FortiGate
aabdhadi
Staff
Article Id 225563
Description

 

This article describes how to allow users access to Skype for Business (web access and desktop application) when the Application Control profile applied to the policy blocks all internet access.

 

Allowing only the Skype application signatures in Application Control is not sufficient to allow access to Skype in an environment where Application Control has been configured to block all internet access.

 

Scope

 

FortiGate in Profile-mode, version 6.4.9 and above.

 

Solution

 

Skype for Business is an application owned by Microsoft, so a few Microsoft component signatures must also be added for Skype to be fully accessible in a 'block-all' environment.

 

Below are the steps to configure an Application Control UTM profile that blocks all applications and allows only Skype:

 

1) Log in to the FortiGate GUI.

2) Select the 'Security Profiles' tab on the left-hand side of the GUI and find the 'Application Control' tab:

 

Go to Security Profiles -> Application Control.

 


3) Select 'Create New' to create a new Application Control profile.

4) Fill in the 'Name' field and set the action to 'Block All Categories' in the Categories section:

(This configuration blocks access to all internet application signatures.)

 


5) To allow only Skype access, add the Skype application signatures and a few Microsoft signatures in 'Application and Filter Overrides'.

 

Select 'Create New' to add the Skype and Microsoft application signatures:

 

Go to Application and Filter Overrides -> Create New.

 


6) To add the Skype application signatures, set the type to 'Application', search for Skype and select 'Add All Results':

 

Go to Type 'Application' -> Action 'Allow' -> Search 'Skype' -> Add All Results.

 


7) Now search for the 'Microsoft.Portal', 'Microsoft.CDN' and 'Microsoft.Authentication' application signatures, which are required by Skype.

 

Select 'Add All Results' after each search.

 

8) To verify the list of added application signatures, select the 'Selected' tab and make sure all the signatures from steps 6 and 7 have been added.

Select 'OK' once confirmed.

 


9) Select 'OK' to save the configured Application Control profile.

 


How to apply the created Application Control profile to a firewall policy:

 

1) Select the 'Policy & Objects' tab on the left-hand side, and select 'Firewall Policy':

 

Go to Policy & Objects -> Firewall Policy.

 


2) Edit any policy that allows users to connect to the internet and apply the created Application Control profile to it:

 

Go to Edit Policy (Internet Access) -> Security Profiles -> Action 'ACCEPT' -> Application Control -> Select 'Skype' profile -> Select 'OK'.
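
The same profile and policy binding expressed in the FortiOS CLI, as an added example that is not part of the original article. The angle-bracket values (signature IDs, policy ID) are placeholders to be read from the device, and the block-all default is expressed here with other-application-action and unknown-application-action, which is an assumption and may differ from the entries the GUI writes for 'Block All Categories'. Running show application list "Skype" on a profile saved from the GUI gives the exact entries to compare against.

```fortios
# Added example, not from the original article.
config application list
    edit "Skype"
        # Block-all default. Assumption: this stands in for the GUI's
        # 'Block All Categories' setting from step 4.
        set other-application-action block
        set unknown-application-action block
        config entries
            edit 1
                # Placeholder: the IDs of the Skype, Microsoft.Portal,
                # Microsoft.CDN and Microsoft.Authentication signatures
                # selected in steps 6 and 7.
                set application <signature-id> <signature-id> ...
                set action pass
            next
        end
    next
end

# Bind the profile to the policy that carries the users' internet traffic.
config firewall policy
    edit <policy-id>
        set utm-status enable
        set application-list "Skype"
    next
end
```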

 


Note:

Refer to the related document below for a guide on configuring firewall policies.

 

Related article:

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/554066/firewall-policies
