backpackdam
New Member
September 16, 2022
Question

Unable to get iPhone mail via WiFi on FortiGate 100E

  • September 16, 2022
  • 3 replies
  • 11573 views

We have several locations running Fortinet equipment and we can't get to our on-prem Exchange server when using WiFi from only one of the locations.

 

Main office has a Fortigate 200.  Outlying offices both have Fortigate 100E.  A site-to-site tunnel connects everything.  When we're at the main office and on WiFi, any iPhone will connect to email using the Mail app perfectly.  When we go to office A with the same iPhone, everything works fine.  When we go to Office B (running FortiOS 6.2.11) with the same iPhone, we can't reach the Exchange server (via Mail app or OWA address).  We're able to ping the server just fine.  If we use an Android or a laptop in that same office, there is no issue - it is ONLY the iPhone.

 

Sniffer logs show the Client Hello going from the iPhone to the Exchange server.  Logs on the HQ 200 show that the Server Hello gets sent to the 100E but then the connection times out (maybe due to using TLS 1.0 somehow?).

 

Again - the same iPhone will work in our other locations just fine.  It's only this ONE location that is having issues.

 

Has anyone experienced something similar?  Does anyone know of any magic setting in the 100E that may need to be changed?  Is there a way to use the 100E to find out what happens to the traffic?

3 replies

Anthony_E
Staff
September 19, 2022

Hello backpackdam,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Regards,

Best Regards
Contributor
September 19, 2022

Dear Customer,
May I know whether the iPhone on Site B is connected to the Fortigate by WiFi or do you have an SSL VPN connection?

backpackdam
New Member
September 19, 2022

The iPhone at site B connects to a WiFi AP that is connected to the 100E.  The 100E connects back to our HQ via an SSL VPN tunnel.  This is the same method used at Site A.  While we're fairly sure the configuration is the same, we're not sure if there is a setting somewhere on Site B that is different and don't know where to look since we can't determine what the actual problem is.

backpackdam
New Member
September 20, 2022

**UPDATE** - we had a (known) subscription to the Next Gen Firewall (NGFW) service that lapsed on Saturday the 17th.  We let it lapse on purpose to see if the iPhones at site B would connect.  We verified with users on-site yesterday (Sep 19) that the iPhones were in fact working like they do at our other locations.

 

Today, we followed up with them and the iPhones are back to failing like they were last week and every day before that.

 

Is there an AI/learning algorithm somewhere that may be learning and then blocking iPhone mail traffic?  It also blocks traffic to our OWA page in Safari.

gfleming
Staff
September 20, 2022

Let's ignore the mail client and underlying protocols for now. Let's just work with OWA. So an iPhone cannot connect to OWA using Safari. But an Android device can connect using Chrome?

 

What do the logs show for both connections? Any errors for the iPhone connection?

 

What security profiles do you have enabled on the FortiGate at Office B that would affect the iPhone traffic heading towards the Exchange server? Are you doing SSL inspection?

 

What appears on the iPhone? Do you get an error message? Does the error pop up immediately or does it time out?

backpackdam
New Member
September 20, 2022

Correct - an iPhone cannot connect to OWA via Safari but an Android will get there via Chrome.  A Windows laptop will also get to OWA via Chrome.

 

Not sure where to look for errors for the iPhone connection.  PCAP shows that the iPhone never receives a Server Hello / key exchange.  It doesn't time out immediately but after 30-45 seconds?

 

Site B is doing traffic inspection but so is Site A.  There is an IPS/IDS enabled but it isn't actively preventing traffic.

 

If you have some suggestions for where I should look for settings/logs/etc, I'm able to do that real quick.

 

All of the PCAPs we have are attached to our Fortinet Support ticket if you have access to those (I'll send you the number if you do!).

 

Thanks for all of your help so far!
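The two capture observations in this thread (a Client Hello leaving the iPhone, a Server Hello that never arrives, and a stall of 30-45 seconds) are exactly what a small triage script can pull out of a packet summary so that the working Android flow and the failing iPhone flow can be compared side by side. The following is an added example, not code from the thread or from Fortinet: it parses constructed one-line-per-packet summaries in the style of `tshark` output (frame, time, src -> dst, protocol, info), pairs each Client Hello with the first Server Hello on the same flow, counts retransmitted Client Hellos, and reports flows that never completed the handshake. The IP addresses, ports and timings are made up for the example.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the one-line-per-packet style of `tshark` output.
# Flow 10.20.0.15 stands in for the failing client, 10.20.0.22 for a working one.
SAMPLE_CAPTURE = """\
1 0.000000 10.20.0.15:52113 -> 192.168.1.10:443 TLSv1 Client Hello
2 0.021000 10.20.0.22:41876 -> 192.168.1.10:443 TLSv1 Client Hello
3 0.034000 192.168.1.10:443 -> 10.20.0.22:41876 TLSv1.2 Server Hello
4 0.036000 192.168.1.10:443 -> 10.20.0.22:41876 TLSv1.2 Certificate, Server Key Exchange, Server Hello Done
5 3.100000 10.20.0.15:52113 -> 192.168.1.10:443 TLSv1 Client Hello
6 6.300000 10.20.0.15:52113 -> 192.168.1.10:443 TLSv1 Client Hello
7 42.500000 10.20.0.15:52113 -> 192.168.1.10:443 TCP [RST, ACK]
"""

LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<info>.*)$"
)
# "Server Hello Done" also contains the words "Server Hello"; match only the real one.
SERVER_HELLO_RE = re.compile(r"\bServer Hello\b(?! Done)")


@dataclass
class Flow:
    client: str
    server: str
    first_hello: float          # time of the first Client Hello seen on this flow
    last_seen: float            # time of the last packet seen on this flow
    hello_count: int = 1        # 1 plus any retransmitted Client Hellos
    server_hello_at: Optional[float] = None


def parse_flows(capture_text):
    """Group summary lines into (client, server) flows keyed on the Client Hello."""
    flows = OrderedDict()
    for raw in capture_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank line or a line that is not a packet summary
        t = float(m["time"])
        src, dst, info = m["src"], m["dst"], m["info"]
        if "Client Hello" in info:
            flow = flows.get((src, dst))
            if flow is None:
                flows[(src, dst)] = Flow(src, dst, first_hello=t, last_seen=t)
            else:
                flow.hello_count += 1       # client is retrying, nobody answered
                flow.last_seen = t
            continue
        # Packets from the server side belong to the flow keyed on (client, server).
        key = (dst, src) if (dst, src) in flows else (src, dst)
        flow = flows.get(key)
        if flow is None:
            continue  # traffic on a flow whose Client Hello we never saw
        flow.last_seen = max(flow.last_seen, t)
        # Note: the version label on a Client Hello line is not the negotiated
        # version; only the Server Hello tells you what was actually agreed.
        if flow.server_hello_at is None and SERVER_HELLO_RE.search(info):
            flow.server_hello_at = t
    return list(flows.values())


def find_stalled_handshakes(capture_text, timeout=30.0):
    """Split flows into those that never received a Server Hello and those that did.

    A stalled flow is marked timed_out when the client kept the connection open
    for at least `timeout` seconds after its first Client Hello.
    """
    stalled, completed = [], []
    for f in parse_flows(capture_text):
        if f.server_hello_at is None:
            waited = f.last_seen - f.first_hello
            stalled.append({
                "client": f.client, "server": f.server,
                "client_hellos": f.hello_count,
                "waited_s": round(waited, 3),
                "timed_out": waited >= timeout,
            })
        else:
            completed.append({
                "client": f.client, "server": f.server,
                "latency_s": round(f.server_hello_at - f.first_hello, 3),
            })
    return stalled, completed


def report(capture_text, timeout=30.0):
    """Human-readable summary, one line per flow."""
    stalled, completed = find_stalled_handshakes(capture_text, timeout)
    lines = [f"OK      {c['client']} -> {c['server']}  Server Hello after {c['latency_s']}s"
             for c in completed]
    lines += [f"STALLED {s['client']} -> {s['server']}  {s['client_hellos']} Client Hello(s), "
              f"no Server Hello, waited {s['waited_s']}s"
              f"{' (timed out)' if s['timed_out'] else ''}"
              for s in stalled]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CAPTURE))
```

Run against a real summary (for example the text output of `tshark -r capture.pcap -Y tls.handshake` reformatted to the same columns, or a summary typed up from the FortiGate sniffer), the script lets you take captures on both sides of the tunnel and check whether the Server Hello leaves the HQ side but never reaches the branch client, which is the comparison the thread is trying to make between the Android and iPhone flows.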