Hot!FAC: Make sure you aren't blocking - directregistration.fortinet.com

Author
seadave
Expert Member
  • Total Posts : 324
  • Scores: 48
  • Reward points: 0
  • Joined: 2004/11/03 18:02:09
  • Location: Seattle, WA
  • Status: offline
2019/10/28 15:56:31 (permalink)
0

FAC: Make sure you aren't blocking - directregistration.fortinet.com

Just a FYI, our FAC stopped being able to sync users from AD and adding them for FTKM assignment.  Error showed:
 
FTM provision error: problem with SSL comm layer: server connection failed: SSL session failed
Failed to assign remote LDAP user xxxxx @ xxxxx-DCs (xxx.xxx.xxx.10) with an available FTM token (FTKMxxxxxxxxxx) due to an activation error: Unable to provision token FTKMxxxxxxxxx: Unknown error.


Finally determined that FAC was hitting on our our MiTM/SSL Inspection outbound rules and Fortinet didn't like the cert interception.  Moved the directregistration.fortinet.com host to one of our trusted hosts rule that doesn't have SSL inspection and it started working again.
 
We think the IP for this host was updated today but not sure.
#1

1 Reply Related Threads

    xsilver
    Expert Member
    • Total Posts : 458
    • Scores: 103
    • Reward points: 0
    • Joined: 2015/02/02 03:22:58
    • Location: EMEA
    • Status: offline
    Re: FAC: Make sure you aren't blocking - directregistration.fortinet.com 2019/12/13 07:45:45 (permalink)
    0
    thanks for sharing your case.
    Yes, token activation is done over TLS and bidirectional cert verification and if that is forged, by any MiTM SSL inspecting proxy, then it will fail. That's expected outcome.

    Kind Regards,
    Tomas
    #2
    Jump to:
    © 2020 APG vNext Commercial Version 5.5