I've been challenged to "improve Skype performance" for calls within my organisation.
Having read the Skype IT Administrators Guide I am wondering whether we might have a performance issue where the Skype Clients in a call are all on our WAN.
The call is initiated by a Skype Client at our head office, and terminated on a Skype Client in a remote office connected via IPSEC VPN.
Where this happens, I assume the trafficfrom Client A (encrypted by Skype) goes to our ASA 5510, where it is furtehr encrypted, sent to the remote ASA 5505 decrypted, then passed to Client B which decrypts the Skype encryption.
Would the call quality benefit if the traffic didn't go over the VPN, but instead only relied on Skype's encryption? I imagine I could achieve this by setting up a SOCKS5 proxy in our HQ DMZ for Skype traffic.
Then the traffic goes from Client A to Proxy, over the Skype relay network, then arrives at Cisco ASA 5505 as any other internet traffic, and then to Client B.
Is there likely to be any performance benefit in doing this? If so, is there a way to do it that doesn't require a proxy?
Has anyone else tackled this?
Best Answer
IPSEC VPNs will definitely degrade performance, both because of the encryption processing, and the reliance on TCP. If you have the licenses to support it, you could try SSL VPN between the two ASAs, which with TLS, could improve performance some (UDP).
I'm not familiar with Skype traffic or SOCKS5 proxies, but I'm not sure why that step would be necessary, as you say that Skype is already encrypting the traffic. To improve performance, you'd want to eliminate hops & processing. Find out what ports Skype relies on and create a rule to allow them through the ASAs without being caught by your IPSEC VPN policy. Likely this may involve some unNATs as well.