SSL Inspection - Exception for Application Lync/Skype/Teams

(Patrick) #1

Hello,

Recently we have enabled SSL Inspection in our organization, and today I got a lot of complaints about Skype for Business meetings not working with external companies that are not using Office 365. I have troubleshot this, and it seems the Skype for Business client can’t correctly use the Zscaler Intermediate SSL certificate within the connection. I have added the addresses of the external companies’ Skype instances to the SSL Inspection exception list and now it works. I have seen the option to except certain applications from SSL Inspection and have activated the categories Collaboration and Online Meetings and Common Office 365 applications, but neither matches connections from the Skype for Business client. It is possible to add Skype as an application to the available application exception inside SSL Inspection (Policy => SSL Inspection => Do Not Inspect these Applications).

Best Regards,
Patrick

(Scott Bullock) #2

Hi Patrick,
The best practice of joint Zscaler / Skype customers is to enable the Office 365 One Click, details for this config, how to set it and how it works, can be located here —> https://help.zscaler.com/zia/about-microsoft-one-click-options

Cheers,
Scott-

(Patrick) #3

Hi Scott,

Thanks for your reply. We don’t have any issues with Skype hosted on Office 365, but with on-premises Skype installations from our partners. I don’t think the Office 365 One Click can help here, and we already have it enabled, because we’re using Office 365 but not all of our partners.

Best Regards,
Patrick

(Scott Bullock) #4

Hi Patrick,
It’s true there’d be no impact for O365 one-click when running on-prem Skype, however, external 3rd parties could certainly be running that O365 hosted Skype, so one-click should definitely be enabled to ensure those SSL pinned flows are handled correctly.

Do you also allow Skype in the Advanced section of URL Policies? This would capture Skype cloud. Also, I believe 3rd party Skype on-premise gateways shouldn’t be affected, as the certs can’t be pinned due to sass gateways not being O365 domains.

In terms of your ask, “It is possible to add Skype as an application to the available application exception inside SSL Inspection”, are you thinking from a client or server application perspective?

Cheers,
Scott-

(Patrick) #5

Hi Scott,

Yes, we allow Skype in the Advanced section of URL Policies.

The goal is to except all Skype communications from SSL Inspection to ensure we can communicate with on-prem instances of Skype with our partners without manually adding their domain names to the SSL Inspection exception list.

Best Regards,
Patrick

(Matt Barker) #6

We have the exact same issue in our environment. Adding the address of the external company’s Skype instance to the SSL inspection exception list allows the meeting to connect, but we can’t do this for every external company. There must be a better way.

Matt