AACastillo
Staff
December 26, 2024

Technical Tip: Website published through FortiWeb in WCCP mode is inaccessible from Android devices

Description

This article describes when Android users cannot access a website published through FortiWeb operating in WCCP mode, why it happens, and how to solve it.

Solution

Sometimes, Android users have problems when a website is published through FortiWeb operating in WCCP mode, although the site has a valid SSL certificate and other devices, such as Windows, Linux, or Apple computers, can access it without issues.

 

This happens because Android devices only confirm the certificate information presented directly by the web server (or, in this case, by FortiWeb), and they cannot confirm the CA information using only the server certificate.

Android devices need to have an intermediate certificate to corroborate that the certificate is valid and signed by a legitimate certifying authority; this intermediate certificate must be issued by the same CA that issued the web certificate, and it must be sent by FortiWeb to the Android users.

 

To solve this, the CA intermediate certificate must be imported to FortiWeb and configured in the policy's server pool.

 

  1. Based on the CA that signed the server certificate (like GoDaddy, DigiCert, Amazon, etc.), download the intermediate certificate of this CA by visiting its website. The certificate should be in PEM or DER format (with extensions such as .pem, .cer, .crt, etc.).
  2. Create an Intermediate CA Group. Go to Server Objects -> Certificates -> Intermediate CA, select Intermediate CA, and then select Import.
  3. In Import CA Certificate, enable the Local PC setting and then select Upload. Select the intermediate certificate downloaded in point 1.
  4. The imported certificate will be saved with a name like Inter_Cert_1, Inter_Cert_2, or similar, and will show the full Subject and Issuer chains.
  5. Select the Intermediate CA Group and then select Create New. Write a name for this new group and select OK.
  6. Select Create New. In New CA Group Member, select CA and select the intermediate CA created in point 4; finally, select OK.
  7. Confirm the Intermediate CA is listed in the Intermediate CA Group. Select OK.
  8. Open the Server policy of the published website, then open the configured Server pool. Alternatively, open the Server Pool from Server Objects -> Server -> Server Pool.
  9. Select the IP address or URL of the web server and select Edit.
  10. In the Edit Server Pool Rule window, select the options tab in Certificate Intermediate Group, search for the created Intermediate CA Group, and then select OK. After that, in Edit Server Pool, select OK, and finally in Edit Policy select OK.

After installing the intermediate certificate, the website should open correctly from Android devices.
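
The result can also be checked without an Android device. The script below is an added example, not part of the original article or of Fortinet's tooling: it classifies a saved `openssl s_client -showcerts` capture by whether the leaf certificate verifies using only the certificates the server sent. The function name `chain_status`, the file names and the host `www.example.com` are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the article): decide whether the certificates a
# server presents are enough to reach a trusted root on their own, which is
# what the article says Android clients need.
#
# Capture what the server sends (www.example.com is a placeholder):
#   openssl s_client -connect www.example.com:443 -servername www.example.com \
#       -showcerts </dev/null >presented.txt
#
# Usage: chain_status PRESENTED ROOT_PEM CA_INTERMEDIATE_PEM
#   complete              leaf verifies using only the presented certificates
#   missing-intermediate  leaf verifies only when the CA's intermediate
#                         (step 1 of the article) is supplied locally
#   invalid               leaf does not verify either way
#   no-certificate        no PEM certificate found in PRESENTED
chain_status() {
    presented=$1 root=$2 ca_intermediate=$3
    work=$(mktemp -d) || return 2
    # First PEM block is the leaf; any further blocks are the extra
    # certificates the server sent. Other s_client output is ignored.
    awk -v d="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = d (n == 1 ? "/leaf.pem" : "/extra.pem") }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { out = "" }
    ' "$presented"
    set -- -CAfile "$root"
    if [ -s "$work/extra.pem" ]; then set -- "$@" -untrusted "$work/extra.pem"; fi
    if [ ! -s "$work/leaf.pem" ]; then
        status=no-certificate
    elif openssl verify "$@" "$work/leaf.pem" >/dev/null 2>&1; then
        status=complete
    elif openssl verify -CAfile "$root" -untrusted "$ca_intermediate" \
            "$work/leaf.pem" >/dev/null 2>&1; then
        status=missing-intermediate
    else
        status=invalid
    fi
    rm -rf "$work"
    echo "$status"
}
```

A result of `missing-intermediate` before the change and `complete` after it indicates that FortiWeb is now sending the intermediate certificate along with the server certificate.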

Related documents:
Uploading a server certificate 
Defining your web servers