Skype service blocked for Geo-IP, despite excluding *.skype.com from Geo-IP filter
03/26/2020 51 12156
DESCRIPTION: Skype service blocked for Geo-IP, despite excluding *.skype.com from Geo-IP filter
Skype service is blocked for Geo-IP, despite excluding *.skype.com from Geo-IP filter
When attempting to connect to Skype Services using the Skype Client, the attempt to login eventually times out. A packet capture shows dropped SYN packets to foreign IP addresses dropped for the Geo-IP filter.
When checking the Address objects, *.skype.com does not show resolution for the public IP address being dropped.
When using the SonicWall's Reverse Name Lookup to determine the Domain Name for the IP address trying to be communicated with, private servers fail, and qualified public servers return a name error.
These IP addresses are being dropped by the firewall because the Skype Service does NOT have a domain associated with the IP addresses used to connect to the skype servers. A DNS lookup for the IP address to a public DNS server will return a message that there is no domain association with the IP address.
This means that even though the Skype service redirects the user to this IP, the IP is not actually associated with the *.skype.com domain, so simply excluding *.skype.com will not allow this traffic to be excluded. Therefore, public IP addresses to be excluded from the Geo-IP filter for the Skype service must be excluded MANUALLY, whether by range, network, or individual host IP addresses, because Skype has not chosen to associate these IPs with any domain, and therefore an FQDN cannot be used.
No workarounds in the SonicWall are possible other than to:
A.) Disable Geo-IP Filtering
B.) Add individual IP addresses / ranges / networks to the Geo-IP exclusion group object, rather than attempting to rely on an FQDN object, (these must be obtained from Skype or else determined in some other manner).
Alternative: Resolve these IPs / Networks / Ranges to skype.com on local DNS server. Ensure Log > Name Resolution points to local DNS server.
C.) Exclude the machines that need skype from the Geo-IP service for all destinations.
C an be done when using Geo-IP filtering based on firewall access rules by creating a rule to allow HTTP/HTTPS for a source of the appropriate local machines to all destination IP addresses that does not enforce Geo-IP service