Fortigate Firewalls and Desktop Share Failure

I recently ran into a problem with Desktop Sharing and Lync. Typically, I start these troubleshooting sessions by looking at the common issues (certs, DNS, etc.), but in this case I knew who to blame. Me!

I had recently installed a new firewall into the environment: a Fortigate 50b. Before we get to the specific fix, let's review what was and wasn't working.

  • Presence worked both ways
  • IMs worked both ways
  • Audio/Video worked both ways
  • Desktop Share would fail on setup

With this knowledge, I could start making some very good guesses about what might be happening. Since Desktop Share uses TCP exclusively and Audio/Video uses UDP, I had a good guess that the problem lay somewhere in the TCP handling on the firewall.

So my next step was to review a client trace to see if anything in it would point me to more specific information. A review of the SDP showed this:

The workstation I am running the client on has two NICs (one wired and one wireless), so we see both of those IPs listed, but you will notice a lack of any relay/edge addresses. So somewhere in the process of the TURN request, something was blocking or stripping the request. Since this is a TCP request, we know it is going out on port 443.
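The check described above (scan the client's SDP for ICE candidates and notice that only host addresses appear, with no relay/edge candidates) can be automated. The following is an added example, not code from the original post or from Microsoft; it assumes the RFC 5245 `a=candidate:` line layout plus Lync's `TCP-ACT`/`TCP-PASS` transport tokens, and the two SDP bodies are constructed samples, not the author's trace.

```python
import re
from dataclasses import dataclass

# One ICE candidate line. Lync uses "TCP-ACT"/"TCP-PASS" as transport tokens
# (assumption), so transport is matched loosely and classified by prefix.
CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<addr>\S+) (?P<port>\d+) typ (?P<ctype>host|srflx|prflx|relay)"
)


@dataclass
class Candidate:
    component: int
    transport: str
    addr: str
    port: int
    ctype: str

    @property
    def is_tcp(self) -> bool:
        return self.transport.upper().startswith("TCP")


def parse_candidates(sdp: str) -> list[Candidate]:
    """Return every a=candidate line in the SDP body as a Candidate."""
    found = []
    for line in sdp.splitlines():
        m = CANDIDATE_RE.match(line.strip())
        if m:
            found.append(Candidate(int(m["component"]), m["transport"],
                                   m["addr"], int(m["port"]), m["ctype"]))
    return found


def diagnose(sdp: str) -> dict:
    """Classify the candidate list the way the troubleshooting step does.

    verdict values:
      ok            - relay candidates exist for both UDP and TCP
      no_tcp_relay  - UDP relay allocated but the TCP (443) allocation is missing
      no_relay      - no relay candidates at all, only host/srflx addresses
    """
    cands = parse_candidates(sdp)
    relay = [c for c in cands if c.ctype == "relay"]
    relay_tcp = [c for c in relay if c.is_tcp]
    relay_udp = [c for c in relay if not c.is_tcp]
    if not relay:
        verdict = "no_relay"
    elif not relay_tcp:
        verdict = "no_tcp_relay"
    else:
        verdict = "ok"
    return {
        "total": len(cands),
        "host": sum(1 for c in cands if c.ctype == "host"),
        "relay_udp": len(relay_udp),
        "relay_tcp": len(relay_tcp),
        "relay_addrs": sorted({c.addr for c in relay}),
        "verdict": verdict,
    }


# Constructed sample: healthy offer with host candidates plus UDP and TCP relay
# candidates pointing at an edge address (documentation range 203.0.113.0/24).
HEALTHY_SDP = """v=0
o=- 0 0 IN IP4 192.168.1.10
s=session
m=applicationsharing 50006 TCP/RTP/AVP 127
a=candidate:1 1 UDP 2130706431 192.168.1.10 50002 typ host
a=candidate:2 1 TCP-ACT 2121006079 192.168.1.10 50004 typ host
a=candidate:3 1 UDP 16648703 203.0.113.10 53000 typ relay raddr 192.168.1.10 rport 50002
a=candidate:4 1 TCP-ACT 16647679 203.0.113.10 443 typ relay raddr 192.168.1.10 rport 50004
"""

# Constructed sample matching the symptom in the post: two NICs (wired and
# wireless) show up as host candidates, but no relay/edge address at all.
BROKEN_SDP = """v=0
o=- 0 0 IN IP4 192.168.1.10
s=session
m=applicationsharing 50006 TCP/RTP/AVP 127
a=candidate:1 1 UDP 2130706431 192.168.1.10 50002 typ host
a=candidate:2 1 TCP-ACT 2121006079 192.168.1.10 50004 typ host
a=candidate:3 1 UDP 2130705919 192.168.50.23 50008 typ host
a=candidate:4 1 TCP-ACT 2121005567 192.168.50.23 50010 typ host
"""

if __name__ == "__main__":
    for name, body in (("healthy", HEALTHY_SDP), ("broken", BROKEN_SDP)):
        print(name, diagnose(body))
```

A `no_relay` or `no_tcp_relay` verdict on a client that can otherwise sign in and send IMs is the cue to look at whatever sits in the TCP/443 path to the edge (here, the firewall's HTTPS inspection) rather than at certificates or DNS.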

So I decided to start poking around the Fortigate to see if any kind of TCP/443 filtering might be enabled, and I found Unified Threat Management (UTM). After I got over the shivers of the name, I decided to disable UTM on my firewall policy. My client network is VLAN 4 on my Fortigate, so I disabled UTM on the VLAN 4 to WAN 1 policy:

After the change, I immediately tested my desktop share and it was working. At this point, I started re-enabling each option one at a time and discovered that the issue was related to the Protocol Options being enabled. The details can be found under Firewall | Policy | Protocol Options:

My attention went immediately to the HTTPS section. I found that if I disabled "Monitor Content Information for Dashboard", Desktop Share started to work immediately.

More Details

When I ran into this problem I figured it might be one of those issues that would make a great blog article. So I did some quick searching and found this blog post:

http://silbers.net/blog/2013/02/04/application-layer-firewall-blocks-lync-application-sharing/

So although I had started a blog post with some pretty Wireshark images, I try never to duplicate another person's content. As my old debate coach would say: "Stealing content just isn't cool, dude!" So if you want some more great content, go read Jeremy Silber's post on the topic.


3 comments on “Fortigate Firewalls and Desktop Share Failure”

  1. Pingback: Weekly IT Newsletter – January 5-9, 2015 | Just a Lync Guy

  2. Pingback: NeWay Technologies – Weekly Newsletter #129 – January 8th, 2014 | NeWay

  3. Pingback: NeWay Technologies – Weekly Newsletter #129 – January 9th, 2014 | NeWay
