-
Products
-
SonicPlatform
SonicPlatform is the cybersecurity platform purpose-built for MSPs, making managing complex security environments among multiple tenants easy and streamlined.
Discover More
-
-
Solutions
-
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn MoreFederalProtect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn More - Industries
- Use Cases
-
-
Partners
-
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
Learn MorePartner PortalAccess to deal registration, MDF, sales and marketing tools, training and more
Learn More - SonicWall Partners
- Partner Resources
-
-
Support
-
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn MoreSupport PortalFind answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn More - Support
- Resources
- Capture Labs
-
- Company
- Contact Us
Skype service blocked for Geo-IP, despite excluding *.skype.com from Geo-IP filter
03/26/2020 
57 People found this article helpful
484,235 Views
Description
Skype service blocked for Geo-IP, despite excluding *.skype.com from Geo-IP filter
Resolution
Issue:
Skype service is blocked for Geo-IP, despite excluding *.skype.com from Geo-IP filter
Description:
When attempting to connect to Skype Services using the Skype Client, the attempt to login eventually times out. A packet capture shows dropped SYN packets to foreign IP addresses dropped for the Geo-IP filter.
When checking the Address objects, *.skype.com does not show resolution for the public IP address being dropped.
When using the SonicWall's Reverse Name Lookup to determine the Domain Name for the IP address trying to be communicated with, private servers fail, and qualified public servers return a name error.
Explanation:
These IP addresses are being dropped by the firewall because the Skype Service does NOT have a domain associated with the IP addresses used to connect to the skype servers. A DNS lookup for the IP address to a public DNS server will return a message that there is no domain association with the IP address.
This means that even though the Skype service redirects the user to this IP, the IP is not actually associated with the *.skype.com domain, so simply excluding *.skype.com will not allow this traffic to be excluded. Therefore, public IP addresses to be excluded from the Geo-IP filter for the Skype service must be excluded MANUALLY, whether by range, network, or individual host IP addresses, because Skype has not chosen to associate these IPs with any domain, and therefore an FQDN cannot be used.
No workarounds in the SonicWall are possible other than to:
A.) Disable Geo-IP Filtering
B.) Add individual IP addresses / ranges / networks to the Geo-IP exclusion group object, rather than attempting to rely on an FQDN object, (these must be obtained from Skype or else determined in some other manner).
Alternative: Resolve these IPs / Networks / Ranges to skype.com on local DNS server. Ensure Log > Name Resolution points to local DNS server.
C.) Exclude the machines that need skype from the Geo-IP service for all destinations.
C an be done when using Geo-IP filtering based on firewall access rules by creating a rule to allow HTTP/HTTPS for a source of the appropriate local machines to all destination IP addresses that does not enforce Geo-IP service
Related Articles
- How to Block Google QUIC Protocol on SonicOSX 7.0?
- How to block certain Keywords on SonicOSX 7.0?
- How internal Interfaces can obtain Global IPv6 Addresses using DHCPv6 Prefix Delegation
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO