Dave
Contributor

SSL/TLS connection issue

We have Skype for Business implemented but are facing an issue.

The Skype client needs to contact a specific server to get some sort of webticket for getting authenticated and receiving a certificate from the Skype server.

The connection to this Skype server is having an issue. To be more specific, we get to the point where the encrypted handshake message has been received ... but then the connection is terminated.
The same process repeats a couple of times but without success, then the Skype fallback procedure kicks in, but this results in users having to wait like 3-4 minutes until Skype has connected.

Basic connectivity towards the Skype server seems OK, since we get the connection going.

We've been extensively troubleshooting this together with the provider in charge of supplying us Skype services, but cannot get around this issue and we're out of options.

We don't do HTTPS inspection and have a policy rule allowing traffic for the addresses we need to reach and for HTTP and HTTPS services.

What could possibly be going wrong, or how can we troubleshoot further?
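Added example (not part of the original post and not Check Point or Skype tooling): a small TLS record walker that labels each record in one direction of a reassembled TCP stream, so that a session ending after the "encrypted handshake message" can be told apart from one where the peer sent an alert first. It assumes TLS 1.2 or earlier and bytes exported from a packet capture; the function names and the sample bytes are constructed for illustration.

```python
import struct

CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             12: "ServerKeyExchange", 14: "ServerHelloDone", 16: "ClientKeyExchange"}
ALERT = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
         46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version"}

def walk_records(stream: bytes) -> list:
    """Label every TLS record in one direction of a reassembled TCP stream."""
    labels, offset, encrypted = [], 0, False
    while offset + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, offset)
        body = stream[offset + 5:offset + 5 + length]
        offset += 5 + length
        if ctype not in CONTENT:
            labels.append("not a TLS record (type %d)" % ctype)
            break
        if len(body) < length:
            labels.append("truncated " + CONTENT[ctype])
            break
        if ctype == 20:
            encrypted = True  # everything this side sends next is ciphertext
            labels.append(CONTENT[ctype])
        elif encrypted:
            labels.append("Encrypted " + CONTENT[ctype])
        elif ctype == 22:
            pos = 0  # one record can carry several handshake messages
            while pos + 4 <= len(body):
                labels.append(HANDSHAKE.get(body[pos], "Handshake(%d)" % body[pos]))
                pos += 4 + int.from_bytes(body[pos + 1:pos + 4], "big")
        elif ctype == 21 and length == 2:
            labels.append("Alert: " + ALERT.get(body[1], "code %d" % body[1]))
        else:
            labels.append(CONTENT[ctype])
    return labels

def record(ctype: int, body: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body

def handshake(htype: int, body: bytes) -> bytes:
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

# Constructed sample (not a real capture): server-to-client bytes of one session.
SAMPLE = (record(22, handshake(2, bytes(38)) + handshake(14, b""))
          + record(20, b"\x01") + record(22, b"\xaa" * 40) + record(21, b"\xbb" * 26))

if __name__ == "__main__":
    print(walk_records(SAMPLE))
```

If the last label for a direction is an alert, that side's TLS stack ended the session itself; if the list stops at "Encrypted Handshake" with no alert, the close happened at the TCP level and the capture's FIN/RST packets show which side sent it.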

PhoneBoy
Admin

What version/jumbo hotfix level is the management/gateway?
What precise rules have you created for this traffic?
What are you seeing in the logs around the time this traffic is being initiated?
What precise troubleshooting steps have you taken to date with the results?
Dave
Contributor

HOTFIX_R80_20_JUMBO_HF_MAIN Take: 87 is installed on FWs (ClusterXL) and MGMT

An access control rule has been created in the Firewall policy, where the source is the VLAN where our workstations live, the destination is the remote network, and the Services & Applications allowed are HTTP/HTTPS with action Accept.

Logs show me the traffic has been accepted.

Troubleshooting:
------------------

- fw ctl zdebug + drop does not show that any traffic to or from this destination network has been dropped.

- for testing, the remote server was temporarily allowed to be pinged to test basic connectivity -> OK

- verified whether there was any asymmetric routing -> identified at provider side and solved - routing OK

- Fiddler trace taken and investigated by remote party -> identified that the Skype client keeps trying to get data from the Skype server but is not able to

fiddler.png

- Skype client logs investigated by remote party

Timothy_Hall
Champion

I know this probably isn't what you want to hear, but upgrade to R80.30 with the latest GA Jumbo HFA.  Massive improvements in HTTPS/TLS Inspection in the realms of functionality and performance.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Chris_Atkinson
Employee

Are you using the in-built HTTP/HTTPS service objects for the Skype rules or have you cloned and modified them?

CCSM R77/R80/ELITE
Dave
Contributor

Yes, built-in HTTP/HTTPS service objects, nothing cloned or changed on that.

Dave
Contributor

Massive improvements, even if we don't do any HTTPS inspection?

Timothy_Hall
Champion

Your question was about HTTPS/TLS inspection, and the changes specifically related to this feature in R80.30 are very positive and my customers have been very happy with them.  R80.30 was a very good release out of the gate in my opinion, R80.20 needed a bit more updates via Jumbo HFA due to all the new features such as SecureXL being reworked.

 
