Jamie
New Member
May 9, 2017
Question

SSL Deep Packet Inspection breaks RDP Gateway over HTTPS

Hi,

In my lab I have a 200E on 5.4.4. I'm using SSL deep inspection for 443 traffic. I'm testing with the FortiGate SSL cert added to the Trusted Root Certification Authorities store for computer accounts on Windows 10. Normal HTTPS traffic is working fine, tested on IE11.

My issue is when using RDP connections through RD Gateway servers. Specifically, external Windows Server 2012 RD Gateway servers won't connect RDP sessions from Windows devices behind the FortiGate in my lab. Interestingly, SBS 2011 RD Gateway servers do connect successfully.

I tried both proxy-based and flow-based modes. Same result. Does anyone have similar issues or know how to resolve this?

2 replies

shoki
New Member
March 27, 2019

Hi!

The answer for this problem is... add the CA from your RDS to the trusted CA certificates on the FortiGate.

This resolved my issue a few years ago.

cabby
New Member
May 20, 2021

Hi,

I know this is an old thread, but I'm not able to use RDP gateway with deep inspection. I'm not talking about inbound access to a gateway server; my clients are not able to connect to external servers. Since we do need to connect to a lot of these for various reasons, I'm not able to enable DPI. We are using the FortiGate CA certificate and it's trusted by the users' workstations. Except for the RDP gateways, it's working pretty well.

The application is detected fine and it's also allowed, but the RDP clients always end with an error message and no RDP connection.

TecnetRuss
Visitor III
May 20, 2021

I haven't been able to find a fix for external RDS servers being blocked by DPI either, but what we do is add the external RDS/RDWeb URLs to the DPI exemption list in the SSL/SSH Inspection profile so that we can keep DPI enabled for all non-RDS traffic.

Russ

NSE7
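
A FortiOS CLI rendering of the workaround Russ describes, added here as an illustration rather than taken from the thread or from Fortinet documentation: the FQDN `rdg.example.com` is a constructed placeholder for an external RD Gateway, the address-object name and the profile name `custom-deep-inspection` are assumptions, and the exact `ssl-exempt` option names should be checked against the CLI reference for the FortiOS version in use, since they have changed across releases.

```fortios
# Constructed example: an FQDN address object for one external RD Gateway.
# "rdg.example.com" is a placeholder, not a real host from the thread.
config firewall address
    edit "rdg-example-com"
        set type fqdn
        set fqdn "rdg.example.com"
    next
end

# Assumed profile name. Each ssl-exempt entry passes TLS to that destination
# without decryption; everything not listed is still deep-inspected.
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config ssl-exempt
            edit 1
                set type address
                set address "rdg-example-com"
            next
        end
    next
end
```

The trade-off is that traffic to an exempted destination is no longer inspected at all, so the list is best kept to the specific gateway hostnames (one object per gateway, rather than a wildcard over a whole domain), and the exemption should be revisited if, as shoki suggests, importing the RDS CA into the FortiGate's trusted CA store turns out to make the gateway work under inspection.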

MMartens
New Member
February 14, 2024

Thank you for sharing!
Has this ever been solved properly instead of adding all RDP Gateway servers to the exemption list?
Thanks in advance,

Marcel