Support Forum
Deftone
New Contributor

SSL inspection and AppStore

I have some problems with SSL inspection and the Apple App Store. I enabled web filtering and also enabled SSL inspection to filter some unwanted sites. I imported the SSL Proxy certificate on the iPad and Mac and everything is working fine except the App Store. When I try to connect to the App Store I get a connection error. Are more people having this problem?
daveywavey
New Contributor

I am also experiencing this problem, only with FortiOS 5.0.4.
Forti OS 4.0: FLG_100B-v400-build0705 (4.3.7) FWF_80CM-v400-build0665 (4.3.15) Forti OS 5.0: FWF_90D-v500-build0228 (5.0.3)
Bromont_FTNT
Staff

If you look at the 5.0.4 release notes you'll see that the SSL inspection behaviour has changed... In 5.0.4, if you have "scan encrypted connection" checked then it will actually do the man-in-the-middle attack for SSL inspection.... When it comes to the iTunes/App Store, the application is looking for a specific certificate, so loading the SSL Proxy into the trusted certificate store does not suffice... the site needs to be exempted.
Wayne11
Contributor

Glad to know, but how can I figure out which sites need to be exempted? Is the only way to wait until my users report it for each site they can't use anymore? Where's the difference between a normal SSL encrypted site and those? It's hard to use the SSL inspection feature if every third page still has some trouble with it. It was much easier to block EXE files and some websites through SSL traffic in 4.x compared with 5 now.
SMabille
Contributor

The issue with the App Store is that the server (App Store) does some client certificate validation. As you can't upload your root CA for Apple to trust, you can't have any SSL interception.
William_Moore

This is how I got it working for me when I turned on SSL and deep packet inspection. I opened up a ticket with support and this is what they told me, and it 100% worked.

"
Please create an FQDN address object for "*.apple.com" and configure it under Exempt from SSL Inspection > Addresses for your SSL deep inspection profile (deep-inspection). Please have it tested. If the issue still persists, please add the following FQDNs to the SSL exemption list: * itunes.apple.com s.mzstatic.com *.appstore.com
"

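The exemption described in the support reply above, expressed as a FortiGate CLI fragment. This is an added example, not from the original thread or from Fortinet support; the object name "apple-appstore" and the exempt entry index are assumptions, and the `config ssl-exempt` syntax shown is the one used in later FortiOS releases, so check it against the CLI reference for the version actually running.

```text
# Added example (not from the thread). Creates a wildcard FQDN address
# object and adds it to the SSL exemption list of the "deep-inspection"
# SSL/SSH profile so App Store traffic is passed through uninspected.
config firewall address
    edit "apple-appstore"          # assumed object name
        set type fqdn
        set fqdn "*.apple.com"     # pattern from the support reply
    next
end

config firewall ssl-ssh-profile
    edit "deep-inspection"         # profile name from the support reply
        config ssl-exempt
            edit 1                 # assumed free index; pick an unused one
                set type address
                set address "apple-appstore"
            next
        end
    next
end
```

Exempted hosts are no longer subject to web filtering or content scanning on the encrypted channel, so keep the exemption list as narrow as the App Store actually needs.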