Synopsis: Cannot connect to Skype through CensorNet
The root causes of the problems with Skype come down to how the Skype client works: it ignores proxy settings if it can bypass them, it uses peer-to-peer networking over the HTTPS protocol by connecting to random bare IP addresses, and it supports neither the NTLM nor the transparent Kerberos authentication type.
The main problem is the lack of support for either the NTLM or transparent Kerberos authentication methods. Normally, if a client doesn't support the authentication method, we can work around the problem by adding the URL it connects to into a filter bypass category. In the case of Skype we can't do this, because of the peer-to-peer networking it uses: there's no way to predict where it will connect to, so we don't know what address to add to the filter bypass.
The second problem is the peer-to-peer networking itself. Skype connects to bare IP addresses, which are blocked by default in CensorNet. They are blocked because CensorNet uses URL-based filtering as one of its filtering types, and with HTTP 1.1 many URLs can share a single IP address. This means CensorNet needs to block URLs, not IP addresses; connecting to an IP address directly bypasses the URL filtering and as such is blocked by default. Also, many proxy bypass sites use single static IP addresses, so allowing bare IP addresses in CensorNet will significantly reduce CensorNet's ability to protect end users. You can change this behaviour in CensorNet so that IP addresses are allowed, but because of the authentication problem this alone won't fix Skype.
The third problem is that Skype uses the HTTPS protocol. Again, HTTPS sites are blocked by default. The reason is that the sites are encrypted, so CensorNet is unable to filter on the content (the real-time raters). In order to filter on content, CensorNet needs to decrypt, filter and re-encrypt the SSL stream, which in turn invalidates the site certificate and causes the browser to throw errors. Again, you can get around this by enabling SSL intercept mode, but Skype still won't work because of the IP address block and the authentication issues.
In brief, Skype is a nightmare to unblock.
The only way to do it is to create a new workstation group for the machines using Skype and set authentication to "No", then schedule a policy to this workstation group. Next, go to System -> Configuration -> IP Blocking method and allow IP addresses. This is a blanket setting and will affect all your users and workstations. Then go to System -> Configuration -> SSL Intercept mode and enable SSL filtering. This means you'll need to install the CensorNet certificate in all the client browsers (see here for instructions).
Skype will now work, but the protection CensorNet gives you will be reduced for all your users.
We sincerely hope that in the future Skype will update their software to support corporate authentication types. There's not much we at CensorNet can do if a client (such as Skype) doesn't support these authentication types.
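To make the trade-off concrete, here is an added toy model of the three checks described above (filter bypass, proxy authentication, bare-IP blocking and SSL intercept). It is illustration code written for this page, not CensorNet's own code; the group name "skype-machines" and the sample addresses are constructed.

```python
from dataclasses import dataclass, field
import ipaddress

PROXY_AUTH = {"ntlm", "kerberos"}  # auth types the proxy can do transparently

@dataclass
class ProxyConfig:
    block_bare_ip: bool = True          # System -> Configuration -> IP Blocking method
    ssl_intercept: bool = False         # System -> Configuration -> SSL Intercept mode
    bypass_urls: set = field(default_factory=set)     # filter bypass category
    no_auth_groups: set = field(default_factory=set)  # groups with authentication "No"

@dataclass
class Request:
    host: str
    scheme: str
    client_auth: set   # auth types the client implements (Skype: none)
    group: str         # workstation group of the source machine

def is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def decide(cfg: ProxyConfig, req: Request) -> tuple:
    """Return (verdict, reason), applying the checks in the order the page describes."""
    if req.host in cfg.bypass_urls:
        return ("allow", "filter-bypass")   # only possible for predictable hosts
    if req.group not in cfg.no_auth_groups and not (req.client_auth & PROXY_AUTH):
        return ("block", "authentication")
    if cfg.block_bare_ip and is_bare_ip(req.host):
        return ("block", "bare-ip")
    if req.scheme == "https" and not cfg.ssl_intercept:
        return ("block", "https")
    return ("allow", "filtered")

def skype_workaround(cfg: ProxyConfig) -> ProxyConfig:
    """The three changes from the page: no-auth group, allow IPs, SSL intercept on."""
    return ProxyConfig(block_bare_ip=False, ssl_intercept=True,
                       bypass_urls=set(cfg.bypass_urls),
                       no_auth_groups=cfg.no_auth_groups | {"skype-machines"})

# Constructed samples: a Skype peer connection, and a staff PC reaching a bare-IP proxy bypass site
SKYPE = Request("203.0.113.7", "https", set(), "skype-machines")
STAFF_TO_BYPASS_SITE = Request("198.51.100.9", "https", {"ntlm"}, "staff")

if __name__ == "__main__":
    before, after = ProxyConfig(), skype_workaround(ProxyConfig())
    for r in (SKYPE, STAFF_TO_BYPASS_SITE):
        print(r.host, decide(before, r), "->", decide(after, r))
```

The second request shows the blanket effect: once bare IPs and SSL are allowed for Skype, a staff machine's HTTPS connection to a bare-IP bypass proxy is allowed too.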
-- TimLloyd - 12 Nov 2009