techevo
New Contributor

virtual server ssl offload after upgrade to 5.2.3

I have a virtual server set up from a public IP to an internal server (OWA) with SSL offload. The server has the necessary FortiGate certificate, and the FortiGate is presenting the original server certificate to the clients coming from the web. It used to work well in 5.0.9, but since I upgraded to 5.2.3 it's no longer working. Web browsers give a bad certificate error. I cannot open the page at all. Were there any changes in the way SSL or certificates are processed in 5.2.x that need to be manually adjusted?

 

The certificate is not expired.

 

Any idea what could have happened?

 

Thanks

1 Solution
Christopher_McMullan

If you replace the previous certificate configuration with an SSL/SSH inspection profile set to 'protect server' instead of perform deep inspection, you could likely add the proper certificate back in successfully.

Regards, Chris McMullan Fortinet Ottawa


techevo
New Contributor

Thanks it does work!

 

Still not quite sure why the virtual server that was working in 5.0.x is not in 5.2.3? Your solution is simpler as long as we still have only one OWA server!

 

Thanks.

Christopher_McMullan

Well, you can define different SSL/SSH inspection profiles, one per policy, in order to serve different certificates.

 

I'm not sure how the 5.0 configuration would have been modified when upgrading between there and 5.2, in terms of what was stripped out. It may be that the VIP was retained, but the certificate was not moved to its own inspection profile automatically.

Regards, Chris McMullan Fortinet Ottawa

Christopher_McMullan

I may have been fed the wrong information earlier. It seemed that 'protect server' profiles replaced SSL offloading, but that may not be the case.

 

Could you check the defined certificate you had entered in 5.0 now that you're running 5.2, and see if it's the value you expected?

 

config firewall vip
    edit <vip_name>
        get | grep ssl-certificate
end

Regards, Chris McMullan Fortinet Ottawa
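
The check suggested in the last reply can be run across every VIP at once by comparing a pre-upgrade and a post-upgrade configuration backup. The script below is an added example, not part of the thread and not Fortinet code; the backup excerpts are constructed, and the VIP and certificate names are hypothetical.

```python
import re

# Constructed excerpts of two configuration backups (not from the thread);
# the VIP and certificate names are hypothetical.
BEFORE = '''config firewall vip
    edit "owa-vip"
        set extip 203.0.113.10
        set ssl-certificate "owa-public-cert"
        config realservers
            edit 1
                set ip 10.0.0.5
            next
        end
    next
end
'''
AFTER = BEFORE.replace('"owa-public-cert"', '"some-other-cert"')

def vip_certificates(config_text):
    """Map each VIP name to its ssl-certificate value (None if unset)."""
    certs, depth, current = {}, 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line == "config firewall vip":
                depth = 1
            continue
        if line.startswith("config "):   # nested table inside a VIP entry
            depth += 1
        elif line == "end":              # closes the innermost open table
            depth -= 1
        elif depth == 1:                 # only top-level VIP entries count
            if m := re.fullmatch(r'edit "?([^"]+?)"?', line):
                current = m.group(1)
                certs[current] = None
            elif current and (m := re.fullmatch(r'set ssl-certificate "?([^"]+?)"?', line)):
                certs[current] = m.group(1)
    return certs

def certificate_drift(before_text, after_text):
    """VIPs whose offload certificate changed or vanished between backups."""
    before, after = vip_certificates(before_text), vip_certificates(after_text)
    return [(name, old, after.get(name)) for name, old in sorted(before.items())
            if old is not None and after.get(name) != old]

if __name__ == "__main__":
    for name, old, new in certificate_drift(BEFORE, AFTER):
        print(f"{name}: ssl-certificate was {old!r}, now {new!r}")
```

A VIP reported with `None` as the new value has lost its `ssl-certificate` line entirely, which is the case worth checking first after an upgrade.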
