FortiOS 6.0.3 problem with explicit proxy and web socket connections

Wurstsalat
2018/12/27 03:53:42


Hi there,
we recently upgraded our FortiGate from FortiOS 5.6.7 to 6.0.3 but now have problems with several "chat" applications, such as Facebook web messenger, WhatsApp Web and so on.

What we have in place
- Explicit proxy
- Proxy has authentication enabled
- HTTPS Deep Inspection is enabled

When we analyze the connection in the browsers, we always see that "wss://" connections are broken, such as
wss://web.whatsapp.com/ws
Therefore it is not possible to start web socket based applications.

It works when we exclude the domain web.whatsapp.com from deep inspection, but we can't do this for all domains worldwide and we never had this problem with 5.6.x.
 
So does anyone know how to resolve this in FortiOS 6.x?
 
Any help is appreciated
#1
Cloud
Re: FortiOS 6.0.3 problem with explicit proxy and web socket connections 2018/12/27 06:04:55
Hello,
 
There are a few applications that you can't do deep inspection on, since they won't work.
For example, games like World of Warcraft, or chat like WhatsApp.

The WhatsApp client uses its own certificate to connect to the server, so if you try to use deep inspection, the WhatsApp server will see that and won't let the user connect.
 
Sorry for my English.
 
Best Regards
Marcin
#2
pmit
Re: FortiOS 6.0.3 problem with explicit proxy and web socket connections 2019/09/10 07:29:38
This is because FortiGate does not support web socket proxy. The web sockets attempt to connect directly, which of course does not work when someone is connected via VPN. I am trying to get a feature request for this going, as many newer apps use web sockets. There are other proxy solutions that do support this even though Fortinet has not yet implemented it. I have not had enough time to test them, but NGINX supports web socket proxy and Kaazing https://kaazing.com/kwg supposedly supports it as well. I will post more if I get a feature request going.

Please vote up, this is a must-have feature of the SSL web portal.
#3