Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jamie
New Contributor

SSL Deep Packet Inspection breaks RDP Gateway over HTTPS

Hi,

 

In my lab I have a 200E on 5.4.4. I'm using ssl deep inspection for 443 traffic. I'm testing with the Fortigate SSL cert added to the trusted root cert authorities store on computer accounts for windows 10. Normal https traffic is working fine tested on IE11.

 

My issue is when using RDP connections through rd gateway servers. Specifically external Windows Server 2012 rd gateway servers wont connect rdp sessions from windows devices behind the Fortigate in my lab. Interestingly SBS 2011 rd gateway servers connect successfully, actually.

 

I tried both proxy and flow based modes. Same result. Does anyone have similar issues or know how to resolve?

5 REPLIES 5
shoki
New Contributor

Hi!

 

The answer for this problem its... add your CA from your RDS to trusted Certificates CA to Fortigate.

 

This resolve my issue a few years ago.

 

 

cabby
New Contributor

Hi,

 

I know this is an old thread, but I'm not able to use RDP gateway with deep inspection. I'm not talking about inbound access to a gateway server, my clients are not able to connect to external servers. Since we do need to connect to a lot of these for various reasons I'm not able to enable DPI. We are using the FortiGate CA Certifiicate and it's trusted by the users workstations. Except the rdp gateways it's working pretty good.

 

The application is detected fine and it's also allowed, but the rdp clients always ends with an error message and no rdp connection.

TecnetRuss

I haven't been able to find a fix for external RDS servers being blocked by DPI either, but what we do is add the external RDS/RDWeb URLs to the DPI exemption list in the SSL/SSH Inspection profile so that we can keep DPI enabled for all non-RDS traffic.

 

Russ

NSE7

cabby

Thank you for the confirmation that I'm not the only one who faces that issue. The solution though, that's a lot of manual work i had hoped to avoid...

MMartens
New Contributor

Thank you for sharing!
Has this ever been solved properly instead of adding all RDP Gateway servers to the exemption list?
Thanks in advance,

Marcel

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors