https://live.paloaltonetworks.com/t5/general-topics/allowing-lync-enabling-ssl-decryption-blocks-it/m-p/70646#M40566 <P>Actually, I tried that ("As a test, I added a no-decrypt rule for MS/Lync URL's, but that doesn't really make a difference.") using the list of URL's &amp; IP addresses at: </P> <P><A href="https://support.office.com/en-gb/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&amp;rs=en-GB&amp;ad=GB#BKMK_LYO" target="_blank">https://support.office.com/en-gb/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&amp;rs=en-GB&amp;ad=GB#BKMK_LYO</A></P> <P>&nbsp;</P> <P>But it still seems to fail on session age-outs..</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/1981i2891582FD10455D8/image-size/original?v=mpbl-1&amp;px=-1" alt="age out 2.PNG" title="age out 2.PNG" border="0" /></P> Sun, 10 Jan 2016 15:31:09 GMT Arne-VDH 2016-01-10T15:31:09Z https://live.paloaltonetworks.com/t5/general-topics/allowing-lync-enabling-ssl-decryption-blocks-it/m-p/70632#M40562 <P>Hi,</P> <P>&nbsp;</P> <P>In a test setup I'm trying to allow MS-Lync while SSL decryption is enabled.</P> <P>I've got a general rule to enable SSL Decryption with the proper certificate installed on the clients end.</P> <P>In my security policies I've got a rule to allow Lync based on App-ID.</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/1978iD19B4765B36E6F6D/image-size/original?v=mpbl-1&amp;px=-1" alt="Allow-Lync.PNG" title="Allow-Lync.PNG" border="0" /></P> <P>Lync however refuses to even sign in.</P> <P>&nbsp;</P> <P>The only thing I have noticed that DNS requests seeem to age out for a to me unknown reason:</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/1979iEA57808155E7483E/image-size/original?v=mpbl-1&amp;px=-1" alt="age out.PNG" title="age out.PNG" border="0" /></P> <P>&nbsp;</P> <P>As a test, I added a no-decrypt rule for MS/Lync URL's, but that doesn't really make a difference.</P> <P>&nbsp;</P> <P>As soon as I disable the decryption rule, all works fine (but of course allows more than I would want). How can I exclude lync from being decrypted, or even better, how do I get Lync to get through with decryption enabled?</P> <P>&nbsp;</P> <P>On: <A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/List-of-Applications-Excluded-from-SSL-Decryption/ta-p/62201" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/List-of-Applications-Excluded-from-SSL-Decryption/ta-p/62201</A></P> <P>there is a comment at the bottom from someone stating the issue that Lync is failing when SSL decryption is enabled, but he refers to a broken link. Any suggestions?</P> Sat, 09 Jan 2016 16:41:13 GMT https://live.paloaltonetworks.com/t5/general-topics/allowing-lync-enabling-ssl-decryption-blocks-it/m-p/70632#M40562 Arne-VDH 2016-01-09T16:41:13Z https://live.paloaltonetworks.com/t5/general-topics/allowing-lync-enabling-ssl-decryption-blocks-it/m-p/70641#M40563 <P>You have to stop decryption for lync otherwise it will fail. To stop decrypting you can create a customer URL category and inside that you have specify the URL used by your lync.</P> <P>&nbsp;</P> <P>To find out the URL used by lync:</P> <P>1&gt; Create a URL filtering profile which have action for all category as alert.</P> <P>2&gt; Create a security policy to allow only lync traffic for one specific host and apply the URL filtering profile in this security policy.</P> <P>3&gt;Create another security policy to deny everything for that sepecific host.</P> <P>4&gt; Do a commit and check if the lync is working or not if it is not working allow more applicaitons.</P> <P>5&gt; Now if the lycn is working you will get the URL allowed by the security policy from URL logs.</P> <P>&nbsp;</P> <P>Take these URLs and apply them into customer url Category. Call the custom URL cateogry into the no decrypt rule.</P> <P>&nbsp;</P> <P>Hope this helps!</P> Sun, 10 Jan 2016 04:29:20 GMT https://live.paloaltonetworks.com/t5/general-topics/allowing-lync-enabling-ssl-decryption-blocks-it/m-p/70641#M40563 pankaku 2016-01-10T04:29:20Z https://live.paloaltonetworks.com/t5/general-topics/allowing-lync-enabling-ssl-decryption-blocks-it/m-p/70646#M40566 <P>Actually, I tried that ("As a test, I added a no-decrypt rule for MS/Lync URL's, but that doesn't really make a difference.") using the list of URL's &amp; IP addresses at: </P> <P><A href="https://support.office.com/en-gb/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&amp;rs=en-GB&amp;ad=GB#BKMK_LYO" target="_blank">https://support.office.com/en-gb/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&amp;rs=en-GB&amp;ad=GB#BKMK_LYO</A></P> <P>&nbsp;</P> <P>But it still seems to fail on session age-outs..</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/1981i2891582FD10455D8/image-size/original?v=mpbl-1&amp;px=-1" alt="age out 2.PNG" title="age out 2.PNG" border="0" /></P> Sun, 10 Jan 2016 15:31:09 GMT https://live.paloaltonetworks.com/t5/general-topics/allowing-lync-enabling-ssl-decryption-blocks-it/m-p/70646#M40566 Arne-VDH 2016-01-10T15:31:09Z https://live.paloaltonetworks.com/t5/general-topics/allowing-lync-enabling-ssl-decryption-blocks-it/m-p/70647#M40567 <P>Could you attach the custom url category that you have created for not decrypt. Also the screenshot for the URL filtering logs.</P> Sun, 10 Jan 2016 17:30:42 GMT https://live.paloaltonetworks.com/t5/general-topics/allowing-lync-enabling-ssl-decryption-blocks-it/m-p/70647#M40567 pankaku 2016-01-10T17:30:42Z