Description
When SSL 'Full Inspection' is applied in the firewall policies for internal users' traffic, the “Skype for Business” app may fail to connect properly: it uses port 443 to reach Microsoft servers, and the certificate it receives must be the original one (signed by a known Certificate Authority).
Solution
Because the URLs used by the app may differ depending on the Office 365 account in use (for example: “mydomain.onmicrosoft.com”), the best solution is to create a firewall policy at the top of the policy list that allows traffic whose destination is the “Skype for Business” IP addresses. Apply it with the following steps:
1) Copy the content of the attached script.
2) Paste it in the FortiGate CLI.
3) Verify the address-group named “SkypeFB_Grp” has been created in the FortiGate.
4) Create a firewall policy (placed above the general policies) from Internal > WAN with source IP: “ALL” and destination IP: “SkypeFB_Grp” without applying SSL inspection.
5) Verify the “Skype for Business” App works properly after the changes.
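Steps 3 and 4 can also be done from the CLI. The following is an added example, not the attached script and not Fortinet's own configuration. Assumptions: the interface names "internal" and "wan1", the policy name, the HTTPS-only service, NAT and logging settings, and the two policy-ID placeholders in the move command.

```fortios
# Step 3: confirm the address group created by the pasted script exists
# and lists its member address objects.
show firewall addrgrp SkypeFB_Grp

# Step 4: exemption policy from Internal to WAN.
# "edit 0" lets FortiOS assign the next free policy ID.
config firewall policy
    edit 0
        set name "SkypeFB-no-ssl-inspection"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "SkypeFB_Grp"
        set action accept
        set schedule "always"
        # Assumption: only port 443 needs the exemption, so every other
        # service to these addresses still falls through to the general
        # policies below.
        set service "HTTPS"
        set nat enable
        # Log the exempted sessions, since their content is not inspected.
        set logtraffic all
        # No SSL inspection profile or other security profile is set here,
        # so the client receives the original server certificate.
    next
end

# List the policy IDs, then place the new policy above the general
# Internal > WAN policy that applies SSL 'Full Inspection'.
show firewall policy
config firewall policy
    move <new-policy-id> before <first-general-policy-id>
end
```

Because policies are evaluated top-down, the exemption only takes effect once the new policy sits above the inspecting one; keeping its destination limited to “SkypeFB_Grp” leaves all other traffic under full inspection.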
Further information can be found on the Microsoft web site in the section Office Support / Office 365 Admin / Setup: https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-ab...