2 Replies Latest reply on Jul 21, 2017 10:02 AM by moghaddas

    Microsoft Lync SSL Bypass and Timeout Adjustment

      Hello,
      I just recently ran into this issue with a customer and I figured that I would post more on this so others could benefit.
      Here is the information about the Microsoft Lync software (non-McAfee links):

      You can't connect to Lync Online, or certain features don't work, because an on-premises firewall blocks the connection

      An update is available to increase the range of the white space keep alive time intervals that Lync Server 2010 allows
      The key issue is that the Microsoft Lync client is sending keep-alive information which is outside of the normal proxy timeout configuration for long-running connections.  The Web Gateway will, by default, end long-running connections for which it has not received a response back within 120 seconds.

      Since the KB for Lync states that this needs to be adjusted to 5 to 15 minutes, you can change this value in your bypass rule configuration.  The bypass rule should be put in place in the top level of the SSL Scanner, as this traffic will break if passed through the SSL Scanner anyway.
      The rule I built for this looks like the following:

      [Screenshot: LyncSSLBypass.jpg]

      In turn, the list information is configured using our subscribed list content from McAfee so that there is less administrative overhead to maintain this content:

      [Screenshot: Hosted List.jpg]

      If you hit the "Choose" button, there will be two important lists for the bypass:

      • Hosted Lync IP Ranges
      • Hosted Lync Hosts
      Then after configuring the rule with the Stop Ruleset action, you will want to go into the "Events" section and add the event "Enable Proxy Control".  Then you will want to both enable and adjust the following to add on the extended timeout for the connections over the Microsoft IPs and Hosts for Lync.

      [Screenshot: Extended Timeout.jpg]

      On an additional note, since this bypass is in the top level of the SSL Scanner and the SSL Scanner rule is above authentication for this configuration, I do not have the properties "Authentication.Username" or "Authentication.UserGroup" filled.  This makes things more difficult for reporting, so, without having to make too many changes, the "Set Property Value" event can be added, which we configured to set "Authentication.Username" to the string value "SSLBypassMSLync" so that this shows as the username of this traffic in Web Reporter.

      The only recommended caution to point out is that overwriting property values can cause issues if executed in the wrong place, as this could overwrite what is already stored in the property.  So do not add this onto the rule if you are using an authentication rule before this bypass rule.  If this is going to be an issue, you could configure the logging on the Web Gateway to put the property "Rule.CurrentRule.Name" into the access.log or set a user-defined value.

      For more information on the custom logging configuration on the Web Gateway, please reference the following:

      WR: How to Add a Log Column in Webgateway and How to Report on it Using Web Reporter
      The symptom that led to this was the consistent timeout or closing of the Lync client, forcing the end user to log back in.

      Any additional input is welcome....
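
Added example (not the poster's configuration and not McAfee Web Gateway code): a small Python model of the decision the bypass rule above makes, so the list matching, the extended timeout and the "do not overwrite Authentication.Username" caution can be checked outside the appliance. The list entries, the host names and IP addresses are constructed placeholders standing in for the subscribed "Hosted Lync IP Ranges" / "Hosted Lync Hosts" lists, the 900-second value is my choice from the 5 to 15 minute range the KB calls for, and the wildcard semantics (`*.domain` matches subdomains only) are an assumption, not a statement of how the Web Gateway evaluates its lists.

```python
"""Model of the Lync SSL-bypass rule described in the post.

Added example only. Not McAfee Web Gateway code and not the poster's own
rule set; all list contents below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-ins for the subscribed lists (assumption: the real
# subscribed lists hold Microsoft's published ranges and host names).
LYNC_IP_RANGES = [
    ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")
]
LYNC_HOSTS = ["lync.example.net", "*.lync.example.net", "*.online.example.com"]

DEFAULT_TIMEOUT = 120  # Web Gateway default for long-running connections (per the post)
LYNC_TIMEOUT = 900     # assumption: 15 min, upper end of the 5-15 min range in the KB
BYPASS_MARKER = "SSLBypassMSLync"  # marker written into Authentication.Username


@dataclass
class Decision:
    ssl_bypass: bool            # True = stop ruleset, do not pass through SSL Scanner
    timeout_seconds: int        # proxy-control timeout applied to the connection
    username: Optional[str]     # value left in Authentication.Username
    matched_by: Optional[str]   # which list produced the match, for logging


def host_matches(host: str, patterns: List[str]) -> bool:
    """Case-insensitive match; '*.x' matches subdomains of x only (assumption).

    The suffix check keeps the leading dot so look-alikes such as
    'evil-lync.example.net' do not match '*.lync.example.net'.
    """
    host = host.lower().rstrip(".")
    for pattern in patterns:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            suffix = pattern[1:]          # ".lync.example.net"
            if host.endswith(suffix) and host != suffix[1:]:
                return True
        elif host == pattern:
            return True
    return False


def ip_matches(ip: str, ranges) -> bool:
    """True when ip falls in any listed range; unparsable input never matches."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def evaluate(destination_host: str, destination_ip: str,
             authenticated_user: Optional[str] = None) -> Decision:
    """Evaluate the bypass rule for one connection.

    authenticated_user models Authentication.Username as already filled by an
    authentication rule that ran earlier; per the post's caution the marker
    must not overwrite it.
    """
    matched = None
    if ip_matches(destination_ip, LYNC_IP_RANGES):
        matched = "Hosted Lync IP Ranges"
    elif host_matches(destination_host, LYNC_HOSTS):
        matched = "Hosted Lync Hosts"

    if matched is None:
        # Not Lync traffic: normal processing, default timeout, property untouched.
        return Decision(False, DEFAULT_TIMEOUT, authenticated_user, None)

    username = authenticated_user if authenticated_user else BYPASS_MARKER
    return Decision(True, LYNC_TIMEOUT, username, matched)


if __name__ == "__main__":
    # Constructed sample connections.
    for host, ip, user in (("sip.lync.example.net", "203.0.113.5", None),
                           ("www.example.org", "203.0.113.5", None),
                           ("anything.example.org", "192.0.2.10", "alice")):
        print(host, ip, evaluate(host, ip, user))
```

The two things worth carrying back to the appliance are the anchored wildcard suffix (a bare `endswith("lync.example.net")` would also bypass SSL scanning for `evil-lync.example.net`) and the ordering rule: the marker username is only stamped when nothing has filled `Authentication.Username` yet, which is exactly the case the post describes with the SSL Scanner rule sitting above authentication.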