
Fortinet SSLVPN Breaks After SSL/TLS Security Patch

Last Updated: 2/10/12

Per Customer Support Bulletin CSB-120117-1:

Description of Issue:
After installing a Microsoft security update, users may no longer be able to connect to the SSLVPN portal on a FortiGate. This issue has been reported by users running Internet Explorer, Firefox 10.0 and Chrome browsers.
Microsoft released an update to resolve a vulnerability found in SSL 3.0 and TLS 1.0; this is referenced in Microsoft Security Bulletin MS12-006. This vulnerability could allow an attacker to intercept encrypted traffic.
The change of behavior introduced with the Microsoft patch has resulted in an incompatibility with the FortiOS SSLVPN implementation, resulting in the failure of some clients to connect to the SSLVPN portal.

Affected Products:
All FortiGate models and software versions using the SSLVPN portal feature in combination with client workstations that are using Internet Explorer, Chrome or Firefox 10.0 browsers.

Resolution:
The immediate resolution for this issue is to roll back the Microsoft update as referenced in MS12-006.

Details of the Microsoft security bulletin can be found on the following web page:
http://technet.microsoft.com/en-us/security/bulletin/ms12-006

Fortinet will produce an update to FortiOS to restore compatibility with systems that have been updated with the Microsoft patch. A special build of software will be available "on demand" from a Fortinet support center from Friday 20th January; the enhancement will also be included in all future GA patch releases.


Workaround #1: Use a non-Internet Explorer browser that is at least one version old (ex: Firefox 9.0)

Workaround #2:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"SendExtraRecord"=dword:00000002
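The "extra record" that SendExtraRecord controls is the 1/n-1 record split that MS12-006 introduced as its BEAST mitigation: the first byte of each application-data write goes into its own TLS record and the remaining n-1 bytes into a second one. The Python below is an added illustration, not Fortinet or Microsoft code; it frames plaintext records (no encryption) to show what a peer sees before and after the patch and why a receiver that treats one record as one message fails while one that treats application data as a byte stream keeps working. Whether that is the exact FortiOS defect is not stated in the bulletin; the sample request and the host name are constructed.

```python
# Added illustration of the MS12-006 "extra record" (1/n-1 TLS record split)
# and of the receiver-side assumption that it exposes. Not FortiOS or Microsoft
# code; TLS record framing is shown without encryption or MAC.
import struct

APPLICATION_DATA = 0x17   # TLS ContentType application_data
TLS_1_0 = 0x0301          # record-layer version for TLS 1.0

def frame(payload: bytes, content_type: int = APPLICATION_DATA) -> bytes:
    """Wrap payload in a TLS record header: type(1) version(2) length(2)."""
    return struct.pack("!BHH", content_type, TLS_1_0, len(payload)) + payload

def write_unpatched(data: bytes) -> bytes:
    """Pre-patch behaviour: one application-data record per write."""
    return frame(data)

def write_patched(data: bytes) -> bytes:
    """MS12-006 behaviour: first byte in its own record, the rest in a second."""
    if len(data) <= 1:
        return frame(data)
    return frame(data[:1]) + frame(data[1:])

def parse_records(stream: bytes) -> list[tuple[int, bytes]]:
    """Split a byte stream into (content_type, payload) records."""
    records, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < 5:
            raise ValueError("truncated record header")
        ctype, version, length = struct.unpack("!BHH", stream[pos:pos + 5])
        if version != TLS_1_0:
            raise ValueError("unexpected record version")
        pos += 5
        records.append((ctype, stream[pos:pos + length]))
        pos += length
    return records

def naive_request_line(stream: bytes) -> bytes:
    """Brittle receiver: assumes the first record holds a whole request line."""
    first = parse_records(stream)[0][1]
    return first.split(b"\r\n", 1)[0]

def robust_request_line(stream: bytes) -> bytes:
    """Correct receiver: application data is a byte stream spanning records."""
    buf = b"".join(p for t, p in parse_records(stream) if t == APPLICATION_DATA)
    return buf.split(b"\r\n", 1)[0]

# Constructed sample of a browser's first write to an SSLVPN portal.
REQUEST = b"GET / HTTP/1.1\r\nHost: vpn.example\r\n\r\n"
```

Against the patched writer the naive receiver sees only b"G" in the first record and never finds a request line, which is the class of interoperability failure a registry value like SendExtraRecord switches on or off.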


Forum threads discussing this topic:
http://support.fortinet.com/forum/tm.asp?m=80256

To solve this problem, my understanding is that you must be on FortiOS version 4.2.11 or 4.3.5 or higher. All prior versions are affected and must use a workaround. There is also a special release of 4.2.x that will fix the problem. Here is the exact build info: v4.0,build3118,120117 (MR2)

Keywords: Fortinet, FortiGate, MS12-006, SSLVPN, TCP reset, connection reset, Internet Explorer, Firefox