skorzen
New Contributor

Office 365 Autodiscover - Certificate warning

Hello guys,

I am having a problem with the Office 365 Autodiscover process and FortiGate.

Basically, when my client (Outlook or even a web browser) tries to reach an unresolvable URL like https://tenantname.mail.onmicrosoft.com/autodiscover/autodiscover.xml, it presents me with a FortiGate certificate warning (signed by the FortiGate CA), and when I accept it I get FortiGate's replacement message saying that the DNS name does not exist.

If the HTTPS URL is valid (DNS resolvable), then it just gets me to the destination, even if there is no content there, which is what's needed in the previous case.

I've tried creating a Static URL Filter in order to bypass this behavior, without luck. Even after disabling all kinds of SSL inspection and Application Control options, I still get that "error".

Is there a way to bypass this? I am using only Explicit Proxy rules. The replacement message cannot be disabled in general, but can be bypassed for this particular FQDN, if possible.

Thanks a lot!

BR,

Bruno Martins

1 Solution
ipns
New Contributor III

Hi Bruno,

I also had this problem. I solved it by configuring the proxy settings in the browser of my clients, exempting *.onmicrosoft.com from being sent to the proxy. Another solution is importing the FortiGate CA certificate in the certificate store of the clients. Another solution is disabling explicit proxy and exempting *.onmicrosoft.com from SSL inspection.

Kind Regards,

IPNS
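
The first workaround in the answer above (exempting *.onmicrosoft.com in the client proxy settings), sketched as a proxy auto-config (PAC) file. This is an added example, not code from the thread or from Fortinet. The proxy address is a placeholder and `hostInDomain` is a hypothetical helper; it matches only real subdomains of onmicrosoft.com, so look-alike host names still go through the proxy.

```javascript
// Added example PAC file. Written in ES3-style JavaScript (var, no
// endsWith) so that older PAC engines can also parse it.

// Placeholder proxy address (assumption, not a value from the thread).
var PROXY = "PROXY proxy.example.internal:8080";

// Parent domains whose subdomains bypass the explicit proxy.
var DIRECT_DOMAINS = ["onmicrosoft.com"];

// True only when host is a subdomain of domain. The comparison is made
// on a label boundary (".onmicrosoft.com"), so "evilonmicrosoft.com"
// and "onmicrosoft.com.example.net" do not match.
function hostInDomain(host, domain) {
  var h = String(host).toLowerCase();
  // Drop the trailing dot of a fully qualified name.
  if (h.charAt(h.length - 1) === ".") {
    h = h.substring(0, h.length - 1);
  }
  var suffix = "." + domain;
  var start = h.length - suffix.length;
  // start > 0 requires at least one character before the suffix.
  return start > 0 && h.substring(start) === suffix;
}

// Entry point called by the client for every request.
function FindProxyForURL(url, host) {
  for (var i = 0; i < DIRECT_DOMAINS.length; i++) {
    if (hostInDomain(host, DIRECT_DOMAINS[i])) {
      return "DIRECT";
    }
  }
  return PROXY;
}
```

Hosts returned as DIRECT are no longer seen by the explicit proxy policy, so the list should stay as short as the workaround needs.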

skorzen
New Contributor

ipns wrote:

Hi Bruno,

I also had this problem. I solved it by configuring the proxy settings in the browser of my clients, exempting *.onmicrosoft.com from being sent to the proxy. Another solution is importing the FortiGate CA certificate in the certificate store of the clients. Another solution is disabling explicit proxy and exempting *.onmicrosoft.com from SSL inspection.

I'll try your suggestion of modifying the clients' browser proxy settings.

Cheers!

dmcquade
New Contributor III

I have had similar situations. For these we create a wildcard FQDN object (*.onmicrosoft.com) and add it to the SSL Inspection profile Exception list.
