Support Forum
forti_fan
New Contributor

Outlook Web Access and url filter

Hi, we have an Exchange server with Outlook Web Access and a valid SSL certificate. On the FortiGate I mapped the IP address of the Exchange server to a virtual IP on port 443. I also use URL filtering so that only the "/owa" directory is available from outside. Because of SSL I need deep packet inspection for the URL filter to work. But the certificate is marked as invalid on the client. Is there a possibility to make a valid SSL chain without importing the FortiGate CA certificate on the client machine? Thanks in advance!
mbrowndcm
New Contributor III

In order to support HTTPS deep packet inspection (as you have configured), you must proxy the HTTPS connection (the firewall must be able to create the connection, decrypt the encrypted packets, re-encrypt them and pass them in both directions). So your client must trust the internal CA contained on the FortiGate. There is no way around this when using HTTPS DPI. I highly suggest that you do not use the internal certificate in the FortiGate, but issue a CA certificate to the FortiGate itself. You can do this with OpenSSL or Windows Server Certificate Authority. It is sort of complex: https://mbrownnyc.wordpress.com/2013/06/03/configuring-a-fortigate-for-utm-inspection-of-ssltls-encrypted-channels-fortigate-ssl-mitm/
"…you would also be running into the trap of looking for the answer to a question rather than a solution to a problem." - Raymond Chen (http://blogs.msdn.com/b/oldnewthing/archive/2013/02/13/10393162.aspx)
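The reply recommends issuing a CA certificate to the FortiGate with OpenSSL rather than using its built-in one. As an added example (not code from the forum poster or from Fortinet), the script below builds a private root CA and signs a subordinate CA certificate for the FortiGate from it; the common names, file names and output directory are assumptions.

```shell
#!/bin/sh
# Constructed example: private root CA plus a subordinate CA for a FortiGate's
# SSL deep inspection. All names/paths are assumptions. Requires openssl.
set -eu
# Minimal OpenSSL config with the extension sets for both certificates.
# pathlen:0 lets the subordinate sign leaf (re-signed) certs only, not further CAs.
write_config() {
  cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ sub_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}
# Create the root CA, the FortiGate CSR and the signed subordinate CA in $1.
issue_fortigate_ca() {
  dir="$1"; mkdir -p "$dir"; write_config "$dir"
  # Root CA: this is the certificate clients must be configured to trust.
  openssl req -x509 -config "$dir/ca.cnf" -extensions root_ext \
    -newkey rsa:4096 -sha256 -nodes -days 3650 \
    -subj "/CN=Example Private Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  # Key and CSR for the FortiGate (key + signed cert get imported on the firewall).
  openssl req -new -config "$dir/ca.cnf" -newkey rsa:3072 -sha256 -nodes \
    -subj "/CN=Example FortiGate SSL Inspection CA" \
    -keyout "$dir/fortigate-ca.key" -out "$dir/fortigate-ca.csr" 2>/dev/null
  # Sign the CSR with the root as a CA certificate, valid five years.
  openssl x509 -req -in "$dir/fortigate-ca.csr" -CA "$dir/root.crt" \
    -CAkey "$dir/root.key" -CAcreateserial -days 1825 -sha256 \
    -extfile "$dir/ca.cnf" -extensions sub_ext \
    -out "$dir/fortigate-ca.crt" 2>/dev/null
}
# Returns 0 if the subordinate certificate chains to the root.
chain_ok() { openssl verify -CAfile "$1/root.crt" "$1/fortigate-ca.crt" >/dev/null 2>&1; }
# Returns 0 if the certificate carries basicConstraints CA:TRUE.
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# Usage: issue_fortigate_ca ./fgt-ca && chain_ok ./fgt-ca
```

Only root.crt is distributed to clients; fortigate-ca.key stays on the FortiGate, and the pathlen:0 constraint keeps it from minting further CAs if it is ever exposed.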