skorzen
New Member
July 17, 2017
Solved

Office 365 Autodiscover - Certificate warning

Hello guys,

I am having a problem with the Office 365 Autodiscover process and FortiGate.

Basically, when my client (Outlook or even a web browser) tries to reach an unresolvable URL like https://tenantname.mail.onmicrosoft.com/autodiscover/autodiscover.xml, it presents me with a FortiGate certificate warning (signed by the FortiGate CA), and when accepted I get to the FortiGate's replacement message saying that the DNS name does not exist.

If the HTTPS URL is valid (DNS resolvable) then it just gets me to the destination, even if there is no content there, which is what's needed in the previous case.

I've tried creating a Static URL Filter in order to bypass this behavior, without luck. Even disabling all kinds of SSL inspection and Application Control options, I still get that "error".

Is there a way to bypass this? I am using only Explicit Proxy rules. The replacement message cannot be disabled in general, but it could be bypassed for this particular FQDN, if possible.

Thanks a lot!

BR,

Bruno Martins

    ipns (best answer)
    New Member
    July 21, 2017

    Hi Bruno,

    I also had this problem. I solved it by configuring the proxy settings in the browser of my clients, exempting *.onmicrosoft.com from being sent to the proxy. Another solution is importing the FortiGate CA certificate in the certificate store of the clients. Another solution is disabling explicit proxy and exempting *.onmicrosoft.com from SSL inspection.
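    The first suggestion above (a client-side proxy exception for *.onmicrosoft.com) is usually deployed as a proxy auto-configuration (PAC) script rather than by hand-editing each browser. The PAC below is an added example and is not code from this thread or from Fortinet; the proxy address fortigate.corp.example:8080 is a placeholder you would replace with your FortiGate explicit proxy. It sends *.onmicrosoft.com (and plain intranet names) DIRECT so the FortiGate never sees the Autodiscover probe, and routes everything else through the proxy. The suffix check is written so that a look-alike such as notonmicrosoft.com does not slip past inspection, which a naive "ends with" test would allow.

```javascript
// Added example: a PAC file implementing a proxy-bypass list for
// *.onmicrosoft.com. Not from the thread or from Fortinet.
// fortigate.corp.example:8080 is a placeholder for the FortiGate explicit
// proxy; BYPASS_DOMAINS is the list from the answer above plus nothing else.

var FORTIGATE_PROXY = "PROXY fortigate.corp.example:8080"; // placeholder
var DIRECT = "DIRECT";

// Domains whose hosts, and all their subdomains, bypass the proxy.
// Keep this list tight: anything here is neither logged nor inspected
// by the FortiGate.
var BYPASS_DOMAINS = ["onmicrosoft.com"];

// Intranet names without a dot go direct as well.
function isPlainHostname(host) {
  return host.indexOf(".") === -1;
}

// True when host equals domain or is a subdomain of it (case-insensitive).
// Defined locally rather than relying on the PAC runtime's dnsDomainIs(),
// so the file also runs under Node, and so that a partial label such as
// "notonmicrosoft.com" is NOT treated as part of "onmicrosoft.com".
function hostInDomain(host, domain) {
  var h = host.toLowerCase();
  var d = domain.toLowerCase();
  if (d.charAt(0) === ".") d = d.substring(1);
  if (h === d) return true;
  var suffix = "." + d;
  return h.length > suffix.length && h.slice(-suffix.length) === suffix;
}

// Entry point called by the browser for every request.
// Returns "DIRECT" for bypassed hosts, otherwise the proxy string.
// No "; DIRECT" fallback is appended on purpose: if the proxy is down,
// silently going direct would bypass the FortiGate for all traffic.
function FindProxyForURL(url, host) {
  if (isPlainHostname(host)) return DIRECT;
  for (var i = 0; i < BYPASS_DOMAINS.length; i++) {
    if (hostInDomain(host, BYPASS_DOMAINS[i])) return DIRECT;
  }
  return FORTIGATE_PROXY;
}
```

    Serve the file over WPAD or push it with a group policy "automatic configuration script" setting; Outlook on Windows follows the same system proxy settings as Internet Explorer/Edge, so the Autodiscover request to tenantname.mail.onmicrosoft.com then goes straight to DNS on the client and fails there instead of hitting the FortiGate replacement page.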

    skorzen
    skorzen (author)
    New Member
    August 4, 2017

    ipns wrote:

    Hi Bruno,

    I also had this problem. I solved it by configuring the proxy settings in the browser of my clients, exempting *.onmicrosoft.com from being sent to the proxy. Another solution is importing the FortiGate CA certificate in the certificate store of the clients. Another solution is disabling explicit proxy and exempting *.onmicrosoft.com from SSL inspection.

    I'll try your suggestion of modifying the clients' browser proxy settings.

    Cheers!

    dmcquade
    New Member
    August 9, 2017

    I have had similar situations. For these we create a wildcard FQDN object (*.onmicrosoft.com) and add it to the SSL Inspection profile Exception list.