Level 8

Microsoft Lync SSL Bypass and Timeout Adjustment


I just recently ran into this issue with a customer and I figured that I would post more on this so others could benefit.

Here is the information about the Microsoft Lync software (non-McAfee links):

You can't connect to Lync Online, or certain features don't work, because an on-premises firewall bl...

An update is available to increase the range of the white space keep alive time intervals that Lync ...

The key issue is that the Microsoft Lync client is sending keep-alive information which is outside of the normal proxy timeout configuration for long running connections.  The Web Gateway by default will end long running connections that we have not received a response back for within 120 seconds.

Since the KB for Lync states that this needs to be adjusted to 5-15min, you can change this value in your bypass rule configuration.  The bypass rule should be put in place in the top level of the SSL Scanner as this traffic will break if passed through the SSL Scanner anyways.

The rule I built for this looks like the following;


In turn the list information is configured using our subscribed list content from McAfee so that there is less administrative overhead to maintain this content;

(Screenshot: Hosted List.jpg)

If you hit the "Choose" button, there will be two important lists for the bypass;

  • Hosted Lync IP Ranges
  • Hosted Lync Hosts

Then after configuring the rule with the Stop Ruleset action, you will want to go into the "Events" section and add the event "Enable Proxy Control".  Then you will want to both enable and adjust the following to add on the extended timeout for the connections over the Microsoft IPs and Hosts for Lync.

(Screenshot: Extended Timeout.jpg)

On an additional note, since this bypass is in the top level of the SSL Scanner and the SSL Scanner rule is above authentication for this configuration, I do not have the properties for "Authentication.Username" or "Authentication.UserGroup" filled.  This makes things more difficult for reporting reasons, so in turn without having to make too many changes, the "Event" can be added for "Set Property Value" which we configured to "Authentication.Username" and then defined the string value of "SSLBypassMSLync" so that this can be seen as the username of this traffic on the Web Reporter.

The only recommended caution to point out is that overwriting property values can cause issues if executed in the incorrect area as this could overwrite what is stored in the property value.  So do not add this onto the rule if you are using an authentication rule before this bypass rule.  If this is going to be an issue, you could configure the logging on the Web Gateway to put the property "Rule.CurrentRule.Name" into the writing of the access.log or set a user-defined value.

For more information on the custom logging configuration on the Web Gateway, please reference the following;

The symptom that led to this was the consistent timeout or closing of the Lync client forcing the end user to log back in.

Any additional input is welcome....

0 Kudos
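Added example, not part of the original post and not McAfee code: one way to check from logs whether bypassed Lync tunnels are still being cut at the 120-second default after the change described above. The tab-separated log layout, the sample lines and the function names are assumptions constructed for this example; only the 120-second value and the "SSLBypassMSLync" username come from the post.

```python
from collections import defaultdict

DEFAULT_TIMEOUT = 120           # seconds, the default named in the post
BYPASS_TAG = "SSLBypassMSLync"  # username value set by the bypass rule in the post

# Constructed sample lines: time, username, method, host, tunnel duration in seconds.
# This layout is assumed for the example; it is not the Web Gateway default format.
SAMPLE_LOG = "\n".join([
    "2015-03-02T09:00:05\tSSLBypassMSLync\tCONNECT\tlync.example.test:443\t120",
    "2015-03-02T09:02:10\tSSLBypassMSLync\tCONNECT\tlync.example.test:443\t121",
    "2015-03-02T09:04:15\tSSLBypassMSLync\tCONNECT\tlync.example.test:443\t119",
    "2015-03-02T09:06:20\tSSLBypassMSLync\tCONNECT\tlync.example.test:443\t120",
    "2015-03-02T09:08:25\tSSLBypassMSLync\tCONNECT\tlync.example.test:443\t45",
    "2015-03-02T09:00:07\tSSLBypassMSLync\tCONNECT\tsip.example.test:443\t840",
    "2015-03-02T09:15:00\tSSLBypassMSLync\tCONNECT\tsip.example.test:443\t310",
    "2015-03-02T09:21:00\tSSLBypassMSLync\tCONNECT\tsip.example.test:443\t905",
    "2015-03-02T09:37:00\tSSLBypassMSLync\tCONNECT\tsip.example.test:443\t120",
    "2015-03-02T09:40:00\tjdoe\tCONNECT\tlync.example.test:443\t120",
    "truncated line without enough fields",
])

def parse(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        ts, user, method, host, secs = parts
        records.append({"ts": ts, "user": user, "method": method,
                        "host": host, "secs": int(secs)})
    return records

def timeout_suspects(records, limit=DEFAULT_TIMEOUT, tolerance=2, min_hits=3):
    """Map host -> (tunnels ending near `limit`, total tunnels) for bypassed
    CONNECT tunnels where at least `min_hits` and at least half of them end
    within `tolerance` seconds of the proxy timeout."""
    near, total = defaultdict(int), defaultdict(int)
    for r in records:
        if r["user"] != BYPASS_TAG or r["method"] != "CONNECT":
            continue  # only traffic tagged by the bypass rule
        total[r["host"]] += 1
        if abs(r["secs"] - limit) <= tolerance:
            near[r["host"]] += 1
    return {h: (near[h], total[h]) for h in total
            if near[h] >= min_hits and near[h] * 2 >= total[h]}

if __name__ == "__main__":
    for host, (hits, seen) in timeout_suspects(parse(SAMPLE_LOG)).items():
        print(f"{host}: {hits} of {seen} tunnels ended at ~{DEFAULT_TIMEOUT}s")
```

A host that still shows up here after the extended timeout is enabled is either not matching the bypass lists or is being cut by a different timeout.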
2 Replies
Level 9

Re: Microsoft Lync SSL Bypass and Timeout Adjustment

Skype for Business may require an additional host to be whitelisted for it to work. You would just need to add criteria to your current rule for The criteria being added would be:

URL.Host matches

The total rule would look something like this:

Url.Destination.IP matches in list Microsoft Lync IPs

or Url.Host matches in list Microsoft Lync Hosts

or Url.Host matches

0 Kudos
Level 7

Re: Microsoft Lync SSL Bypass and Timeout Adjustment


  • Isn't that knob for CONNECT timeout?
  • In which cycle have you done it? Both or Request?

Thank you in advance

0 Kudos