FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
GabrielAuYong_FTNT
Article Id 196120

Description
This article provides the root cause and solution for the following issue: MSN users cannot log in when the HTTPS Content Filtering Mode is set to "Deep Scan".

This article applies only to FortiGate hardware using CP6 technology and where SSL content inspection is performed.

With HTTPS deep scanning enabled, the FortiGate SSL proxy terminates the TLS session to port 443 and presents the client with a server certificate that the proxy has re-signed. The MSN client validates the server certificate during its initial authentication, does not accept the proxy-signed certificate, and drops the connection at that stage.

Users might experience similar issues with other IM applications, such as AIM 6.0.

Scope
All FortiGate models with CP6 hardware.

Solution

1. FortiOS prior to 4.0 MR2

The following steps describe how to create a FortiGate FQDN firewall address and add an ACCEPT firewall policy that uses this address to exempt the MSN login server from SSL inspection.
This assumes that the login server is well known; in this example it is login.live.com.
 
To add the FQDN addresses
  1. Go to Firewall > Address.
  2. Select Create New.
  3. Enter an address name, for example login.live.com.
  4. Set Type to FQDN.
  5. In the FQDN field enter login.live.com.
  6. Leave Interface set to Any.
  7. Select OK.

To add the address to an ACCEPT firewall policy

  1. Go to Firewall > Policy.
  2. Select Create New.
  3. Set Source Interface and Source Address to the same values as the existing policy that allows users to access the Internet.
  4. Set Destination Address to login.live.com.
  5. Set Service to ANY and Schedule to always. (Restricting Service to HTTPS narrows the exemption to the login traffic that actually needs it.)
  6. Set Action to ACCEPT. Do not apply a protection profile with HTTPS deep scanning to this policy; the absence of that profile is what exempts the login traffic.
  7. Select OK.
  8. Move the new policy above all other outbound policies that allow Internet access. Policies are matched top-down, so if the general Internet policy stays above it, the exemption never matches.
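The same exemption expressed in the FortiOS CLI, given here as an added example rather than text from the original article. The interface names "internal" and "wan1" and the policy IDs 1 (existing Internet policy) and 10 (new exemption) are assumptions; substitute the values of the existing Internet-access policy. The article's GUI steps use Service ANY; this example uses the predefined HTTPS service because the MSN login only needs port 443.

```fortios
# Added example (not from the original article): CLI equivalent of the GUI steps.
# Assumptions: source interface "internal", destination interface "wan1",
# existing Internet-access policy ID 1, new exemption policy ID 10.

# 1. FQDN address object for the MSN login server
config firewall address
    edit "login.live.com"
        set type fqdn
        set fqdn "login.live.com"
    next
end

# 2. ACCEPT policy with no protection profile attached, so HTTPS to this
#    host is passed through without deep scanning. HTTPS is used instead
#    of ANY to keep the exemption as narrow as possible.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "login.live.com"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end

# 3. Place the exemption above the general Internet policy (top-down matching)
config firewall policy
    move 10 before 1
end
```

After applying, confirm the order with "show firewall policy" and check that the exemption policy lists no profile; if a protection profile with deep scanning is attached to it, the MSN client will still see the proxy-signed certificate.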



2. FortiOS 4.0 MR2 and later (FortiGuard Web Filtering based)

In these releases the exemption is configured in the web filter profile rather than as a separate firewall policy: hosts rated into a local category that is marked as SSL exempt in FortiGuard Web Filtering are not deep-scanned.

  1. In Firewall Policy > UTM, enable Web Filter on the policy that carries this traffic, create a new web filter profile and, under FortiGuard Web Filtering, select the SSL exempt option for the local category that will hold the IM servers (created in step 3). This is shown in the screenshot below:

[Screenshot: FortiGuard Web Filtering profile with the SSL exempt category selected]

  2. In Firewall Policy > UTM > Protocol Options, select the default setting, save the modifications to the firewall policy and exit.
  3. In UTM > Web Filter > Local Category, create a local category for IM servers, for example "IM".
  4. In UTM > Web Filter > Local Ratings, add a new entry with the URL of each IM server host, for example kdc.uas.aol.com or login.live.com, and set its local rating to the category created in step 3.
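Steps 3 and 4 expressed in the FortiOS CLI, as an added example that is not part of the original article. The local category ID 140 is an assumption (FortiOS 4.x local categories use IDs in the 140 range; choose an unused one, visible with "show webfilter ftgd-local-cat"). The SSL exempt selection from step 1 is made in the web filter profile and is left to the GUI here because its CLI keyword differs between releases.

```fortios
# Added example (not from the original article): CLI equivalent of steps 3 and 4.
# Assumption: local category ID 140 is free on this unit.

# 3. Local category that will hold the IM login servers
config webfilter ftgd-local-cat
    edit "IM"
        set id 140
    next
end

# 4. Local ratings placing each IM server host in that category
config webfilter ftgd-local-rating
    edit "login.live.com"
        set rating 140
    next
    edit "kdc.uas.aol.com"
        set rating 140
    next
end
```

Once the "IM" category is marked as SSL exempt in the web filter profile applied to the policy, HTTPS sessions to these hosts are passed without certificate re-signing; add further IM servers by adding local ratings, not by editing the profile.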
