This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dave
Participant
‎2020-01-07 01:56 PM

SSL/TLS connection issue

We have Skype for Business implemented but are facing an issue.

Skype client needs to contact specific server to get some sort of webticket for getting authenticated and receiving a certificate from the Skype server.

Connection to this Skype server is having an issue, to be more specific, we get to the point where the encrypted handshake message has been received ... but then de connection is terminated.
Same process repeats couple of times but without success, then the Skype fallback procedure kicks but this results in users having to wait like 3-4 minutes until Skype has been connected.

Basic connectivity towards Skype server seems ok, since we get the connection going.

We've been extensively troubleshooting this together with provider in charge of supplying us Skype services, but cannot get around this issue and we're out of options.

We don't do HTTPS inspection and have policy rule allowing traffic for addresses we need to reach and for HTTP and HTTPS services.

What could possibly going wrong or how can we troubleshoot further?

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2020-01-07 05:32 PM

What version/jumbo hotfix level is the management/gateway?
What precise rules have you created for this traffic?
What are you seeing in the logs around the time this traffic is being initiated?
What precise troubleshooting steps have you taken to date with the results?
0 Kudos
Dave
Participant
‎2020-01-07 11:31 PM
In response to PhoneBoy

HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87 is installed on FWs (ClusterXL) and MGMT

Access control rule in the Firewall policy has been created, where source is the VLAN where our workstation live in destination remote network, Services & Applications allowed are HTTP/HTTPS with action Accept.

Logs show me the traffic has been accepted.

Troubleshooting:
------------------

- fw ctl zdebug + drop does not show any traffic related to or from this destination network has been dropped.

- for testing, remote server had been temporary allowed to be pinged to test basic connectivity -> OK

- verified if any asymmetric routing -> identified at provider side and solved - routing ok

- Fiddler trace taken and investigated by remote party -> identified Skype client keeps trying to get data from Skype server but is not able

fiddler.png

- Skype client logs investigated by remote party

0 Kudos
Timothy_Hall
Champion
Champion
‎2020-01-08 05:18 AM
In response to Dave

I know this probably isn't what you want to hear, but upgrade to R80.30 with the latest GA Jumbo HFA.  Massive improvements in HTTPS/TLS Inspection in the realms of functionality and performance.

 

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
Chris_Atkinson
Employee
Employee
‎2020-01-08 05:48 AM
In response to Timothy_Hall

Are you using the in-built HTTP/HTTPS service objects for the Skype rules or have you cloned and modified them?

0 Kudos
Dave
Participant
‎2020-01-08 11:44 PM
In response to Chris_Atkinson

Yes, built-in HTTP/HTTPS service objects, nothing cloned or changed on that.

0 Kudos
Dave
Participant
‎2020-01-08 11:43 PM
In response to Timothy_Hall

Massive improvements, even if we don't do any HTTPS inspection?

0 Kudos
Timothy_Hall
Champion
Champion
‎2020-01-09 04:56 AM
In response to Dave

Your question was about HTTPS/TLS inspection, and the changes specifically related to this feature in R80.30 are very positive and my customers have been very happy with them.  R80.30 was a very good release out of the gate in my opinion, R80.20 needed a bit more updates via Jumbo HFA due to all the new features such as SecureXL being reworked.

 

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Labels