- Products
- Learn
- Local User Groups
- Partners
- More
Check Point Jump-Start Online Training
Now Available on CheckMates for Beginners!
Welcome to Maestro Masters!
Talk to Masters, Engage with Masters, Be a Maestro Master!
ZTNA Buyer’s Guide
Zero Trust essentials for your most valuable assets
The SMB Cyber Master
Boost your knowledge on Quantum Spark SMB gateways!
Check Point's Cyber Park is Now Open
Let the Games Begin!
As YOU DESERVE THE BEST SECURITY
Upgrade to our latest GA Jumbo
CheckFlix!
All Videos In One Space
We have Skype for Business implemented but are facing an issue.
Skype client needs to contact specific server to get some sort of webticket for getting authenticated and receiving a certificate from the Skype server.
Connection to this Skype server is having an issue, to be more specific, we get to the point where the encrypted handshake message has been received ... but then de connection is terminated.
Same process repeats couple of times but without success, then the Skype fallback procedure kicks but this results in users having to wait like 3-4 minutes until Skype has been connected.
Basic connectivity towards Skype server seems ok, since we get the connection going.
We've been extensively troubleshooting this together with provider in charge of supplying us Skype services, but cannot get around this issue and we're out of options.
We don't do HTTPS inspection and have policy rule allowing traffic for addresses we need to reach and for HTTP and HTTPS services.
What could possibly going wrong or how can we troubleshoot further?
HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87 is installed on FWs (ClusterXL) and MGMT
Access control rule in the Firewall policy has been created, where source is the VLAN where our workstation live in destination remote network, Services & Applications allowed are HTTP/HTTPS with action Accept.
Logs show me the traffic has been accepted.
Troubleshooting:
------------------
- fw ctl zdebug + drop does not show any traffic related to or from this destination network has been dropped.
- for testing, remote server had been temporary allowed to be pinged to test basic connectivity -> OK
- verified if any asymmetric routing -> identified at provider side and solved - routing ok
- Fiddler trace taken and investigated by remote party -> identified Skype client keeps trying to get data from Skype server but is not able
- Skype client logs investigated by remote party
I know this probably isn't what you want to hear, but upgrade to R80.30 with the latest GA Jumbo HFA. Massive improvements in HTTPS/TLS Inspection in the realms of functionality and performance.
Are you using the in-built HTTP/HTTPS service objects for the Skype rules or have you cloned and modified them?
Yes, built-in HTTP/HTTPS service objects, nothing cloned or changed on that.
Massive improvements, even if we don't do any HTTPS inspection?
Your question was about HTTPS/TLS inspection, and the changes specifically related to this feature in R80.30 are very positive and my customers have been very happy with them. R80.30 was a very good release out of the gate in my opinion, R80.20 needed a bit more updates via Jumbo HFA due to all the new features such as SecureXL being reworked.
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY