Mohammad Al-Zard
config firewall vip
    edit "vip.srv.ssloffload"
        set type server-load-balance
        set extip xxx.xxx.xxx.xxx
        set extintf "wan2"
        set server-type https
        set extport 443
        config realservers
            edit 1
                set ip xxx.xxx.xxx.xxx
                set port 443
            next
        end
        set ssl-mode full
        set ssl-certificate "Fortinet_CA_SSLProxy"
    next
end

For the policy, I included application control, as I would like to be able to tell if the traffic is OWA or ActiveSync. But the logs just show HTTPS, with no application. Any ideas how I can get this to populate?

config firewall policy
    edit 113
        set srcintf "wan2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "vip.srv.ssloffload"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set logtraffic all
        set ips-sensor "default"
        set application-list "Monitor_All"
        set profile-protocol-options "default"
        set deep-inspection-options "default"
    next
end
Hi,
I would like to bring this up as well. We had it all working like you needed to, a VirtualServer did the SSL offloading for a Microsoft Exchange Server serving OWA and ActiveSync via HTTPS.
Internet <-> FG <-> Exchange Server
With 5.2.2 we are having nothing but trouble. It was the admin's fault for not reading the release notes in detail (tiny details), but not having a backup made it even worse.
All we see for incoming traffic is Application SSL, which is kinda useless. We are checking for applications like ActiveSync, Outlook Anywhere etc ... this all does not work any longer.
The support team challenged us to send tons of support output, and even wanted us to manually decrypt the traffic from a packet trace via Wireshark, which did not work; no further steps were taken on this path, a waste of time. The last statement from the support team was:
-----------
I was discussing your issue with our engineering. Marking application as SSL is correct behavior. The reason is, that the Fortigate unit doesn't terminate the communication.
Communication is as follows: client ----SSL encrypted------FGT-------SSL encrypted-------Exchange. The FGT unit is opening an SSL connection to the Exchange server on port 443. Communication between FGT and Exchange is encrypted and FGT can't see the content of packets, so it's not able to mark the application as ActiveSync/Outlook. To have this type of traffic correctly marked as ActiveSync/Outlook, you need to configure the Exchange server to listen on HTTP, not HTTPS.
-----------
What is going wrong here? The appliance is doing the offload, so it's there in cleartext.
Any help highly appreciated.
--Michael
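As an added illustration of the support reply quoted above (this is not configuration posted by anyone in the thread): the same VIP with the FortiGate terminating TLS on the outside and forwarding plain HTTP to the real server, which is the topology support describes as the one where the proxied traffic is visible to application control. The addresses, object names and the Exchange HTTP listener on port 80 are assumptions.

```text
config firewall vip
    edit "vip.srv.ssloffload"
        set type server-load-balance
        set extip xxx.xxx.xxx.xxx
        set extintf "wan2"
        set server-type https
        set extport 443
        # half: TLS ends on the FortiGate; the server leg is cleartext
        set ssl-mode half
        set ssl-certificate "Fortinet_CA_SSLProxy"
        config realservers
            edit 1
                set ip xxx.xxx.xxx.xxx
                # assumed: Exchange virtual directories also bound to HTTP
                set port 80
            next
        end
    next
end
```

Only the client-to-FortiGate leg is encrypted in this mode; the FortiGate-to-Exchange leg is cleartext HTTP, so it belongs on a trusted internal segment, which is the trade-off the support statement implies.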
This type of setup needs to be added to the next Cookbook. How to decrypt incoming SSL traffic and identify applications.
I am having this exact issue. Please tell me there was another solution other than not to use HTTPS.
Copyright 2024 Fortinet, Inc. All Rights Reserved.