Hello,
I am taking a chance to write here. For some time now, I have had users complaining that they are no longer able to reach certain websites (e.g. stackoverflow or zendesk) while connected to VPN and working remotely on the office's computer. The error is only present in Google Chrome. The problem does not appear in Internet Explorer and Firefox.
I have SSL/SSH inspection in place on the Fortigate and I suspect this might be the cause. On the other hand, we updated the Fortigate 300E to version 6.2.5 and several people now have various problems.
Can the whole thing be connected?
Thank you very much!
What was your previous firmware before 6.2.5? Some things changed during the upgrade from 6.0 to 6.2. Also, some people were reporting issues with flow-based + certificate-inspection SSL/SSH Inspection Mode specifically in 6.2.5.
So, I'm reading your post as: user VPNs into the network, RDPs to the desktop environment, and the desktop can't connect to the sites? Or are they trying to go through your ssl.root>Internet policies from their remote PC that's creating the SSL tunnel? (Or is this IPsec?)
Try changing your policy to flow mode. Proxy is causing issues in some versions.
So, I'm reading your post as: user VPNs into the network, RDPs to the desktop environment, and the desktop can't connect to the sites?
This is correct.
What was your previous firmware before 6.2.5?
I did 6.2.2 to 6.2.4, then 6.2.4 to 6.2.5.
I’d guess you need to look into the ssl-inspection bug.
If you can commandeer one PC on the inside for testing, clone your policy above the existing, and set the source address specifically for that PC (this way you don’t take everyone down while you play).
Try setting ssl-inspection to “no-inspection” and see what your resulting tests show.
Download and install the full-inspection certificate to Trusted Root Certificates on your test PC, and try full-inspection.
Also make sure you have QUIC disabled in your AppControl and see if that resolves anything. Chrome will try to use QUIC by default, and that might be causing you some level of grief, though I doubt it - worth a shot.
Also try flipping between flow-based and proxy-based for each SSL inspection mode, as possible combos for a fix.
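As an added example (not from this thread or Fortinet documentation), here is one way to build the isolated test policy described above in the FortiOS CLI. It assumes 6.2.x syntax; the address object, interface names, the test PC's IP and the production policy id (5) are placeholders for the poster's own objects.

```fortios
# Address object for the one inside PC used for testing (placeholder IP).
config firewall address
    edit "lab-test-pc"
        set subnet 192.168.10.50 255.255.255.255
    next
end

# Clone of the LAN-to-Internet policy, restricted to the test PC only,
# so inspection is not switched off for everyone else while testing.
config firewall policy
    edit 9999
        set name "test-no-inspection"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "lab-test-pc"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode flow
        set utm-status enable
        set ssl-ssh-profile "no-inspection"
        set logtraffic all
        set nat enable
    next
    # Place the test policy above the existing production policy (id 5)
    # so the test PC matches it first.
    move 9999 before 5
end
```

To walk through the combinations suggested above, change `set ssl-ssh-profile` to "certificate-inspection" or "deep-inspection" and `set inspection-mode` to proxy, re-test Chrome from the test PC after each change, then disable (`set status disable`) or delete policy 9999 once the test is done.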
After hours of research: if I set the SSL/SSH Inspection rule to "No inspection", it works.
So now I'm wondering why the rule changed during the update.