FortiGate
Debbie_FTNT
Staff
Article Id 192711

Description
This article explains possible issues that can occur when using Microsoft Teams and the meeting schedule add-in in Outlook in a proxy environment.

Solution
When operating Microsoft Teams in a proxy environment, errors can occur when trying to schedule a Teams meeting from Outlook.
In particular, after a few seconds Outlook will return the error message 'We couldn’t schedule the meeting. Please try again later.'


This will be triggered if the FortiGate/FortiProxy settings require authentication (a user or group is set on the policy through which Microsoft Teams communicates); the 'Schedule Teams Meeting' add-in is unable to handle the HTTP 407 message FortiGate or FortiProxy sends to trigger authentication.

Logs for the Teams add-in may be found here on a Windows 10 computer:

%AppData%\Microsoft\Teams\meeting-addin
The file name is 'teams-meeting-addin.log'.
The error should look similar to the example below:

[…]
Error Microsoft.Teams.MeetingAddin.Scheduler.SchedulerService CreateMeetingAsync
System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote server returned an error: (407) Proxy Authentication Required.
   at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
   at System.Net.Http.HttpClientHandler.GetRequestStreamCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
[…]
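
To confirm this symptom in a collected add-in log, the following added example (not part of the original article and not Fortinet or Microsoft code) scans the log for the 407 exception and reports which add-in call hit it. It assumes error entries have the "Error <component> <method>" shape shown in the excerpt above; the function and variable names are illustrative.

```python
import os
import re
from pathlib import Path

# Log location given in the article (Windows 10).
DEFAULT_LOG = (Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Teams"
               / "meeting-addin" / "teams-meeting-addin.log")

# Assumption: an error entry ends with "Error <component> <method>", as in the
# article's excerpt; any prefix before "Error" (e.g. a timestamp) is tolerated.
ERROR_HEADER = re.compile(r"\bError\s+(?P<component>[\w.]+)\s+(?P<method>\w+)\s*$")
PROXY_407 = "(407) Proxy Authentication Required"


def find_proxy_auth_failures(lines):
    """Return one dict per 407 exception, tagged with the add-in call that failed."""
    findings = []
    current = None  # most recent "Error <component> <method>" header seen
    for lineno, line in enumerate(lines, start=1):
        header = ERROR_HEADER.search(line)
        if header:
            current = header.groupdict()
        if PROXY_407 in line:
            findings.append({
                "line": lineno,
                "component": current["component"] if current else None,
                "method": current["method"] if current else None,
            })
    return findings


# Constructed sample, based on the excerpt in the article.
SAMPLE_LOG = """\
Error Microsoft.Teams.MeetingAddin.Scheduler.SchedulerService CreateMeetingAsync
System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote server returned an error: (407) Proxy Authentication Required.
   at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
   --- End of inner exception stack trace ---
"""

if __name__ == "__main__":
    # Use the real log when present, otherwise fall back to the constructed sample.
    if DEFAULT_LOG.is_file():
        text = DEFAULT_LOG.read_text(encoding="utf-8", errors="replace")
    else:
        text = SAMPLE_LOG
    for hit in find_proxy_auth_failures(text.splitlines()):
        print(f"line {hit['line']}: {hit['component']}.{hit['method']} "
              "received HTTP 407 from the proxy")
```

A hit on SchedulerService CreateMeetingAsync means the scheduling request was answered with a proxy authentication challenge, which is the condition the workarounds below address.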

There are two possible workarounds:

1) IP-based authentication.

With IP-based authentication set in the authentication rule, FortiGate should already have authentication information for the host trying to schedule a meeting (as scheduling a meeting should not be the very first piece of proxy traffic being generated). This means it should not send an HTTP 407 message to prompt authentication.
If it does, generating some other traffic to trigger authentication should allow scheduling a meeting afterwards.
The IP-based setting can be set here:

config authentication rule
    edit <rule>
        set ip-based enable
    next
end

2) Exempting Teams from authentication or proxy entirely.

Creating a proxy policy with destination Internet Service 'Microsoft.Teams' and not setting any authentication (no user/group in the policy) should also fix this – traffic from the meeting add-in will not prompt an authentication request as no authentication is required for those destinations in the first place.

If the Internet Service for Microsoft Teams is considered too broad (it contains several thousand IP addresses), then, based on a Microsoft forum entry, restricting the exemption to these URLs should also work:
https://api.scheduler.teams.microsoft.com/
https://mobile.pipe.aria.microsoft.com/
From https://techcommunity.microsoft.com/t5/microsoft-teams/problem-with-teams-meeting-add-ins-in-outlook...

This exemption policy should be placed at the top of the proxy-policy table to ensure the Teams traffic does not accidentally match any other policy which might trigger the issue.
Microsoft Teams (or these URLs) could also be exempted from proxy entirely (exemptions need to be configured in web-proxy settings), and a regular policy can be used to allow this traffic instead.


Comments
Anonymous

Excellent!
