Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
robdog
New Contributor II

Deep Packet Inspection enabled: Office 365 activation issue

All,

Running 5.4.4, I recently enabled SSL inspection on our outbound web policies; since then I'm unable to activate any Microsoft Office products/Windows.

If I remove the inspection profile from the policy, the Office applications/Windows activate fine. I've read that Microsoft uses certificate pinning, which is why this is not working.

My question is, what's the best way forward to correct this issue? I'm aware that I need to exempt the Microsoft FQDNs from the inspection policy, but I'm not sure which server IP addresses they are because there are so fricken many.

Any guidance would be appreciated.

Cheers

8 REPLIES
hmtay_FTNT
Staff

Hello robdog,

Can you add the following FQDNs to your exemption list?

"activation.sls.microsoft.com", "activation-v1.sls.microsoft.com" and "activation-v2.sls.microsoft.com". Let me know if this works.

Homing

robdog
New Contributor II

Hi Homing,

I have the following allowed and it still does not work. Ignore the extl prefix. If I disable this policy it connects and activates, so 100% I'm missing some URL in this exemption group, but what is the question :)

    edit "extl.Microsoft.Activation.test"
        set uuid f24d49be-6ac8-51e7-95e1-0804b0f6ec25
        set member "extl.activation-v2.sls.microsoft.com" "extl.activation-v2.sls.microsoft.com.nsatc.net" "extl.activation.sls.microsoft.com" "extl.clientconfig.microsoftonline-p.net" "extl.crl.microsoft.com" "extl.displaycatalog.md.mp.microsoft.com" "extl.displaycatalog.mp.microsoft.com" "extl.go.microsoft.com" "extl.licensing.md.mp.microsoft.com" "extl.licensing.mp.microsoft.com" "extl.login.live.com" "extl.office14client.microsoft.com" "extl.productactivation.one.microsoft.com" "extl.purchase.md.mp.microsoft.com" "extl.purchase.mp.microsoft.com" "extl.sls.update.microsoft.com" "extl.validation.sls.microsoft.com" "extl.activation-v1.sls.microsoft.com" "extl.validation-v2.sls.microsoft.com" "extl.autodiscover-*.outlook.com" "extl.autodiscover-s.outlook.com" "extl.autodiscover.outlook.com"
    next
    end

hmtay_FTNT
Staff

Hi robdog,

Can you do a packet capture with the policy that blocks it? Please start the packet capture before you try to activate. I would need to check the handshake to find out which hostname it is trying to connect to. You can send the pcap to my email at hmtay@fortinet.com

robdog
New Contributor II

hmtay,

Thanks for your offer of help. It seems that it wasn't the SSL exclusion list that was causing this issue.

We have an application policy in which I had to allow web.client (changed from monitor) and add the HTTPS.BROWSER signature (set to allow).

This has corrected the problem, for anyone else experiencing a similar issue.

Regards

robdog
New Contributor II

Subsequently, I am now having a problem where Office 365 is being blocked by the web filtering policy because web-based mail is blocked.

I don't want to enable webmail, just Office 365. Any ideas?

chandansinghen
New Contributor

Check your FQDN list and exempt it from SSL deep scanning:

    diagnose firewall fqdn list

    List all FQDN:
    update.microsoft.com: ID(244) REF(1) ADDR(157.55.240.94) ADDR(65.55.50.190)

I have checked it and it is working fine. Also, I allow Microsoft MS.Product.Activation in application filtering.

chandansinghen
New Contributor

    diagnose firewall fqdn list

    List all FQDN:
    update.microsoft.com: ID(244) REF(1) ADDR(157.55.240.94) ADDR(65.55.50.190)

Exempt these IP addresses from SSL inspection: 157.55.240.94 and 65.55.50.190, and add the IP address of MS.Product.Activation from the log. Also allow the MS.Product.Activation certificate in application filtering.

Now it is working.

theArties
New Contributor III

Hi there,

I see that this is an old thread. Wondering if there are any changes to the domains given in previous replies?

Appreciate your feedback.
