>
>>> I get tired of the topic already two days and I have no power, so please help ...
>>>
>>> I did install squid3 (v3.1.19) integrated with AD (according http://wiki.bitbinary.com/index.php/Active_Directory_Integrated_Squid_Proxy). Allowing only users who belong to the Admin-Internet. Everything is ok for browsers and Kerberos, NTLM, LDAP even.
>>> Only I have a problem with Skype - in access.log I see:
>>> 1380113279.753 0 10.22.88.22 TCP_DENIED/407 3811 CONNECT 157.56.123.82:443 - NONE / - text / html;
>>> 1380113279.794 0 10.22.88.22 TCP_DENIED/407 3866 CONNECT 157.56.123.82:443 - NONE / - text / html;
>>> 1 1380113281.723 3766 10.22.15.104 TCP_DENIED/407 CONNECT 91.190.216.54:443 - NONE / - text / html;
>>> I tried to correct it as http://wiki.squid-cache.org/ConfigExamples/Chat/Skype and other variations, but nothing helps.
>> Well... if Skype did support authentication you would still see these
>> log lines as part of the normal authentication challenge process. That
>> goes for all authentication types, NTLM is somewhat special in that it
>> always shows up with two 407 in a row like the *.22 client lines above.
>>
>> This may help you:
>> https://support.skype.com/en/faq/FA1017/can-i-connect-to-skype-through-a-proxy-server
>>
>> My experience is that Skype has supported proxies and authentication
>> nicely enough in all releases for the last ~2 years not to need any
>> special consideration in the proxy config.
>>
>> Amost
> Thanks, but why Skype doesn't connect to servers?

Skype is a P2P software. AFAIK these are not CONNECT to servers
specifically, but are CONNECT to other people running Skype - which just
happens to include the MS servers setup to relay packets. The requests
to servers managing the Skype "phonebook" lookup requests may be one of
these but usually a different HTTP transaction entirely.

> In skype I have this settings like in your link: use port 80,443; https proxy, address and port (10.22.94.130:8080). I was trying with and without enabling proxy auth.. Always the same...
> When I disable auth on squid, then Skype works great, so I'm thinking, that this is a problem, but I can't solve it.. :-(
>
> Kazio

Strange. From what I could see of your config there should be no
problem. Are you certain that these 407 are being sent by your proxy and
not by another? are there any successful CONNECT from Skype happening
amidst the 407's (auth schemes normally require one 407 denial to
request credentials then the next has them and gets through).

Can you try this with a newer version of Squid at all? there are
HTTP/1.1 behaviour differences around keep-alive and authentication on
CONNECT which have been done in 3.2/3.3 series to "fix" HTTP/1.0
problems sometimes seen in the 3.1 and older releases. Those were about
2 years ago so my experience with Skype may be a bit warped by my
networks dog-fooding Squid.

Amos
Received on Thu Sep 26 2013 - 14:04:16 MDT

This archive was generated by hypermail 2.2.0 : Thu Sep 26 2013 - 12:00:04 MDT