Created on 02-22-2010 01:46 AM Edited on 03-24-2022 11:21 AM By Anonymous
Description
This article provides the root cause and solution for the following issue: MSN users cannot log in when the HTTPS Content Filtering Mode is "Deep Scan".
This article applies only to FortiGate hardware using CP6 technology and where SSL content inspection is performed.
Because of the initial authentication required for the HTTPS protocol on port 443, MSN clients do not accept a server certificate signed by the Fortinet SSL proxy. The disconnection occurs at the initial authentication stage.
Users might experience similar issues with other IM applications such as AIM 6.0.
Scope
All FortiGate units with CP6 hardware.
Solution
To add the address group to an ACCEPT firewall policy
2. FortiOS 4.0 MR2 and above is based on FortiGuard Web Filtering
1. Go to the Firewall Policy that requires this action, enable the UTM Web Filter, create a new profile and select the SSL exempt category in FortiGuard Web Filtering. This is shown in the screenshot below.
2. In Firewall Policy > UTM > Protocol Options, select the default setting, save the modifications to the Firewall Policy and exit.
3. In UTM > Web Filter > Local Category, create a local IM category, for example "IM".
4. In UTM > Web Filter > Local Ratings, add a new entry with the URL of the IM server host, for example: kdc.uas.aol.com or login.live.com. Define the Local Rating category "Instant Messaging".
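To confirm from a client behind the policy that the exemption took effect, the following added example (not Fortinet code) performs a strict TLS handshake with the IM login hosts named above and reports whether the certificate was re-signed by the SSL proxy. The `PROXY_MARKER` string and both sample issuers are assumptions constructed for illustration; set the marker to match the CA certificate your FortiGate actually uses for deep scanning.

```python
import socket
import ssl

# Assumption: the inspecting CA's issuer contains this marker. Change it if
# the FortiGate re-signs with a custom CA certificate.
PROXY_MARKER = "fortinet"

# Constructed sample issuers in the shape ssl.getpeercert() returns.
SAMPLE_RESIGNED = {"issuer": ((("organizationName", "Fortinet"),),
                              (("commonName", "FortiGate CA"),))}
SAMPLE_ORIGINAL = {"issuer": ((("organizationName", "Example Public CA"),),
                              (("commonName", "Example TLS CA 1"),))}


def issuer_fields(cert):
    """Flatten the issuer of an ssl.getpeercert() dict into {name: value}."""
    return {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}


def classify(cert, marker=PROXY_MARKER):
    """Return 'inspected' if the issuer looks like the SSL proxy CA, else 'exempt'."""
    values = " ".join(issuer_fields(cert).values()).lower()
    return "inspected" if marker.lower() in values else "exempt"


def check_host(host, port=443, timeout=5.0):
    """Handshake like a strict client and report how the certificate was issued."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # Same failure the IM client hits: the presented chain is not trusted.
        return f"rejected ({exc.verify_message})"
    except OSError as exc:
        return f"unreachable ({exc})"


if __name__ == "__main__":
    # Hosts taken from the Local Ratings step above.
    for name in ("login.live.com", "kdc.uas.aol.com"):
        print(f"{name}: {check_host(name)}")
```

A result of `exempt` means the client saw the server's original certificate chain; `inspected` or `rejected` means the session is still being deep scanned or the presented chain is not trusted by the client.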