Technical Tip: How to allow Zoom Meeting on FortiGate policy with ISDB
Description
This article describes how to allow Zoom Meeting in a firewall policy that uses ISDB.
In this scenario, an allow policy with the Zoom ISDB object (Zoom.us-Zoom.Meeting) as the destination may already be configured, but users are still unable to join a Zoom Meeting from the Zoom Client.
Scope
FortiGate.
Solution
The Zoom Client requires access to the following URLs:
- static.zdassets.com
- static.ada.support
Create two new FQDN addresses, 'static.zdassets.com' and 'static.ada.support', then create a new policy to allow these destinations.
To create an FQDN address using the GUI:
- Go to Policy & Objects -> Addresses and select Create New -> Address.
- Specify a Name.
- Select 'FQDN' as 'Type'.
- Enter the FQDN address.

The main sources for ISDB are vendor-published IP ranges and ASNs; in addition, we collect IPs from Fortinet DNS logs, Application Control logs, DNS lookups, etc. For Zoom, the main source is https://assets.zoom.us/docs/ipranges/Zoom.txt.
By design, ISDB can recognize one 3-tuple (IP-protocol-port) as only one application. 'static.zdassets.com' and 'static.ada.support' are third-party services used by Zoom. If their IPs were included in the Zoom ISDB object, other applications that also use these services would be incorrectly identified as Zoom. Thus, we cannot add the IPs of these two FQDNs to the Zoom object.
Add a firewall policy as follows:
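The FQDN addresses and the additional policy described above, written as FortiOS CLI (an added example, not configuration taken from this article). The interface names 'internal' and 'wan1', the source address 'all', the policy name, the HTTPS service and the NAT setting are assumptions; replace them with the values used by the existing Zoom ISDB policy.

```fortios
# Added example. Only the two FQDNs come from the article;
# every other value below is an assumption to adapt.
config firewall address
    edit "static.zdassets.com"
        set type fqdn
        set fqdn "static.zdassets.com"
    next
    edit "static.ada.support"
        set type fqdn
        set fqdn "static.ada.support"
    next
end

config firewall policy
    # "edit 0" creates the policy with the next free policy ID
    edit 0
        set name "Zoom-third-party-FQDN"
        # assumed interfaces and source; match the existing Zoom ISDB policy
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        # destination is limited to the two FQDN objects created above
        set dstaddr "static.zdassets.com" "static.ada.support"
        set action accept
        set schedule "always"
        # assumed service: HTTPS only, rather than ALL
        set service "HTTPS"
        # log sessions so use of this policy can be reviewed
        set logtraffic all
        # assumed: outbound internet access is source-NATed
        set nat enable
    next
end
```

Keeping the destination restricted to these two FQDN objects means the new policy opens nothing beyond the third-party hosts listed above.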

Related article:
Technical Tip: Not possible to access Zoom, even if port 443 and 80 are allowed with the open policy
