Secure Skype for Business leveraging VPN


  • Only allow VPN approved devices to connect
  • Split authentication traffic from A/V
  • VPN Split tunnel required
  • Allow device access control
  • Optimal user experience

SkypeShield offers an innovative solution for using Skype for Business with Virtual Private Networks (VPN), providing a seamless user experience without compromising on quality of service.

The solution is ideal for organizations seeking to leverage their existing VPN infrastructure to secure their Skype for Business deployment. When VPN access is controlled by MDM or by certificates that are available to approved devices only, the solution also provides device access control.

Microsoft recommends moving all voice and video traffic through the Internet and not over VPN. Deploying Skype for Business over VPN results in quality degradation because of double encryption of Skype for Business traffic over VPN.

Authentication goes through the VPN, while audio/video traffic is routed through the Edge over the Internet, as required by Microsoft. The solution requires that Skype for Business traffic be configured to work outside of the VPN connection, with a VPN connection that can be triggered by accessing certain hosts or IPs.

Organizations using SkypeShield can verify that only devices with corporate VPN access can connect to Skype for Business to complete the authentication process. At the same time, the majority of Skype for Business traffic (audio/video) passes through the Internet, resulting in an optimal user experience.

From an end-user perspective, the transition between the VPN tunnel for authentication and the Internet for ongoing usage is performed automatically by SkypeShield. By using this approach, SkypeShield can redirect any unregistered device to the VPN for registration. Once the device has accessed SkypeShield via the VPN, the device is registered. The Skype for Business client is then redirected to continue the remainder of the session outside the VPN.

SkypeShield can be configured to require VPN access at every authentication attempt or only once for registration. In the latter case, the device requires no VPN access in subsequent sessions, as it is already registered with SkypeShield.

Requiring VPN access at each authentication attempt offers three-factor authentication based on credentials, device and VPN access.