FortiGate
onunez
Staff
Article Id 189967
Description
This article describes why some applications, such as Lync (now Skype for Business), stop working when SSL Deep Inspection is enabled. The failure follows from how the SSL Deep Inspection feature works.
Scope
FortiGate with SSL Inspection
Solution
Deep Inspection works as follows:

- It breaks the initial SSL communication between client and server into two SSL sessions, one between the FortiGate and the server and another between the FortiGate and the client.
- It does this by first identifying an outbound SSL request and not forwarding it.
- It then creates its own SSL request to the same destination and completes that connection.
- It then uses an internally installed CA certificate (the default is Fortinet_CA_SSL) to sign a certificate for the site and passes that certificate to the client to complete the initial request.
- The certificate the client receives is therefore signed by the FortiGate's internal CA instead of the site's real CA.

Figure 1: Steps with "Allow Setting", trusted certificate


- By default this CA certificate is not trusted by clients, so it causes certificate warnings.

Figure 2: Steps with "Allow Setting", untrusted certificate


- Normally the certificate warnings can be avoided by installing the FortiGate CA root certificate locally on each machine (in every browser or certificate store the machine uses).


However, some applications, such as Lync, know what certificate to expect from the server (in effect, certificate pinning). If the application receives anything other than that certificate, it assumes it is the victim of a man-in-the-middle attack and simply halts communication. Installing the FortiGate CA on the machine does not help here, because the check is against the expected server certificate, not against the trust store.

To work around this for Lync, there are two options:
- Exempt the URLs Lync uses from the Web Filter profile.

- Or create a separate policy specifically for Lync and turn off SSL Deep Inspection in that policy.
Note: the second option can still run into problems if the FortiGate does not cache enough IP addresses for the URLs referenced by the policy (32 is the maximum number of addresses it can cache), so the recommendation is to exempt the URLs in the Web Filter profile.
To exempt the URLs, go to Security Profiles > Web Filter > Profiles. Select the profile used by the policies (if traffic can hit more than one profile, make the change in each of them to prevent problems). Turn on the 'Enable Web Site Filter' option; a table for entering URLs appears.

According to the Microsoft article that Fortinet references, the list of addresses is:
*.teams.microsoft.com
teams.microsoft.com
*.skype.com
*.lync.com
*.azureedge.net
*.sfbassets.com
*.urlp.sfbassets.com
skypemaprdsitus.trafficmanager.net
quicktips.skypeforbusiness.com
For each of these URLs, create a new item in the Web Site Filter list. Enter the URL; for URLs beginning with *. set the type to wildcard, otherwise leave it as simple; and set the action to exempt.

This exempts all of these URLs from deep inspection, which should resolve the problem and allow Lync to connect without issue.
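The same exemption expressed as FortiOS CLI, with the wildcard/simple decision made by code, as an added example that is not part of the Fortinet article. The script builds the URL filter table from the host list above and models which entry a given hostname would hit, so the remaining gaps (for example a host that matches no entry and therefore still gets deep-inspected) are visible before the change goes live. The object name "SfB-exempt", the table id 1, the profile name "default" and the hostname-only matching model are assumptions for illustration.

```python
# Added example, not code from the Fortinet article: generate the FortiOS CLI
# equivalent of the Web Site Filter steps and model which entry a host hits.
# Object name, table id, profile name and the matching model are assumptions.
from fnmatch import fnmatchcase
from typing import Iterable, Optional

# The Lync / Skype for Business hosts listed in the article.
LYNC_HOSTS = [
    "*.teams.microsoft.com",
    "teams.microsoft.com",
    "*.skype.com",
    "*.lync.com",
    "*.azureedge.net",
    "*.sfbassets.com",
    "*.urlp.sfbassets.com",
    "skypemaprdsitus.trafficmanager.net",
    "quicktips.skypeforbusiness.com",
]


def entry_type(pattern: str) -> str:
    """Article rule: patterns beginning with '*.' are 'wildcard', all others 'simple'."""
    return "wildcard" if pattern.startswith("*.") else "simple"


def build_urlfilter_cli(name: str, table_id: int, profile: str, hosts: Iterable[str]) -> str:
    """Emit the CLI that creates a URL filter table with one 'exempt' entry per
    host and attaches that table to the given web filter profile."""
    lines = [
        "config webfilter urlfilter",
        f"    edit {table_id}",
        f'        set name "{name}"',
        "        config entries",
    ]
    for idx, host in enumerate(hosts, start=1):
        lines += [
            f"            edit {idx}",
            f'                set url "{host}"',
            f"                set type {entry_type(host)}",
            "                set action exempt",
            "            next",
        ]
    lines += [
        "        end",
        "    next",
        "end",
        "config webfilter profile",
        f'    edit "{profile}"',
        "        config web",
        f"            set urlfilter-table {table_id}",
        "        end",
        "    next",
        "end",
    ]
    return "\n".join(lines)


def matching_entry(hostname: str, hosts: Iterable[str]) -> Optional[str]:
    """Simplified model (assumption, hostname only): a 'simple' entry matches the
    exact host, a 'wildcard' entry matches with shell-style globbing. Returns the
    first matching pattern, or None when deep inspection would still apply."""
    host = hostname.lower()
    for pattern in hosts:
        if entry_type(pattern) == "wildcard":
            if fnmatchcase(host, pattern.lower()):
                return pattern
        elif host == pattern.lower():
            return pattern
    return None


if __name__ == "__main__":
    print(build_urlfilter_cli("SfB-exempt", 1, "default", LYNC_HOSTS))
    # Constructed sample hostnames: two that the list covers, one that it does not.
    for h in ("webdir.online.lync.com", "teams.microsoft.com", "login.microsoftonline.com"):
        print(f"{h} -> {matching_entry(h, LYNC_HOSTS)}")
```

Note that "teams.microsoft.com" needs its own simple entry: the wildcard "*.teams.microsoft.com" only matches hosts that have something before the dot, which is why the article lists both. The generated CLI is the hand-typed equivalent of the GUI steps; review it before pasting, since the profile name and table id must match the ones actually in use on the FortiGate.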


Related Articles

Technical Note: Allowing Access to Skype for Business (Software and Web-App) when SSL Deep Inspectio...
