New Member

Question

Deep Packet Inspection enabled: Office 365 activation issue

Forum|Forum|8 years ago
July 17, 2017
5 replies
27025 views

All,

Running 5.4.4, I recently enabled SSL inspection on our outbound web policies, since then I'm unable to activate any microsoft office products/windows.

If i remove the inspection profile from the policy, the office applications/windows will activate fine. I've read that microsoft use certificate pinning which is why this is not working.

My question is, whats the best way forward to correct this issue. I'm aware that I need to exempt the microsoft fqdn's from the inspection policy but I'm not sure which server ip addr's they are because there is so fricken many.

Any guidance would be appreciated.

Cheers

hmtay_FTNT

Staff

Hello robdog,

Can you add the following FQDN in your exemption list?

"activation.sls.microsoft.com", "activation-v1.sls.microsoft.com" and "activation-v2.sls.microsoft.com". Let me know if this works.

Homing

robdogAuthor

New Member

Hi Homing,

I have the following allowed and it still does not work. Ignore the extl prefix. If i disable this policy it connects and activates. so 100% i'm missing some URL in this exemption group but what is the question :)

edit "extl.Microsoft.Activation.test" set uuid f24d49be-6ac8-51e7-95e1-0804b0f6ec25 set member

"extl.activation-v2.sls.microsoft.com"

"extl.activation-v2.sls.microsoft.com.nsatc.net"

"extl.activation.sls.microsoft.com"

"extl.clientconfig.microsoftonline-p.net"

"extl.crl.microsoft.com"

"extl.displaycatalog.md.mp.microsoft.com"

"extl.displaycatalog.mp.microsoft.com"

"extl.go.microsoft.com"

"extl.licensing.md.mp.microsoft.com"

"extl.licensing.mp.microsoft.com"

"extl.login.live.com"

"extl.office14client.microsoft.com"

"extl.productactivation.one.microsoft.com"

"extl.purchase.md.mp.microsoft.com"

"extl.purchase.mp.microsoft.com"

"extl.sls.update.microsoft.com"

"extl.validation.sls.microsoft.com"

"extl.activation-v1.sls.microsoft.com"

"extl.validation-v2.sls.microsoft.com"

"extl.autodiscover-*.outlook.com"

"extl.autodiscover-s.outlook.com"

"extl.autodiscover.outlook.com"

next end

hmtay_FTNT

Staff

Hi robdog,

Can you do a packet capture with the policy that will block it? Please start the packet capture before you try to activate. I would need to check the handshake to find out which hostname is it trying to connect to. You can send the pcap to my email at hmtay@fortinet.com

robdogAuthor

New Member

hmtay,

Thanks for your offer of help. It seems that it wasn't the SSL exclusion list that was causing this issue.

We have an application Policy which i had to allow web.client(changed from monitor) and add the HTTPS.BROWSER signature (set to allow).

This has corrected the problem for anyone else experiencing a similar issue.

Regards

robdogAuthor

New Member

Subsequently, i am having a problem now where office 365 is being blocked by web filtering policy because web based mail is blocked.

I dont want to enable webmail just office 365, any ideas?

chandansinghen

New Member

check your fqdn list and exempt from ssl deep scanning

diagnose firewall fqdn list

diagnose firewall fqdn list List all FQDN: update.microsoft.com: ID(244) REF(1) ADDR(157.55.240.94) ADDR(65.55.50.190)

I have check it and working fine. also I allow microsot MS.Product.Activation in application filtering

chandansinghen

New Member

diagnose firewall fqdn list List all FQDN: update.microsoft.com: ID(244) REF(1) ADDR(157.55.240.94) ADDR(65.55.50.190) Exempt from SSL Inspection these IP address 157.55.240.94 65.55.50.190 and add IP address of MS.Product.Activation from log Also allow MS.Product.Activation certificate in application fillerting

Now it is working

theArties

New Member

Hi there,

I see that this's an old thread. Wondering if there's any changes to the domains given in previous replies?

Appreciate your feedback.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded