Technical Note: How to Exempt Webex for SSL Inspection

jvergara · ‎01-05-2016

Description
This article describes how to exempt Webex for SSL Inspection.
Solution

Here is a step by step guide:

1. Configure firewall address which point towards your webex servers.

config firewall address

edit "webex1"

set subnet 62.109.192.0/18

next

...

edit "webex9"

set subnet 210.4.192.0/20

next

end

2. Configure a firewall address group

config firewall addrgrp

edit "WEBEX"

set member "webex1" "webex2" "webex3" "webex4" "webex5" "webex6" "webex7" "webex8" "webex9"

next

end

3. Configure your firewall SSL-SSH profile:

config firewall ssl-ssh-profile

edit "https"

config https

set ports 443

end

config ftps

set ports 990

set status disable

end

config imaps

set ports 993

set status disable

end

config pop3s

set ports 995

set status disable

end

config smtps

set ports 465

set status disable

end

config ssl-exempt

edit 1

set type address

set address "WEBEX"

next

end

next

end

4. Create your firewall policy.

On FortiOS 5.6 the administrator can create a Firewall Policy and add an Internet Service as the destination Address. Therefore, while creating a Firewall Policy on top of the sequence list, select your desired Incoming Interface, Source Address and Outgoing Interface and select Cisco-Webex as the Destination. Moreover, you will apply NAT if needed and disable any SSL inspection for this traffic.

config firewall policy

edit <Policy ID>

set name "Webex"

set srcintf "lan"

set dstintf "wan1"

set srcaddr "all"

set internet-service enable

set internet-service-id 1966183

set action accept

set schedule "always"

set nat enable

next

end

"Exempt list" is only available if the SSL Inspection profile is using "Deep-inspection" option

Technical Note: How to Exempt Webex for SSL Inspection

You are leaving our website