Fortigate Firewalls and Desktop Share Failure
January 05, 2015

I recently ran into a problem with Desktop Sharing and Lync. Typically, I start all of these troubleshooting sessions by looking at the common issues: certs, DNS, etc. but in this case I knew who to blame. Me!
I recently installed a new firewall into the environment: a Fortigate 50b. Before we get to the specific fix, let's review what was and wasn't working.
- Presence worked both ways
- IMs worked both ways
- Audio/Video worked both ways
- Desktop Share would fail on setup
With this knowledge, I could start making some very good guesses about what might be happening. Since Desktop Share utilizes TCP exclusively and Audio/Video uses UDP, I had a good guess that the problem lay somewhere in the TCP handling on the firewall.
So my next step was to review a client trace to see if there was anything in the client trace that would point me to any more specific information. A review of the SDP showed this:
The workstation I am running the client on has two NICs (one wired and one wireless), so we see both of those IPs listed, but you will notice a lack of any relay/edge addresses. So we can see that somewhere in the process of the TURN request, something was removing or blocking the TURN request. Since this is a TCP request, we know the request is going out on 443.
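As an added illustration (not code from the original post), here is a small Python check that does what the manual trace review above does: it parses the a=candidate lines of an SDP offer and reports whether any TCP relay (Edge/TURN) candidates are present. The two SDP bodies, their addresses and ports are constructed samples, not captures from the author's environment.

```python
import re
from collections import defaultdict

# Constructed sample of the failing case: host candidates from the wired and
# wireless NICs only, no relay candidates. Addresses are RFC 5737 documentation
# ranges, not real hosts.
FAILING_SDP = """\
v=0
o=- 0 0 IN IP4 192.0.2.10
s=session
c=IN IP4 192.0.2.10
m=applicationsharing 49152 TCP/RTP/AVP 127
a=candidate:1 1 TCP-ACT 2130706431 192.0.2.10 49152 typ host
a=candidate:1 2 TCP-ACT 2130706430 192.0.2.10 49153 typ host
a=candidate:2 1 TCP-ACT 2130705919 198.51.100.22 49160 typ host
a=candidate:2 2 TCP-ACT 2130705918 198.51.100.22 49161 typ host
"""

# Constructed sample of a healthy offer: the same host candidates plus TCP relay
# candidates obtained from the Edge/TURN server over 443.
HEALTHY_SDP = FAILING_SDP + """\
a=candidate:3 1 TCP-ACT 16777215 203.0.113.5 443 typ relay raddr 192.0.2.10 rport 49152
a=candidate:3 2 TCP-ACT 16777214 203.0.113.5 443 typ relay raddr 192.0.2.10 rport 49153
"""

# Fields of an ICE candidate line up to the candidate type (RFC 5245 layout).
CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<addr>\S+) (?P<port>\d+) typ (?P<type>\S+)"
)

def parse_candidates(sdp):
    """Return one dict per a=candidate line found in the SDP text."""
    return [m.groupdict() for line in sdp.splitlines()
            if (m := CANDIDATE_RE.match(line.strip()))]

def diagnose(sdp):
    """Group candidates by type and flag an offer that has no TCP relay path."""
    by_type = defaultdict(set)
    for c in parse_candidates(sdp):
        by_type[c["type"]].add((c["transport"].upper(), c["addr"], int(c["port"])))
    tcp_relay = any(t.startswith("TCP") for t, _, _ in by_type.get("relay", ()))
    return {
        "host_addrs": sorted({a for _, a, _ in by_type.get("host", ())}),
        "relay_addrs": sorted({a for _, a, _ in by_type.get("relay", ())}),
        "tcp_relay_present": tcp_relay,
        "verdict": "ok" if tcp_relay else "no TCP relay candidates: TURN over 443 likely blocked",
    }
```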
So I decided to start poking around the Fortigate to see if there was any type of TCP/443 filtering that might be enabled, and I found Unified Threat Management (UTM). After I got over the shivers of the name, I decided to disable UTM on my firewall policy. My client network is VLAN 4 on my Fortigate, so I disabled UTM on the VLAN 4 to WAN 1 policy:
After the change, I immediately tested my desktop share and it was working. At this point, I started re-enabling each UTM option one at a time and discovered the issue was related to the Protocol Options being enabled. So I looked at the details, which can be found in Firewall | Policy | Protocol Options:
My attention went immediately to the HTTPS section. I found that if I disabled Monitor Content Information for Dashboard, Desktop Share starts to work immediately.
More Details
When I ran into this problem I knew this might be one of those issues that might make a great blog article. So I did some quick searching and found this blog article:
http://silbers.net/blog/2013/02/04/application-layer-firewall-blocks-lync-application-sharing/
So although I had started a blog post with some pretty WireShark images, I try never to double up on another person's content. As my old debate coach would say: "Stealing content just isn't cool, dude!" So if you want some more great content, go read Jeremy Silber's blog on the topic.