Saturday, May 2, 2020

upgrade to FGT 6.2.3 and issues with an office reaching our EMR and VMware View

Hi - we are a small hospital that recently upgraded our FortiGate firewall from 5.6.11 to 6.2.3. The upgrade went smoothly, albeit with a couple of minor issues, one being that our SSLVPN users couldn't reach our internal ADFS / SSO server due to a caveat in the new code, which tech support was able to remedy by enabling auxiliary session (https://docs.fortinet.com/document/fortigate/6.2.3/technical-tip-enabling-auxiliary-session-with-ecmp-or-sd-wan/19/fd47765)

However, one issue remains, and that is that a healthcare org that we closely work with is no longer able to reach our EMR (which is publicly accessible via a pub DNS record and SSL cert), as well as our VMware View connection server. Both of these should be reachable over 443, and from our firewall rules should be allowed in. I've confirmed I am able to publicly hit both from the internet, regardless of where I am, can access both on my smartphone for example, AND I can successfully access both via this healthcare org's PUBLIC wifi (separate network).

But this healthcare org seems to be timing out when navigating via https while on their wired and secure wifi network - the telnet port tests show connectivity over 443, but to me it seems like a TLS issue - their web browsers are showing "Cannot connect to this site securely". I don't have any control over this org but as far as their IE Security options go, they allow TLS 1.0, 1.1, and 1.2, but they're all grayed out due to a GPO policy that I can't edit. They say they are allowing all 3 and I believe them based on what I see, but why can't they then hit our 2 sites on 443 securely?

The POC I worked with Friday said he whitelisted our domains with wildcard entries for our domain name on their webfilter, but I'm still skeptical. If I can reach these sites right now from my home machine, what would make this "our issue"? And I don't doubt that we have some part to play in it; the issue occurred following our firewall upgrade, so I am open to any insight or suggestions. Thanks!
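The post's key observation is that a telnet test to port 443 succeeds while the browser reports "Cannot connect to this site securely", which means the TCP connection is accepted but the TLS handshake never completes. The probe below, an added example that is not part of the original post, separates those two stages and reports which one fails, along with the negotiated protocol version and cipher when the handshake does succeed. It assumes only the Python standard library; the function names (`probe_tls`, `classify_failure`, `start_plaintext_decoy`) are my own, and the decoy listener is a constructed stand-in for a device that accepts on the port but does not speak TLS, so the "open port, failed handshake" case can be reproduced offline.

```python
"""Separate "TCP port open" from "TLS handshake works" (added example, not from the post).

Assumes only the Python 3.7+ standard library. Function names are my own.
"""
import socket
import ssl
import threading
from typing import Any, Dict, Optional


def classify_failure(exc: BaseException, tcp_connected: bool) -> str:
    """Turn a connect/handshake exception into a coarse verdict.

    Check subclasses first: SSLCertVerificationError is an SSLError, and
    socket.timeout is an OSError.
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert_verify_failed"          # chain or hostname rejected by the client
    if isinstance(exc, ssl.SSLError):
        return "tls_handshake_failed"        # e.g. WRONG_VERSION_NUMBER, no shared protocol
    if isinstance(exc, socket.timeout):
        return "tls_handshake_timeout" if tcp_connected else "tcp_unreachable"
    if isinstance(exc, OSError):
        return "tcp_reset" if tcp_connected else "tcp_unreachable"
    return "unknown"


def probe_tls(host: str, port: int = 443, timeout: float = 5.0,
              verify: bool = True, server_name: Optional[str] = None) -> Dict[str, Any]:
    """Connect over TCP, then attempt a TLS handshake; report each stage separately."""
    result: Dict[str, Any] = {
        "host": host, "port": port, "tcp_connected": False, "verdict": None,
        "tls_version": None, "cipher": None, "subject": None, "error": None,
    }
    ctx = ssl.create_default_context()       # system trust store, modern protocol floor
    if not verify:                           # diagnostic mode: observe the handshake even with a bad chain
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    # Stage 1: plain TCP connect (all that a telnet/port test proves)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["verdict"] = classify_failure(exc, tcp_connected=False)
        result["error"] = repr(exc)
        return result
    result["tcp_connected"] = True

    # Stage 2: TLS handshake with SNI, which is what the browser actually needs
    try:
        with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
            result["tls_version"] = tls.version()
            result["cipher"] = tls.cipher()[0]
            cert = tls.getpeercert()          # {} when verification is disabled
            if cert:
                result["subject"] = dict(x[0] for x in cert.get("subject", ()))
            result["verdict"] = "ok"
    except (ssl.SSLError, OSError) as exc:
        result["verdict"] = classify_failure(exc, tcp_connected=True)
        result["error"] = repr(exc)
    finally:
        raw.close()
    return result


def start_plaintext_decoy() -> int:
    """Constructed stand-in for a device that accepts the port but does not speak TLS.

    Returns the listening port. Accepts one connection, answers with HTTP, closes.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        conn.recv(4096)                       # swallow the ClientHello
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder host
    print(probe_tls(target))
```

Running the probe from the affected org's wired network against the EMR hostname gives a verdict of `tls_handshake_failed` or `tls_handshake_timeout` when an inspecting device answers on 443 but cannot complete the handshake, versus `tcp_unreachable` when the firewall policy itself is dropping the traffic; the same run from the public wifi should return `ok` with the negotiated version, which narrows the problem to whatever sits between the wired clients and the internet.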


