Wurstsalat
New Contributor III

FortiOS 6.0.3 problem with explicit proxy and web socket connections

Hi there,

We recently upgraded our FortiGate from FortiOS 5.6.7 to 6.0.3 but now have problems with several "chat" applications, such as Facebook web messenger, WhatsApp Web and so on.

 

What we have in place

- Explicit proxy

- Proxy has authentication enabled

- HTTPS Deep Inspection is enabled

 

When we analyze the connection in the browsers, we always see that "wss://" connections are broken, such as

wss://web.whatsapp.com/ws

Therefore it is not possible to start web socket based applications.

 

It works when we exclude the domain web.whatsapp.com from deep inspection, but we can't do this for all domains worldwide and we never had this problem with 5.6.x.

 

So does anyone know how to resolve this in FortiOS 6.x?

 

Any help is appreciated

1 Solution
pmit
New Contributor III

This is because FortiGate does not support web socket proxy. The web sockets attempt to connect directly, which of course does not work when someone is connected via VPN. I am trying to get a feature request for this going, as many newer apps use web sockets. There are other proxy solutions that do support this even though Fortinet has not yet implemented it. I have not had enough time to test them, but NGINX supports web socket proxy and Kaazing https://kaazing.com/kwg supposedly supports it as well. I will post more if I get a feature request going. Please vote up, this is a must-have feature of the SSL web portal. TAG SSL VPN web socket wss:

 

 


2 REPLIES
Cloud
New Contributor

Hello,

 

There are a few applications that you can't do Deep Inspection on, since they won't work.

For example, games like World of Warcraft, chat like WhatsApp.

 

The WhatsApp client is using its own certificate to connect to the server, so if you try to use deep inspection, the WhatsApp server will see that and it won't let the user connect.

 

Sorry for my English.

 

Best Regards

Marcin
