Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

SSL Deep Packet Inspection breaks RDP Gateway over HTTPS



In my lab I have a 200E on 5.4.4. I'm using ssl deep inspection for 443 traffic. I'm testing with the Fortigate SSL cert added to the trusted root cert authorities store on computer accounts for windows 10. Normal https traffic is working fine tested on IE11.


My issue is when using RDP connections through rd gateway servers. Specifically external Windows Server 2012 rd gateway servers wont connect rdp sessions from windows devices behind the Fortigate in my lab. Interestingly SBS 2011 rd gateway servers connect successfully, actually.


I tried both proxy and flow based modes. Same result. Does anyone have similar issues or know how to resolve?

New Contributor



The answer for this problem its... add your CA from your RDS to trusted Certificates CA to Fortigate.


This resolve my issue a few years ago.



New Contributor



I know this is an old thread, but I'm not able to use RDP gateway with deep inspection. I'm not talking about inbound access to a gateway server, my clients are not able to connect to external servers. Since we do need to connect to a lot of these for various reasons I'm not able to enable DPI. We are using the FortiGate CA Certifiicate and it's trusted by the users workstations. Except the rdp gateways it's working pretty good.


The application is detected fine and it's also allowed, but the rdp clients always ends with an error message and no rdp connection.


I haven't been able to find a fix for external RDS servers being blocked by DPI either, but what we do is add the external RDS/RDWeb URLs to the DPI exemption list in the SSL/SSH Inspection profile so that we can keep DPI enabled for all non-RDS traffic.





Thank you for the confirmation that I'm not the only one who faces that issue. The solution though, that's a lot of manual work i had hoped to avoid...

New Contributor

Thank you for sharing!
Has this ever been solved properly instead of adding all RDP Gateway servers to the exemption list?
Thanks in advance,


Top Kudoed Authors