
Web appliance kills FedEx Shipping Manager Software, Office 365 Activation and Postage Machine

A variation of this question was asked last September with no solution. I would like to expand the question, and I have opened a case online regarding it.

I have been forced to disconnect our VM Web Appliance due to the following issues:

  • It prevents FedEx Shipping Manager Software from communicating with its servers
  • It prevents our postage PC from communicating with its servers
  • It prevents Office 365 Clients from activating their licenses.

All http and https traffic is routed through the virtual web appliance. These issues started soon thereafter. Disconnecting the web appliance from the network allowed our Sonicwall firewall to bypass it and these items all started working again.

Putting domain names like fedex.com in the globally allowed domains section of the web appliance still prevented communication with the fedex servers.

Here is some information from fedex:

2. Port 443 must be open. FSM communicates to the FedEx tunnel server on 443. Connections to other websites may use port 80 (standard) or 443 (secure).

3. The DNS address and port of the Tunnel Gateway Server is: cafegip.ts.dmz.fedex.com:443

IP addresses for the tunnel server cluster are:

  • 199.81.216.140 (sni-vip3.dmz.fedex.com)
  • 199.81.216.60 (sni-vip4.dmz.fedex.com)
  • 204.135.8.17 (sni-vip5.dmz.fedex.com)
  • 204.135.8.16 (sni-vip6.dmz.fedex.com)

Note: All addresses use port 443. The customer's firewall must be open for these IPs for SSL traffic over port 443.

Note: Subnet mask is 255.255.255.0.


For Office 365, this site: ols.officeapps.live.com/.../OlsClient.svc must be contacted by the client. The web appliance interferes with that.

Please advise on workarounds other than turning the entire unit off.

  • Hi Adam,

    The issues you speak about generally occur when you have Certificate Validation and/or HTTPS Scanning enabled.

    The FedEx app fails because they don't have proper certificates on their servers. If you query one of the servers, such as sni-vip3.dmz.fedex.com, the certificate the server sends back has a CN of sniTunnel.fedex.com and none of the alternative names on the certificate match the requested FQDN; thus certificate validation fails and the request is blocked.

    We recently updated our Microsoft certificates on the Web Appliances to include some newer ones they use, so make sure you are on version 4.2. As well, I know that some of the Microsoft requests do byte range requests, which means they can't be scanned by the AV. To bypass the AV, you will need to add the FQDNs to the Local Site List and set them as "Trusted". You can also avoid doing AV scanning on items inside the HTTPS tunnel by adding the requests to the HTTPS Scanning Exemptions List.

    As for the Postage Machine, we would need more information to troubleshoot. I would recommend calling support for some assistance with that.

    Petr.
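An added example, not code from the appliance vendor or from either poster, of the hostname check Petr describes, written in Python against the standard library only. The certificate dictionary is constructed from the details in the thread: a CN of sniTunnel.fedex.com and a subjectAltName list (assumed here to contain only that same name) with no entry for the FQDN the client actually asked for. A verifier matches the requested name against the DNS SANs and falls back to the CN only when the certificate carries no DNS SAN at all, so a request for sni-vip3.dmz.fedex.com or cafegip.ts.dmz.fedex.com fails exactly as described. The `fetch_peer_cert` helper (needs network, not used by the offline demo) pulls the live certificate so you can confirm the mismatch yourself before deciding whether a narrow HTTPS Scanning exemption for those FQDNs fits better than turning certificate validation off for all traffic.

```python
"""Hostname verification as a TLS client or an intercepting proxy performs it.

Added example; not code from the Sophos Web Appliance or the forum posters.
The certificate below is CONSTRUCTED from the thread (CN = sniTunnel.fedex.com,
no SAN for the requested FQDN). The SAN list itself is an assumption, not a
copy of a real FedEx certificate.
"""
import socket
import ssl

# Same shape as what ssl.SSLSocket.getpeercert() returns for a verified peer.
CONSTRUCTED_FEDEX_CERT = {
    "subject": ((("commonName", "sniTunnel.fedex.com"),),),
    "subjectAltName": (("DNS", "sniTunnel.fedex.com"),),  # assumed SAN list
}


def _dns_name_match(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive; a wildcard is accepted only
    as the entire left-most label and only matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def matching_names(cert):
    """Names a verifier will accept: every DNS SAN, or the CN only when the
    certificate has no DNS SAN at all (modern verifiers ignore CN otherwise)."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for (kind, value) in rdn if kind == "commonName"]


def verify_hostname(cert, hostname):
    """Return (ok, reason) for the name the client requested via SNI/Host."""
    names = matching_names(cert)
    for name in names:
        if _dns_name_match(name, hostname):
            return True, f"{hostname!r} matched certificate name {name!r}"
    return False, f"{hostname!r} is not among certificate names {names}"


def fetch_peer_cert(host, port=443, timeout=5):
    """Live check (requires network). The chain is still validated against the
    system trust store; only Python's own hostname check is disabled so that a
    mismatching certificate can be read and then judged by verify_hostname()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demo against the constructed certificate from the thread.
    for fqdn in ("sni-vip3.dmz.fedex.com", "cafegip.ts.dmz.fedex.com",
                 "sniTunnel.fedex.com"):
        print(fqdn, "->", verify_hostname(CONSTRUCTED_FEDEX_CERT, fqdn))
    # To check a real server instead:
    # print(verify_hostname(fetch_peer_cert("sni-vip3.dmz.fedex.com"),
    #                       "sni-vip3.dmz.fedex.com"))
```

Run it as-is for the offline demonstration; the first two FQDNs fail and only the CN itself passes. Swapping in `fetch_peer_cert` gives the same verdict the appliance reaches, which is the evidence to keep with the change ticket when an exemption is added.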
  • Thanks for your excellent reply. I spoke with one of your higher level support colleagues earlier today and your answer is almost exactly the same as his. Turned off Certificate Validation, and then the FedEx app worked. The reason is as you said: one of the FedEx certs is actually not quite correct, which is why the appliance was blocking it. And, yes, we had to add a few MSFT sites to the local site list as "trusted." I was using "globally allowed", which was incorrect. Still need to test a few more things, but it's much better now.

    Adam in DC