This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Allowing Lync: enabling SSL decryption blocks it

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Allowing Lync: enabling SSL decryption blocks it

Arne-VDH
L3 Networker

‎01-09-2016 08:40 AM - edited ‎01-09-2016 08:41 AM

Hi,

 

In a test setup I'm trying to allow MS-Lync while SSL decryption is enabled.

I've got a general rule to enable SSL Decryption with the proper certificate installed on the clients end.

In my security policies I've got a rule to allow Lync based on App-ID.

Allow-Lync.PNG

Lync however refuses to even sign in.

 

The only thing I have noticed that DNS requests seeem to age out for a to me unknown reason:

age out.PNG

 

As a test, I added a no-decrypt rule for MS/Lync URL's, but that doesn't really make a difference.

 

As soon as I disable the decryption rule, all works fine (but of course allows more than I would want). How can I exclude lync from being decrypted, or even better, how do I get Lync to get through with decryption enabled?

 

On: https://live.paloaltonetworks.com/t5/Configuration-Articles/List-of-Applications-Excluded-from-SSL-D...

there is a comment at the bottom from someone stating the issue that Lync is failing when SSL decryption is enabled, but he refers to a broken link. Any suggestions?

0 Likes Likes
3 REPLIES 3

pankaku
L5 Sessionator

‎01-09-2016 08:29 PM

You have to stop decryption for lync otherwise it will fail. To stop decrypting you can create a customer URL category and inside that you have specify the URL used by your lync.

 

To find out the URL used by lync:

1> Create a URL filtering profile which have action for all category as alert.

2> Create a security policy to allow only lync traffic for one specific host and apply the URL filtering profile in this security policy.

3>Create another security policy to deny everything for that sepecific host.

4> Do a commit and check if the lync is working or not if it is not working allow more applicaitons.

5> Now if the lycn is working you will get the URL allowed by the security policy from URL logs.

 

Take these URLs and apply them into customer url Category. Call the custom URL cateogry into the no decrypt rule.

 

Hope this helps!

0 Likes Likes

Arne-VDH
L3 Networker
In response to pankaku

‎01-10-2016 07:31 AM

Actually, I tried that ("As a test, I added a no-decrypt rule for MS/Lync URL's, but that doesn't really make a difference.") using the list of URL's & IP addresses at:

https://support.office.com/en-gb/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-ab...

 

But it still seems to fail on session age-outs..

age out 2.PNG

0 Likes Likes

pankaku
L5 Sessionator
In response to Arne-VDH

‎01-10-2016 09:30 AM

Could you attach the custom url category that you have created for not decrypt. Also the screenshot for the URL filtering logs.

0 Likes Likes
  • 2904 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks