Ivory

SSL/TLS connection issue

We have Skype for Business implemented but are facing an issue.

The Skype client needs to contact a specific server to get some sort of webticket for getting authenticated and receiving a certificate from the Skype server.

The connection to this Skype server is having an issue; to be more specific, we get to the point where the encrypted handshake message has been received ... but then the connection is terminated.
The same process repeats a couple of times without success, then the Skype fallback procedure kicks in, but this results in users having to wait like 3-4 minutes until Skype has been connected.

Basic connectivity towards the Skype server seems ok, since we get the connection going.

We've been extensively troubleshooting this together with the provider in charge of supplying us Skype services, but cannot get around this issue and we're out of options.

We don't do HTTPS inspection and have a policy rule allowing traffic for the addresses we need to reach and for HTTP and HTTPS services.

What could possibly be going wrong, or how can we troubleshoot further?

0 Kudos
7 Replies
Admin

Re: SSL/TLS connection issue

What version/jumbo hotfix level is the management/gateway?
What precise rules have you created for this traffic?
What are you seeing in the logs around the time this traffic is being initiated?
What precise troubleshooting steps have you taken to date with the results?
0 Kudos
Ivory

Re: SSL/TLS connection issue

HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87 is installed on FWs (ClusterXL) and MGMT

An access control rule in the Firewall policy has been created, where the source is the VLAN where our workstations live, the destination is the remote network, and the Services & Applications allowed are HTTP/HTTPS with action Accept.

Logs show me the traffic has been accepted.

Troubleshooting:
------------------

- fw ctl zdebug + drop does not show that any traffic to or from this destination network has been dropped.

- for testing, the remote server had been temporarily allowed to be pinged to test basic connectivity -> OK

- verified whether there was any asymmetric routing -> identified at provider side and solved - routing ok

- Fiddler trace taken and investigated by remote party -> identified that the Skype client keeps trying to get data from the Skype server but is not able to


- Skype client logs investigated by remote party

0 Kudos

Re: SSL/TLS connection issue

I know this probably isn't what you want to hear, but upgrade to R80.30 with the latest GA Jumbo HFA.  Massive improvements in HTTPS/TLS Inspection in the realms of functionality and performance.

 

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
Employee++

Re: SSL/TLS connection issue

Are you using the in-built HTTP/HTTPS service objects for the Skype rules or have you cloned and modified them?

0 Kudos
Ivory

Re: SSL/TLS connection issue

Yes, built-in HTTP/HTTPS service objects, nothing cloned or changed on that.

0 Kudos
Ivory

Re: SSL/TLS connection issue

Massive improvements, even if we don't do any HTTPS inspection?

0 Kudos

Re: SSL/TLS connection issue

Your question was about HTTPS/TLS inspection, and the changes specifically related to this feature in R80.30 are very positive and my customers have been very happy with them. R80.30 was a very good release out of the gate in my opinion; R80.20 needed a bit more updates via Jumbo HFA due to all the new features such as SecureXL being reworked.

 

0 Kudos