Controlling Skype using App-ID


76485
Created On 09/25/18 18:55 PM - Last Modified 11/17/20 01:18 AM


Environment


  • PAN-OS 7.1 and above.
  • Palo Alto Firewall.


Resolution


What is Skype?

Skype is best known as a peer-to-peer IP telephony application developed by Niklas Zennström and Janus Friis, also founders of the file sharing application Kazaa and the newer peer-to-peer television application Joost. Skype complements and competes directly with existing phone services, from traditional POTS to VoIP services. Its major strengths include the ability to provide connectivity through firewalls and NAT (network address translation), support for a large number of active users, and privacy protection via the use of strong encryption. Moreover, it supports integrated instant messaging (IM), chat, file transfer, video conferencing, and a global directory.

Skype's underlying technology leverages a distributed peer-to-peer architecture to route multimedia packets among the users as opposed to centralized servers. The peer-to-peer network offers increased connectivity and scalability, and also provides firewall traversal and dynamic routing to evade corporate firewalls. Skype is a closed-source application based on proprietary protocols, and this proprietary and evasive behavior poses a security challenge to enterprise networks, particularly given its ability to transfer files and information without visibility or control.

More about Skype can be found here - https://www.skype.com/en/about/


To allow Skype in your network, the following App-IDs have to be whitelisted on your Palo Alto Networks firewall:


  • office365-consumer-access
  • rtcp
  • rtp
  • skype
  • skype-probe
  • ssl
  • websocket
  • stun
  • web-browsing
  • windows-azure-base
  • apple-push-notifications


Create security policies under Policies > Security as illustrated in the screenshot below to allow Skype to function. The rules shown below were configured in a lab environment only to demonstrate the App-IDs needed for the Skype application. In practice, configure the rules to be more specific: replace the any/any rule with the correct zones, users, and source and destination networks that match your network, in addition to adding the App-IDs.


[Screenshot: Policies > Security rules allowing the Skype App-IDs (lab example)]


Skype For Business:

At a minimum, the following App-IDs have to be whitelisted for Skype For Business to function properly.


  • ms-lync-base (matches the core functionality of the application)
  • ms-lync-online
  • rtcp
  • stun (for media negotiation)
  • rtp (for media streaming)
  • ms-office365-base (core functionality of O365 applications)
  • ssl
  • web-browsing
  • ms-lync-audio and ms-lync-video


[Screenshot: Policies > Security rules allowing the Skype For Business App-IDs (lab example)]
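To check an existing rulebase against the two App-ID lists above, and to spot the any/any lab-style rules that should be tightened, the following added example (not part of this article or of PAN-OS) parses a constructed rulebase fragment in the layout of the PAN-OS configuration XML (`<rules><entry name=...>` with `<from>`, `<to>`, `<source>`, `<destination>`, `<application>` member lists). The sample rulebase is constructed for illustration, and the shorthand "ms-lync-audio/video" is assumed to mean the two App-IDs ms-lync-audio and ms-lync-video.

```python
import xml.etree.ElementTree as ET

# App-IDs listed in the article for consumer Skype and for Skype For Business.
SKYPE_APPS = {"office365-consumer-access", "rtcp", "rtp", "skype", "skype-probe",
              "ssl", "websocket", "stun", "web-browsing", "windows-azure-base",
              "apple-push-notifications"}
SFB_APPS = {"ms-lync-base", "ms-lync-online", "rtcp", "stun", "rtp", "ms-office365-base",
            "ssl", "web-browsing", "ms-lync-audio", "ms-lync-video"}  # audio/video assumed split

# Constructed sample in the layout of the PAN-OS security rulebase XML; not a real firewall config.
SAMPLE_RULEBASE = """<rules>
  <entry name="Allow-Skype">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>10.0.0.0/8</member></source><destination><member>any</member></destination>
    <application><member>skype</member><member>skype-probe</member><member>rtp</member>
      <member>rtcp</member><member>stun</member><member>ssl</member><member>web-browsing</member>
      <member>websocket</member><member>office365-consumer-access</member>
      <member>windows-azure-base</member></application>
    <service><member>application-default</member></service><action>allow</action>
  </entry>
  <entry name="Lab-Any-Any">
    <from><member>any</member></from><to><member>any</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>ms-lync-base</member></application>
    <service><member>any</member></service><action>allow</action>
  </entry>
</rules>"""

def _members(entry, tag):
    return {m.text.strip() for m in entry.findall(f"{tag}/member")}

def parse_rules(xml_text):
    """Return one dict per rule entry with its match fields as sets of members."""
    rules = []
    for e in ET.fromstring(xml_text).findall("entry"):
        fields = {t: _members(e, t) for t in ("from", "to", "source", "destination", "application")}
        rules.append({"name": e.get("name"), "action": e.findtext("action"), **fields})
    return rules

def missing_apps(rules, required):
    """App-IDs from `required` that no allow rule permits (an 'any' application rule permits all)."""
    allowed = set().union(*(r["application"] for r in rules if r["action"] == "allow"))
    return set() if "any" in allowed else required - allowed

def broad_rules(rules):
    """Names of allow rules whose zones, source and destination are all 'any' (lab-style rules)."""
    return [r["name"] for r in rules if r["action"] == "allow"
            and all(r[t] == {"any"} for t in ("from", "to", "source", "destination"))]

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULEBASE)
    print("Skype App-IDs not allowed:", sorted(missing_apps(rules, SKYPE_APPS)))
    print("Skype For Business App-IDs not allowed:", sorted(missing_apps(rules, SFB_APPS)))
    print("any/any rules to tighten:", broad_rules(rules))
```

On a real device the same `<rules>` element can be pulled from the running configuration with the XML API and fed to `parse_rules` unchanged.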


Some of the standalone clients use pinned certificates, so Skype For Business should also be excluded from decryption. This can be done in the GUI under Device > Certificate Management > SSL Decryption Exclusion by adding "*.online.lync.com" and "*.infra.lync.com" to the exclusion list.

SSL Decryption Exclusion




    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRbCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail