Hello guys,
I am having a problem with Office 365 Autodiscover process and FortiGate.
Basically, when my client (Outlook or even web browser) tries to reach an unresolvable URL like https://tenantname.mail.onmicrosoft.com/autodiscover/autodiscover.xml it presents me with FortiGate certificate warning (signed by FortiGate CA) and when accepted I get to the FortiGate's replacement message saying that DNS name does not exist.
If HTTPS URL is valid (DNS resolvable) then it just gets me to the destination, even if there is no content there, which is what's needed in the previous case.
I've tried creating a Static URL Filter in order to bypass this behavior, without luck. Even disabling all kind of SSL inspection and Application Control options, I still get that "error".
Is there a way to bypass this? I am using only Explicit Proxy rules. Replacement message cannot be disabled in general, but can be bypassed for this particular FQDN, if possible.
Thanks a lot!
BR,
Bruno Martins
Solved! Go to Solution.
Hi Bruno,
I also had this problem. I solved it by configuring the proxy settings in the browser of my clients, exempting *.onmicrosoft.com from being send to the proxy. Another solution is importing the Fortigate CA certificate in the certificate store of the clients. Another solution is disabling explicit proxy and exempting *.onmicrosoft.com from ssl inspection.
Kind Regards,
IPNS
Hi Bruno,
I also had this problem. I solved it by configuring the proxy settings in the browser of my clients, exempting *.onmicrosoft.com from being send to the proxy. Another solution is importing the Fortigate CA certificate in the certificate store of the clients. Another solution is disabling explicit proxy and exempting *.onmicrosoft.com from ssl inspection.
Kind Regards,
IPNS
ipns wrote:Hi Bruno,
I also had this problem. I solved it by configuring the proxy settings in the browser of my clients, exempting *.onmicrosoft.com from being send to the proxy. Another solution is importing the Fortigate CA certificate in the certificate store of the clients. Another solution is disabling explicit proxy and exempting *.onmicrosoft.com from ssl inspection.
I'll try your suggestion of modifying client's browser proxy settings.
Cheers!
I have had similar situations. For these we create a wildcard FQDN object (*.onmicrosoft.com) and add it to the SSL Inspection profile Exception list.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.