Can we disable Skype on our LAN in the MX100?

chad
Comes here often

Can we disable Skype on our LAN in the MX100?

Hello there. I'm wondering if anyone in the community here can help. Our company is in a regulated industry, and we're required to use an approved, compliant IM chat product. But we used to use Skype, which isn't compliant, and we still have some employees who have it installed. We'd like to be able to disable Skype access on the LAN. Would we be able to disable or block Skype on the LAN in our MX100 without also disabling our approved IM product (symphony.com)? 

 

Also, we're a cloud-based company and don't have a client-server network with Windows Active Directory or Group Policies.

11 Replies 11
Mr_IT_Guy
A model citizen

Hi @chad,

If you go Security Appliance > Configure > Firewall, under Layer 7 Firewall rules you can add a policy to deny VoIP & video conferencing. From there you can select Skype on the next drop down box.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
chad
Comes here often

Hi Mr_IT_Guy, 

Thanks for replying. I saw that entry for Skype in Layer 7 and tried it. It's in place now, but it looks like the only things it blocks/denies are Skype voice and video calls. Users are still able to log into Skype and text chat normally. 

Mr_IT_Guy
A model citizen

@chad,,

Here is the link for the URLs and IP address ranges for O365 which includes Skype. Office 365 URLs and IP address ranges

If you put in blocks for the IP ranges and FQDN, you should be able to block it completely

 

 

Found this helpful? Give me some Kudos! (click on the little up-arrow below)
chad
Comes here often

Wow, that's a great resource. I failed to specify that we were using the consumer version of Skype, instead of Skype for Business, and we do also use Office 365. I'm amazed by how many FQDNs and IPs the Skype service uses. I honestly expected a handful, but I've found lists of large IP blocks and subnets with hundreds of individual IPs that have changed over time.

Uberseehandel
Kind of a big deal


@chad wrote:

Wow, that's a great resource. . . . . and we do also use Office 365. I'm amazed by how many FQDNs and IPs the Skype service uses. I honestly expected a handful, but I've found lists of large IP blocks and subnets with hundreds of individual IPs that have changed over time.


The good news is that MS publishes RSS feeds that update the IP addresses on a monthly basis. It should be pretty simple to automate updating ACLs, as RSS uses a convenient format (XML).

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
chad
Comes here often

Hi, Uberseehandel. Thank you. The only thing about the Office365 RSS feeds is that I think they cover Skype for Business, which is a totally different product from the consumer version of Skype, which is the one we need to block. They're basically completely different products on the front and back end. 

Uberseehandel
Kind of a big deal

I had a look here and found some plain vanilla Skype info as well - https://support.office.com/en-gb/article/office-365-urls-and-ip-address-ranges-8548a211-3fe7-47cb-ab... - possibly some of these are used by your version?

 

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
chad
Comes here often

Yeah but which ones?? That's the confusion. Msft's resources are all so disorganized and convoluted. I don't see a clear list of the FQDNs and IPs for Skype, which is baffling to me considering that it's a product with +70 million customers and a long history spanning more than a decade. The issue is that I'd end up trial and error-ing to ensure that I didn't also block a needed Office365 service.

Uberseehandel
Kind of a big deal

These days, I use Bria mobile and Signal, and everybody has free VoIP numbers.

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Ritchie
Getting noticed

@chad ~ you may block the skype application thru layer 7 in mx100 but this is not a 100% working since it only working on gateway  and for some reason maybe you can also raise it on meraki support so that they can update their database for layer 7 application specific for skype application since this application was updated each day. 

CBMontesclaros
Getting noticed

Any update on this?

Currently have the same situation (wanting to block the Skype App, including the instant messaging, video call, voice call) using MX64.

However, I was still able to use Skype for IM, video call.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels