I just recently ran into this issue with a customer and I figured that I would post more on this so others could benefit.
Here is the information about the Microsoft Lync software (non-McAfee links):
The key issue is that the Microsoft Lync client is sending keep-alive information which is outside of the normal proxy timeout configuration for long running connections. The Web Gateway by default will end log running connections that we have not received a response back for within 120 seconds by default.
Since the KB for Lync states that this needs to be adjusted to 5-15min, you can change this value in your bypass rule configuration. The bypass rule should be put in place in the top level of the SSL Scanner as this traffic will break if passed through the SSL Scanner anyways.
The rule I built for this looks like the following;
In turn the list information is configured using our subscribed list content from McAfee so that there is less administrative overhead to maintain this content;
If you hit the "Choose" button, there will be two important lists for the bypass;
- Hosted Lync IP Ranges
- Hostes Lync Hosts
Then after configuring the rule with the Stop Ruleset action, you will want to go into the "Events" section and add the event "Enable Proxy Control". Then you will want to both enable and adjust the following to add on the extended timeout for the connections over the Microsoft IPs and Hosts for Lync.
On an additional note, since this bypass is in the top level of the SSL Scanner and the SSL Scanner rule is above authentication for this configuration, I do not have the properties for "Authentication.Username" or "Authentication.UserGroup" filled. This makes things more difficult for reporting reasons, so in turn without having to make too many changes, the "Event" can be added for "Set Property Value" which we configured to "Authentication.Username" and then defined the string value of "SSLBypassMSLync" so that this can be seen as the username of this traffic on the Web Reporter.
The only recommended caution to point out is that overwriting property values can cause issues if executed in the incorrect area as this could overwrite what is stored in the property value. So do not add this onto the rule if you are using an authentication rule before this bypass rule. If this is going to be an issue, you could configure the logging on the Web Gateway to put the property "Rule.CurrentRule.Name" into the writing of the access.log or set a user-defined value.
For more information on the custom logging configuration on the Web Gateway, please reference the following;
The symptom that lead to this was the consistent timeout or closing of the Lync client forcing the end user to log back in.
Any additional input is welcome....