Skype with Zscaler


(Rajeev Srikant) #1

Would like to know the standard practice for using Skype for business with ZScaler.
Does Zscaler supports SFB ?
If we use Zscaler as proxy service & if we use Skype under Zsclaer proxy will it work ?
Or it is recommended to bypass Zscaler for Skype traffic ?

(Rajeev Srikant) #2

Any help regarding this…

(Rajeev Srikant) #3

Any help… regarding this…

(Scott Bullock) #4

Hi Rajeev,
Zscaler fully supports O365 and we have a close working relationship with microsoft to ensure we handle their application in the best way, this includes supporting SfB / Teams. We have extensive documentation on how best to configure Zscaler and O365 to work together, see here for the root of the O365 document repository -->

Many thanks,


(Rajeev Srikant) #5

But I would like to clarify is it recommended to send Skype traffic to Zscaler.
Since it is voice traffic, should it go through Zscaler ?
What is the advantage of sending Skype traffic to Zscaler ?

(Scott Bullock) #6

We can prioritise and optimise 365/Skype (via great peering channels, as well as our wire speed TCP stack) the Skype channel as we’re inline, we are also able to provide visibility into utilisation when contrasting against other SaaS App and the general Internet traffic. Also, it’s a much simpler forwarding topology when sending all traffic via Zscaler, steering specific apps to go direct can create a complex routing environment and much overhead to maintain.

(Vincent GOUBERT) #7

Hello Scott,

I allow myself to bounce on your last answer : If I understood well, using Zscaler (Z-App w/local proxy for example) should also catch specific skype traffic ?

I do have an example in a customer environnement :

  • Usage of Z-App in Tunnel with local proxy mode
  • Internet Flow => Must reach a ZEN
  • Skype for Business : conference mode not working.

The only way to make it work was to open IP ranges of all MS SfB IPs using 3478 to 3481 UDP Ports (84 IPs/Ranges).

Thanks in advance,

(Scott Bullock) #8

Hi Vincent,
It sounds like the Skype client is not honouring the Proxy settings. I’ve heard of this in the past, but not recently. It’s possibly a regression in Skype.

Further, I guess this is an on-premise situation? It’s for reasons like this we do also recommend a network tunnel be installed as a best-practice, said tunnel can take default-internet traffic for processing in Zscaler Firewall. This helps catch Apps that are not proxy aware or have broken proxy implementations. It also allows Apps like Skype to use native UDP, which is often the preferred transport (proxy-TCP is the fallback for environments that can’t support UDP transport).



(Rajeev Srikant) #9

Thanks & sorry for the delayed response.
Sorry I am not still clear what is the best practice

  1. Should skype traffic be sent to Zscaler or it is recommended to have breakout bypassing Zscaler for skype traffic.
  2. Now teams have been replacing Skype. Should we use Zscaler for teams as Skype

Normally what is the practice most of the customers do ?

(Scott Bullock) #10

Best practice is to use a combo of Zscaler App, Tunnel /w Filter Driver, and a Network Tunnel.

This will result in the highest attribution of user-to-traffic and also allow Skype (now Teams) to use its preferred UDP protocol/ports.