Fortigate Firewalls and Desktop Share Failure

January 05, 2015

I recently ran into a problem with Desktop Sharing and Lync.  Typically, I start all of these troubleshooting sessions by looking at the common issues: certs, DNS, etc. but in this case I knew who to blame.  Me!

I recently installed a new firewall into the environment: a Fortigate 50b. Before we get to the specific fix, let's review what was and wasn't working.

  • Presence worked both ways
  • IMs worked both ways
  • Audio/Video worked both ways
  • Desktop Share would fail on setup

With this knowledge, I could make some very good guesses about what might be happening. Since Desktop Share uses TCP exclusively and Audio/Video uses UDP, I had a good guess that the problem lay somewhere in the TCP stack on the firewall.

So my next step was to review a client trace to see if there was anything in it that would point me to more specific information. A review of the SDP showed this:

The workstation I am running the client on has two NICs (one wired and one wireless), so we see both of those IPs listed, but you will notice a lack of any relay/edge addresses. So somewhere in the process of the TURN request, something was blocking or stripping the request. Since this is a TCP request, we know it is going out on 443.
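To make that SDP check concrete, here is an added example (not from the original post) that parses the ICE candidate lines from a captured SDP and reports whether any relay candidates from the Edge/TURN server are present. The SDP text is constructed for illustration; the candidate syntax follows the standard `a=candidate` form, and the `TCP-ACT` transport name is assumed to match what a Lync client emits for its TCP candidates.

```python
import re
from collections import Counter

# Constructed sample SDP modelled on a Lync client trace (not a real capture).
# Both local NICs (wired + wireless) show up as host candidates, but there are
# no "typ relay" candidates from the Edge/TURN server: the symptom in the post.
SDP_NO_RELAY = """\
m=applicationsharing 50000 TCP/RTP/AVP 127
c=IN IP4 192.168.4.10
a=candidate:1 1 TCP-ACT 2130706431 192.168.4.10 50000 typ host
a=candidate:2 1 TCP-ACT 2130705919 192.168.4.11 50000 typ host
"""

# The same session with relay candidates present (what a healthy trace shows).
SDP_WITH_RELAY = SDP_NO_RELAY + """\
a=candidate:3 1 TCP-ACT 16777215 203.0.113.20 443 typ relay raddr 192.168.4.10 rport 50000
a=candidate:4 1 UDP 16777214 203.0.113.20 3478 typ relay raddr 192.168.4.10 rport 50001
"""

CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<found>\S+) (?P<comp>\d+) (?P<transport>\S+) (?P<prio>\d+) "
    r"(?P<addr>\S+) (?P<port>\d+) typ (?P<type>\w+)",
    re.MULTILINE,
)


def parse_candidates(sdp):
    """Return one dict per a=candidate line in the SDP body."""
    return [m.groupdict() for m in CANDIDATE_RE.finditer(sdp)]


def relay_status(sdp):
    """Summarise candidate types and flag a missing TCP relay (TURN) path."""
    cands = parse_candidates(sdp)
    by_type = Counter(c["type"] for c in cands)
    tcp_relays = [c for c in cands
                  if c["type"] == "relay" and c["transport"].upper().startswith("TCP")]
    return {
        "host": by_type.get("host", 0),
        "relay": by_type.get("relay", 0),
        "tcp_relay_ports": sorted({int(c["port"]) for c in tcp_relays}),
        # No TCP relay candidate means the TURN allocation over TCP/443 never
        # completed; in the post the cause was the firewall's HTTPS protocol option.
        "tcp_relay_missing": not tcp_relays,
    }


if __name__ == "__main__":
    for name, sdp in (("no relay", SDP_NO_RELAY), ("with relay", SDP_WITH_RELAY)):
        print(name, relay_status(sdp))
```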

So I decided to start poking around the Fortigate to see if there was any type of TCP/443 filtering enabled, and I found Unified Threat Management (UTM). After I got over the shivers from the name, I decided to disable UTM on my firewall policy. My client network is VLAN 4 on my Fortigate, so I disabled UTM on the VLAN 4 to WAN 1 policy:

After the change, I immediately tested my desktop share and it was working. At this point, I started disabling each option one at a time and discovered the issue was related to the Protocol Options being enabled. So I looked at the details, which can be found in Firewall | Policy | Protocol Options:

My attention went immediately to the HTTPS section. I found that if I disabled Monitor Content Information for Dashboard, Desktop Share started working immediately.

More Details

When I ran into this problem, I knew it might be one of those issues that makes a great blog article. So I did some quick searching and found this blog article:

http://silbers.net/blog/2013/02/04/application-layer-firewall-blocks-lync-application-sharing/

So although I started this blog post with some pretty Wireshark images, I try never to double up on another person's content. As my old debate coach would say: “Stealing content just isn’t cool, dude!” So if you want some more great content, go read Jeremy Silber’s blog on the topic.

Richard

Written by Richard. Richard is an Office Apps & Services MVP (Teams / Skype) who lives in Minneapolis, MN. Microsoft Certified Solutions Master (MCSM) and MCSM Instructor, back when those were a thing. When not writing code or breaking Teams: debate coach and avid golfer.