Amazon WorkSpaces and SSL Errors with Deep Packet Inspection


I was recently doing a new FortiGate deployment for a customer, and one of the requirements was deep SSL inspection for their users. The customer already has an internal CA, so we issued a CA certificate from it for the FortiGate to use when re-signing inspected sessions; clients already trusted that CA because it is distributed through their Active Directory deployment. During UAT we found that their VDI solution, Amazon WorkSpaces, wouldn't connect for end users whose traffic matched a firewall policy with deep SSL inspection enabled: the WorkSpaces client does not accept the re-signed certificate the FortiGate presents. I've documented the process of adding the required exemptions here.

A quick search turned up AWS documentation (linked here) listing all the FQDNs, IP addresses and ports you need to allow through your firewall for WorkSpaces. Working from that list and the region the deployment is in (ap-southeast-2, Sydney, in this case), we need to create a number of address objects and then an address group to keep them all together.

So go to Policy & Objects > Addresses and create an address object for each of the FQDNs/IP addresses that cover your Amazon WorkSpaces region and deployment.

Since we're dealing with quite a number of objects, you can also use the CLI to create them, with something similar to the below, substituting the FQDNs AWS specifies for your region in the link above. I have anonymised some of the entries (the CloudFront auth endpoints), so again, make sure you review this list against the AWS documentation before applying it!

config firewall address
    edit "WorkSpaces Connectivity Check"
        set type fqdn
        set fqdn "connectivity.amazonworkspaces.com"
    next
    edit "WorkSpaces Client Metrics"
        set type fqdn
        set fqdn "skylight-client-ds.ap-southeast-2.amazonaws.com"
    next
    edit "WorkSpaces Dynamic Messaging"
        set type fqdn
        set fqdn "ws-client-service.ap-southeast-2.amazonaws.com"
    next
    edit "WorkSpaces Dir Auth"
        set type fqdn
        set fqdn "d32i4gd7xxxx.cloudfront.net"
    next
    edit "WorkSpaces Customer Dir Auth"
        set type fqdn
        set fqdn "d21ui22axxxx.cloudfront.net"
    next
    edit "WorkSpaces Customer Auth Media"
        set type fqdn
        set fqdn "dodwxjr2xxxx.cloudfront.net"
    next
    edit "WorkSpaces Forrester Log Service"
        set type fqdn
        set fqdn "fls-na.amazon.com"
    next
    edit "WorkSpaces Broker"
        set type fqdn
        set fqdn "ws-broker-service.ap-southeast-2.amazonaws.com"
    next
    edit "WorkSpaces API Endpoint 1"
        set type fqdn
        set fqdn "workspaces.ap-southeast-1.amazonaws.com"
    next
    edit "WorkSpaces Health Check DRP"
        set type fqdn
        set fqdn "drp-syd.amazonworkspaces.com"
    next
    edit "WorkSpaces Smart Card Auth Endpoints"
        set type fqdn
        set fqdn "smartcard.ap-southeast-2.signin.aws"
    next
    edit "WorkSpaces WS Broker 1"
        set type fqdn
        set fqdn "ws-broker-service.ap-southeast-1.amazonaws.com"
    next
    edit "WorkSpaces WS Broker 2"
        set type fqdn
        set fqdn "ws-broker-service.ap-southeast-2.amazonaws.com"
    next
    edit "WorkSpaces API Endpoint 2"
        set type fqdn
        set fqdn "workspaces.ap-southeast-2.amazonaws.com"
    next
end

We can then use the CLI again to create an address group containing every address object we just created (the anonymised auth endpoints included; if you leave any out, the client will still hit the inspection CA on that endpoint).

config firewall addrgrp
    edit "Amazon WorkSpaces"
        set member "WorkSpaces API Endpoint 1" "WorkSpaces API Endpoint 2" "WorkSpaces Broker" "WorkSpaces Client Metrics" "WorkSpaces Connectivity Check" "WorkSpaces Customer Auth Media" "WorkSpaces Customer Dir Auth" "WorkSpaces Dir Auth" "WorkSpaces Dynamic Messaging" "WorkSpaces Forrester Log Service" "WorkSpaces Health Check DRP" "WorkSpaces Smart Card Auth Endpoints" "WorkSpaces WS Broker 1" "WorkSpaces WS Broker 2"
    next
end

Once done, go to Policy & Objects > Firewall Policy and find the policy that matches our users' traffic and performs the SSL inspection. Edit the SSL/SSH inspection profile it uses, in this case custom-deep-inspection, and in the Exempt from SSL Inspection section add the address group we created earlier, in this case Amazon WorkSpaces.

Once you click OK twice the change applies, and traffic from those users to the listed WorkSpaces endpoints is exempted from SSL inspection: the FortiGate passes the original Amazon certificate through instead of re-signing it, which is what the client needs to connect.
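The whole procedure, address objects, address group and the profile exemption, can be driven from the CLI rather than the GUI. The script below is an added example and not part of the original post: it validates a name|FQDN list and generates the complete FortiGate CLI for all three steps, including the ssl-exempt entry that the post adds through the GUI. The object names, FQDNs, group name and profile name custom-deep-inspection come from the post; the ssl-exempt stanza assumes FortiOS 6.x/7.x syntax, and "edit 0" assumes the FortiGate auto-assigns the entry ID. The post's own list defines ws-broker-service.ap-southeast-2.amazonaws.com twice (under "WorkSpaces Broker" and "WorkSpaces WS Broker 2"); the validation here rejects duplicate FQDNs, so the constructed list carries that endpoint once.

```shell
#!/bin/sh
# Added example (not from the original post): generate the FortiGate CLI for
# the SSL inspection exemption procedure from a validated "<name>|<fqdn>" list.
# Names, FQDNs and the profile name come from the post; the ssl-exempt stanza
# assumes FortiOS 6.x/7.x syntax and "edit 0" assumes auto-assigned entry IDs.

GROUP_NAME="Amazon WorkSpaces"
PROFILE_NAME="custom-deep-inspection"

# Constructed input list, taken from the post with the duplicated
# ap-southeast-2 broker endpoint carried only once.
WORKSPACES_ENDPOINTS='WorkSpaces Connectivity Check|connectivity.amazonworkspaces.com
WorkSpaces Client Metrics|skylight-client-ds.ap-southeast-2.amazonaws.com
WorkSpaces Dynamic Messaging|ws-client-service.ap-southeast-2.amazonaws.com
WorkSpaces Forrester Log Service|fls-na.amazon.com
WorkSpaces Health Check DRP|drp-syd.amazonworkspaces.com
WorkSpaces Smart Card Auth Endpoints|smartcard.ap-southeast-2.signin.aws
WorkSpaces WS Broker 1|ws-broker-service.ap-southeast-1.amazonaws.com
WorkSpaces WS Broker 2|ws-broker-service.ap-southeast-2.amazonaws.com
WorkSpaces API Endpoint 1|workspaces.ap-southeast-1.amazonaws.com
WorkSpaces API Endpoint 2|workspaces.ap-southeast-2.amazonaws.com'

# check_list: read the list on stdin and fail on malformed lines, on FQDNs with
# characters outside [A-Za-z0-9.-] (a stray quote would also break the quoted
# CLI we emit), and on duplicate FQDNs (the FortiGate would silently accept two
# objects for the same host, which only makes the group harder to audit).
check_list() {
    seen=""
    while IFS='|' read -r name fqdn; do
        [ -n "$name$fqdn" ] || continue
        if [ -z "$name" ] || [ -z "$fqdn" ]; then
            echo "bad line: $name|$fqdn" >&2; return 1
        fi
        case "$fqdn" in
            *[!A-Za-z0-9.-]*) echo "invalid fqdn: $fqdn" >&2; return 1 ;;
        esac
        case " $seen " in
            *" $fqdn "*) echo "duplicate fqdn: $fqdn" >&2; return 1 ;;
        esac
        seen="$seen $fqdn"
    done
    return 0
}

# gen_addresses: one FQDN address object per input line on stdin
gen_addresses() {
    printf 'config firewall address\n'
    while IFS='|' read -r name fqdn; do
        [ -n "$name$fqdn" ] || continue
        printf '    edit "%s"\n' "$name"
        printf '        set type fqdn\n'
        printf '        set fqdn "%s"\n' "$fqdn"
        printf '    next\n'
    done
    printf 'end\n'
}

# gen_group: one address group named $1 whose members are every object name on stdin
gen_group() {
    members=""
    while IFS='|' read -r name fqdn; do
        [ -n "$name$fqdn" ] || continue
        members="$members \"$name\""
    done
    printf 'config firewall addrgrp\n'
    printf '    edit "%s"\n' "$1"
    printf '        set member%s\n' "$members"
    printf '    next\nend\n'
}

# gen_exempt: exempt group $1 from SSL inspection in the SSL/SSH profile $2
gen_exempt() {
    printf 'config firewall ssl-ssh-profile\n'
    printf '    edit "%s"\n' "$2"
    printf '        config ssl-exempt\n'
    printf '            edit 0\n'
    printf '                set type address\n'
    printf '                set address "%s"\n' "$1"
    printf '            next\n'
    printf '        end\n'
    printf '    next\nend\n'
}

# gen_all: validate the list on stdin, then emit the three blocks in the order
# they must be applied (objects before the group, group before the profile)
gen_all() {
    list=$(cat)
    printf '%s\n' "$list" | check_list || return 1
    printf '%s\n' "$list" | gen_addresses
    printf '%s\n' "$list" | gen_group "$GROUP_NAME"
    gen_exempt "$GROUP_NAME" "$PROFILE_NAME"
}

printf '%s\n' "$WORKSPACES_ENDPOINTS" | gen_all
```

Paste the output into the FortiGate CLI in one go; the three blocks are emitted in dependency order, so the group already exists by the time the profile references it. Keep the FQDN list in version control and regenerate when AWS changes its endpoint list, rather than editing objects by hand.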

And there you have it. You can use the same process for any other service (ConnectWise Control is another one) or website that doesn't play nicely with deep SSL inspection because the client pins the server certificate or otherwise refuses the certificate re-signed by the inspection CA. Keep the exemption list as tight as the vendor's endpoint documentation allows: every exempted destination is traffic the firewall no longer sees inside.

