SSL Deep Packet Inspection breaks RDP Gateway over HTTPS
Hi,
In my lab I have a 200E on 5.4.4. I'm using ssl deep inspection for 443 traffic. I'm testing with the Fortigate SSL cert added to the trusted root cert authorities store on computer accounts for windows 10. Normal https traffic is working fine tested on IE11.
My issue is when using RDP connections through rd gateway servers. Specifically, external Windows Server 2012 rd gateway servers won't connect rdp sessions from windows devices behind the Fortigate in my lab. Interestingly, SBS 2011 rd gateway servers actually connect successfully.
I tried both proxy and flow based modes. Same result. Does anyone have similar issues or know how to resolve?
Labels: 5.4
Hi!
The answer for this problem is... add the CA from your RDS to the trusted CA certificates on the Fortigate.
This resolved my issue a few years ago.
Hi,
I know this is an old thread, but I'm not able to use RDP gateway with deep inspection. I'm not talking about inbound access to a gateway server; my clients are not able to connect to external servers. Since we do need to connect to a lot of these for various reasons, I'm not able to enable DPI. We are using the FortiGate CA Certificate and it's trusted by the users' workstations. Except for the rdp gateways, it's working pretty well.
The application is detected fine and it's also allowed, but the rdp clients always end with an error message and no rdp connection.
I haven't been able to find a fix for external RDS servers being blocked by DPI either, but what we do is add the external RDS/RDWeb URLs to the DPI exemption list in the SSL/SSH Inspection profile so that we can keep DPI enabled for all non-RDS traffic.
Russ
NSE7
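For readers who manage the FortiGate from the CLI rather than the GUI, here is an added example of the exemption approach Russ describes (and, as a second step, the CA-import approach from the earlier reply). This is illustrative configuration written for this thread, not a snippet from the original posts or from Fortinet documentation. The address object name `rds-gw-example`, the hostname `rdgateway.example.com`, the CA entry name `RDS-Root-CA` and the profile name `deep-inspection` are assumptions; the exact `ssl-exempt` type options available vary by FortiOS release, so check them on your build.

```fortios
# Added example for this thread (not from the original posts).
# Names and hostnames below are placeholders/assumptions.

# 1. One FQDN address object per external RD Gateway / RDWeb host.
#    Using specific FQDNs keeps the exemption as narrow as possible,
#    since exempted traffic is no longer inspected by the FortiGate.
config firewall address
    edit "rds-gw-example"
        set type fqdn
        set fqdn "rdgateway.example.com"
    next
end

# 2. Reference that object from the SSL exemption list of the
#    deep-inspection profile used by the outbound policy.
#    "edit 0" lets the FortiGate assign the next free entry id.
config firewall ssl-ssh-profile
    edit "deep-inspection"
        config ssl-exempt
            edit 0
                set type address
                set address "rds-gw-example"
            next
        end
    next
end

# Alternative suggested earlier in the thread: make the FortiGate trust
# the CA that issued the RD Gateway certificate. The PEM body is a
# placeholder; paste the real issuing CA certificate in its place.
config vpn certificate ca
    edit "RDS-Root-CA"
        set ca "-----BEGIN CERTIFICATE-----
<PEM contents of the RDS issuing CA go here>
-----END CERTIFICATE-----"
    next
end
```

After applying the exemption, the FortiGate no longer re-signs TLS to those hosts, so the client sees the gateway's real certificate; the trade-off is that nothing inside those sessions is inspected, which is why per-host FQDN entries are preferable to broad category or wildcard exemptions. Verify from a workstation behind the firewall that the RDP session now establishes, and that ordinary HTTPS to other sites still presents the FortiGate-issued certificate (confirming DPI is still active for everything else).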
Thank you for the confirmation that I'm not the only one who faces that issue. The solution, though, that's a lot of manual work I had hoped to avoid...
Still seems to be the only method... ?
Thank you for sharing!
Has this ever been solved properly instead of adding all RDP Gateway servers to the exemption list?
Thanks in advance,
Marcel
