I have a virtual server set up from a public IP to an internal server (OWA) with SSL offload. The server has the necessary FortiGate certificate and the FortiGate is presenting the original server certificate to the clients coming from the web. It used to work well in 5.0.9, but since I upgraded to 5.2.3 it's no longer working. Web browsers give a bad certificate error. I cannot open the page at all. Were there any changes in the way SSL or certificates are processed in 5.2.x that need to be manually adjusted?
The certificate is not expired.
Any idea what could have happened?
Thanks
If you replace the previous certificate configuration with an SSL/SSH inspection profile set to 'protect server' instead of perform deep inspection, you could likely add the proper certificate back in successfully.
Regards, Chris McMullan Fortinet Ottawa
Thanks it does work!
Still not quite sure why the virtual server that was working in 5.0.x is not in 5.2.3? Your solution is simpler as long as we still have only one OWA server!
Thanks.
Well, you can define different SSL/SSH inspection profiles, one per policy, in order to serve different certificates.
I'm not sure how the 5.0 configuration would have been modified when upgrading between there and 5.2, in terms of what was stripped out. It may be that the VIP was retained, but the certificate was not moved to its own inspection profile automatically.
Regards, Chris McMullan Fortinet Ottawa
I may have been fed the wrong information earlier. It seemed that 'protect server' profiles replaced SSL offloading, but that may not be the case.
Could you check the defined certificate you had entered in 5.0 now that you're running 5.2, and see if it's the value you expected?
config firewall vip
edit <vip_name>
get | grep ssl-certificate
end
Regards, Chris McMullan Fortinet Ottawa