Problem:

Over the past week or so I have been getting reports from users that they have started to be prompted for proxy authentication when opening Skype for Business. If they cancel the prompt Skype seems to work fine and likewise if they enter there details Skype continues on its way. Out of curiosity and to prevent our users being prompted at all a did some digging.

Skype Proxy Autentication

Solution:

Finding the Hosts / URL’s

My tool of choice for troubleshooting unwanted proxy authentication prompts is Wireshark.

  • I completed closed Skype
  • Started a capture in Wireshark
  • Reopened Skype and was greeted by the proxy authentication prompt, so I stopped the Wireshark capture.
  • I applied the display filter http.proxy_authenticate to just show me data replated to proxy authentication

Wireshark Proxy authentication

  • The display filter returned two results, on each on in turn I right-clicked and selected “Follow TCP Stream” and captured the “Host”

skype_proxy_auth_05

skyoe_proxy_auth_03    skyoe_proxy_auth_04

  • The hosts having trouble with proxy authentication in my case were go.microsoft.com and images.edge.messenger.live.com

Bypassing Proxy Authentication

My proxy server is a “Clearswift Secure Web Gateway” the way you bypass proxy authenation varies on the proxy server.

  • I alreay had a “Web Policy Route” allowing a “Machine List” contatining all IP’s (*) along with Everyone to an “Internet Zone” containing all of the Office 365 URL’s. This is how I implement proxy authentication bypass by allowing everyone and all IP’s to a list of address.
  • My “Internet Zone” for Office 365 URL’s already contained the URL’s that were having trouble with proxy authentication. I was a bit confused until I realised Clearswift adds a rule to the top of the “Policy Routes” allowing “Everyone” to a zone called “Trusted Sites”. I looked at the “Trusted Sites” zone add found my URL’s were also listed in there, and because this policy was above mine (you can’t lower clearswifts one) it was taking precidence but did not allow proxy authentication bypass.
  • So I deleted the two url’s from the “Trusted Sites” zone so the traffic would be matched by my rule.

skype_proxy_auth_09