02-16-2018 06:00 AM
Hi,
Is it possible to exclude Skype for Business application from SSL Decrypt?
A custom no-decrypt URL category is not an option because new clients with on-premises Skype instances are coming constantly.
br
Toni
02-16-2018 07:07 AM
You aren't able to exclude specific applications from SSL-Decryption. Your only option is either going to be custom URL categories or excluding the on-site server IP addresses from decryption.
02-16-2018 08:20 AM
Hello @ToniE,
We also have this issue. Our solution was to instruct the users to use the web version of the conference if the conference was hosted by a 3rd party. We then had to exclude the Lync/Skype applications from URL filtering since not everyone has DNS entries and sometimes they have just IPs.
Hope that helps.
02-17-2018 02:07 PM - edited 02-17-2018 02:12 PM
Hi @ToniE
Actually there is an option to exclude an application from TLS decryption ... ok, it is a creative workaround to achieve that goal but this solution here should work also in your case: https://live.paloaltonetworks.com/t5/Community-Blog/How-to-bypass-SSL-decryption-for-an-application/...
Instead of the application in the article, you have to use ms-lync-base and/or ms-lync-online. The first connection attempt will probably still fail, as the firewall will add the IP to that dynamic group after this attempt, but it is a solution that could save you a lot of work and complaints from customers.
Regards,
Remo
Edit: Of course only if the security policies of your company allow such a dynamic TLS decryption exclusion, because this will add the risk of not decrypting misidentified connections, and the potential risk that this configuration could be exploited to send data out of your network without decryption.
02-17-2018 02:57 PM - edited 02-17-2018 02:59 PM
Try adding those to your custom URL then add that to no decrypt. I got it working by doing this.
Andy
02-19-2018 12:26 AM
Hello Remo,
Thanks for the workaround. We have to think about the best solution.
br
Toni