KB2585542 Security Update causing SSL VPN Issues

    Question

  • Hello all,

     

    I discovered last night if security update KB2585542 is installed on our Windows XP/7 machines, it won’t display our SSL VPN Login webpage.

    We use Fortinet Firewalls.

    After manually uninstalling KB2585542 I was successfully able to view our SSL VPN Login Webpage.

    I have declined security update KB2585542 on all of our WSUS servers to decline this update getting pushed out to all of our machines.

    Is anyone else experiencing this same type of SSL VPN issue?

     

    Cheers

    Tony


    Thursday, January 12, 2012 2:13 AM

Answers

  • Hi DrjonesUSA,

    We too have a 110C..

    For the few users that had this update installed I simply went into:

    Control Panel > All Control Panel Items > Programs and Features > View installed updates > Right clicked security update KB2585542 > Uninstall > Rebooted the machine

    If that didn't work I'd maybe suggest uninstalling the FortiClient, resetting IE settings and re-installing the FortiClient again.

    Hopefully Fortinet get a fix out soon!

     

    Cheers

    Tony

    Friday, January 20, 2012 2:55 AM

All replies

  • hello,

    maybe you can use the Forti SSL VPN client to connect to your server,

    download here http://dekiwiki.ties2.net/Fortinet/Fortinet_SSL_VPN_Client_Installers

     

    BTW, my co-worker is trying to connect to another VPN device (JXX) with the KB2585542 update, and it is OK to connect!!

     

    cheers

    Ting



    • Edited by Ting-wu Thursday, January 12, 2012 6:43 AM vpn device
    Thursday, January 12, 2012 5:31 AM
  • You are right, it definitely breaks the browser and client connection.

    Neither one would work after the update kb2585542 is applied.

    Thursday, January 12, 2012 6:40 AM
  • The other VPN device Ting-wu mentions is a Juniper FW.

    After the update KB2585542, I use IE to try to connect to my company's SSL VPN service and device (using port 443); only the Forti SSL VPN can't open the login page, the others are OK.


    • Edited by Derek Lai Thursday, January 12, 2012 7:15 AM
    Thursday, January 12, 2012 7:14 AM
  • We have the same issue on checkpoint SSL VPN.

    • Edited by vasisl Thursday, January 12, 2012 10:47 AM
    Thursday, January 12, 2012 10:46 AM
  • Same here.

    I have around 50 clients today that can't connect to our Checkpoint today.

    I asked to remove all updates that a client did yesterday, but was not enough. A system restore of 2 days before solved the issue.

     

    Now I'm scared of what will happen in the next few days.

    Thursday, January 12, 2012 12:56 PM
  • Hello.

     

    Does anybody face these issues with Bitdefender Business Client installed? After installing security update KB2585542, log on to OS takes up to 15 minutes unless I set the firewall off in my Bitdefender.

     

    Thanks.


    Defender_13

    Thursday, January 12, 2012 3:26 PM
  • Running Checkpoint as well and running into the same issue. R70.40 SNX. XP and Windows7 have the same issue after installing.
    • Edited by btenney Thursday, January 12, 2012 8:26 PM
    Thursday, January 12, 2012 8:25 PM
  • Hi,

    I just received information from support@companycrypt.com that a registry hack could help:

    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
    • add new DWORD (32-bit) SendExtraRecord
    • Value 2

    Susanne

    • Proposed as answer by Nekbar Wednesday, March 21, 2012 4:13 PM
    Friday, January 13, 2012 11:39 AM
  • I forgot the ms article:

    see: http://support.microsoft.com/kb/2643584

    Susanne

    Friday, January 13, 2012 11:42 AM
  • We also use a FortiNet firewall (110C), and believe that this Microsoft update broke VPN for one user.

    We tried uninstalling the update, doing a system restore, and no luck.

    Any ideas on how to fix this?

    Tuesday, January 17, 2012 4:43 PM
  • Hello, all

    After checking the problem with the Checkpoint team we have found a solution to this problem.

    To solve this problem go to Policy > global properties > ssl network extender >
    (under supported encryption methods) change the method from AES, 3DES to AES, 3DES, RC4.

     



    • Edited by vasisl Wednesday, January 18, 2012 8:23 AM
    Wednesday, January 18, 2012 8:22 AM
  • Changing Encryption will not help on a Fortigate.  This problem is related to the self-signed certificate.  IE 7 - 9 and Chrome are both broken.

    Firefox is not affected by this issue and still works.  Fortinet recommends generating a certificate and using that, but they said they are working on a solution.

    Thursday, January 19, 2012 3:26 AM
  • Hi,

    If it can help:

    In the IE options, Advanced, uncheck TLS 1.0; for us it solved the issue.

    Checkpoint FW 1.

    Have a good day.

     

    Friday, January 20, 2012 7:08 AM
  • Quick update to this;  upgrading our checkpoint firewalls to R71 HFA 40 resolved it for us. 
    Friday, January 20, 2012 7:51 PM
  •  

    We are already using a generated commercial certificate.  It doesn't help on an FG1000A with version 4, latest patch release.  

    Using Firefox fixes the problem though.

    Based on that experience, the self signed certificate isn't the problem with IE and won't help fix this problem on IE 7-9.   

    Wednesday, January 25, 2012 6:06 PM
  • Fortinet released a customer support bulletin CSB-120117-1 that addresses this issue.  They have special builds of their firmware available for the fix or they recommend rolling back the security update.  I was able to work around this by disabling TLS 1.0 and enabling TLS 1.1 and TLS 1.2 on the Advanced tab of Internet Options in IE.
    Tuesday, January 31, 2012 7:18 PM
  • The update KB2585542 has to be hidden in the windows update or it will re-install the next time you reboot.
    Wednesday, February 01, 2012 3:40 AM
  • Hi,

    It's confirmed that KB2585542 will break the SSL VPN connection using IE.

    Currently Firefox 9.01 will still be able to use SSL VPN, but the recent version 10 will also break SSL VPN.

    Your best bet will be using the FortiClient SSL VPN client, which you might be able to download over the internet.

    Insert your server address: address:port, e.g. remote.mydns.com.sg:443. The port number is very important here. You don't have to include https:// in front

    password : yourpassword

    and you will be able to connect.

    Hope this is able to give an alternative solution to your problem.

    Cheers,
    Lucas

    Monday, February 06, 2012 5:05 AM
  • Hi,

    We also have this problem with the latest version of Firefox. Uninstalling the update KB2585542 doesn't resolve the problem for Firefox, but it should work for IE 7-9.

     

    We need to solve the problem with firefox.

     

    any ideas? 

    Monday, February 06, 2012 2:32 PM
  • Hi,

    We also have this problem with the latest version of Firefox. Uninstalling the update KB2585542 doesn't resolve the problem for Firefox, but it should work for IE 7-9.

     

    We need to solve the problem with firefox.

     

    any ideas? 

    How about uncheck TLS 1.0 in the options?
    Monday, February 06, 2012 3:18 PM
  • For me unchecking TLS 1.0 didn't help

    Pavel

    Wednesday, February 08, 2012 7:13 AM
  • Hi All,

    I'm having the same problem after we updated the patch KB2585542. We cannot access SSL VPN through IE; it doesn't display the webpage for login. I'm using a Fortigate Firewall 300A.

    Do you have solution with remove patch KB2585542?


    Khemarin333@hotmail.com


    • Edited by khemarin Set Wednesday, February 08, 2012 7:54 AM
    Wednesday, February 08, 2012 7:50 AM
  • Hello all,

    After logging a ticket with Fortinet, this is the response I got back..
    Hope this helps all Fortinet users...

    Dear Customer,

    This email is to inform you that your ticket xxxxxx has been updated.

    Ticket Title: SSL login page error
    Ticket Status: Registered
    Updated by xxxxxxxx at 2/5/2012 8:05:59 PM
    This is a known issue, I have attached customer support bulletin to the ticket, please have a read and let me know if you have any questions.
    We have released FOS 4.3.5 public firmware on Jan 31st which contains this fix.
    If you require fix in 4.2 code or 4.1 code, please let me know.
    Thank you.

     

    Fortinet Customer Support Bulletin


    Subject: SSLVPN Connectivity Issue
    Product: All FortiGate models running

    Description of Issue:
    After installing a Microsoft security update users may no longer be able to connect to the SSLVPN
    portal on a FortiGate. This issue has been reported by users running Internet Explorer and Chrome
    browsers.
    Microsoft released an update to resolve a vulnerability found in SSL 3.0 and TLS 1.0, this is
    referenced in the Microsoft Security Bulletin MS12-006. This vulnerability could allow an attacker
    to intercept encrypted traffic.
    The change of behavior introduced with the Microsoft patch has resulted in an incompatibility with
    FortiOS SSLVPN implementation resulting in the failure for some clients to connect to the SSLVPN
    portal.

    Affected Products:
    All FortiGate models and software versions using the SSLVPN portal feature in combination with
    client workstations that are using Internet Explorer or Chrome browsers.

    Resolution:
    The immediate resolution for this issue is to roll back the Microsoft update as referenced in
    MS12-006.
    Details of the Microsoft security bulletin can be found on the following web page:
    http://technet.microsoft.com/en-us/security/bulletin/ms12-006
    Fortinet will produce an update to FortiOS to restore the compatibility with systems that have
    been updated with the Microsoft patch. A special build of software will be available “on demand”
    from a Fortinet support center from Friday 20th January, the enhancement will also be included in
    all future patch releases for GA release.

    Technical Support Contact Information:
    Fortinet technical support home page: https://support.fortinet.com

    Thursday, February 09, 2012 7:39 AM
  • Thursday, February 09, 2012 8:33 AM
  • Hi Tony, I was facing same problem. I've manually removed Window update KB2585542 & resolved the same.

    Thanks,


    Jatin Purohit Ahmedabad-India


    Thursday, February 09, 2012 11:01 AM
  • Hi,

    I just received information from support@companycrypt.com that a registry hack could help:

    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
    • add new DWORD (32-bit) SendExtraRecord
    • Value 2

    Susanne


    We had the same issues in our environment with certain certificate authenticated websites over SSL.  Winxp 32-64 WIN7 32-64. Uninstalling the patch fixed the issue however, we are required to have this patch on our machines. After reinstalling it broke the sites again but pushing this registry change through group policy solved our problems and allowed the patch to remain on our machines.
    • Proposed as answer by Robbie1 Thursday, March 06, 2014 10:26 PM
    Friday, February 17, 2012 9:21 PM
  • This solved our issue with Checkpoint SSL VPN, on all Windows versions

    Thanks

    Wednesday, February 29, 2012 11:28 AM
  • Disabling TLS 1.0 and enabling TLS 1.1 and TLS 1.2 works well. Thanks
    Friday, March 02, 2012 4:10 PM
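
The registry value and IE protocol settings reported in the posts above can be checked on each machine before and after a workaround is rolled out. The following read-only PowerShell audit is an added example, not code from any poster, Microsoft or Fortinet; the variable and function names are hypothetical, the SendExtraRecord meanings follow KB2643584, and the SecureProtocols bit values are the standard per-user IE ones.

```powershell
# Added example (not from the thread): read-only audit of the settings discussed above.
$kb       = 'KB2585542'
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$inetCfg  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null instead of throwing when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

# 1. Is the update installed on this machine?
$installed = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

# 2. SChannel record-splitting switch described in KB2643584.
$ser = Get-RegValue $schannel 'SendExtraRecord'
$serText = @{
    0 = 'default: split records only for callers that opt in'
    1 = 'split records for every SChannel caller'
    2 = 'never split records (MS12-006 mitigation off)'
}
$serState = if ($null -eq $ser) {
    'not set (default behaviour)'
} elseif ($serText.ContainsKey([int]$ser)) {
    $serText[[int]$ser]
} else {
    "unexpected value $ser"
}

# 3. Protocols ticked on IE's Advanced tab (per-user SecureProtocols bitmask).
$bits = @{ 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80; 'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }
$sp = Get-RegValue $inetCfg 'SecureProtocols'
$enabled = if ($null -eq $sp) {
    'not set (IE default)'
} else {
    ($bits.Keys | Where-Object { $sp -band $bits[$_] } | Sort-Object) -join ', '
}

# One object per machine, suitable for Export-Csv when run across a fleet.
New-Object PSObject -Property @{
    Computer        = $env:COMPUTERNAME
    UpdateInstalled = $installed
    SendExtraRecord = $serState
    IEProtocols     = $enabled
}
```

A machine that reports the update installed together with SendExtraRecord 2 is running with the record-splitting change switched off, so it is worth tracking until the VPN gateway firmware has been updated.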
  • Hello all,

    We've been monitoring several of the compatibility issues related to MS12-006 and have worked with the Microsoft Security Research and Defense team to update a blog post consolidating content about what the vulnerability is, how the update mitigates the vulnerability, and links to several FixIt's designed to help quickly automate workarounds.  If you are running into an issue after applying this update, please review the blog and use the FixIt's to help quickly diagnose a compatibility problem.

    http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx

    Monday, March 19, 2012 7:20 PM
  • Thank you very much. That works.

    Wednesday, March 21, 2012 4:13 PM
  • It will work with unchecking TLS 1.0 in the IE options, Advanced, but it is better to do the Fortinet firmware update to version 4.3.5

    Microsoft TechNet Forum Bandara

    Wednesday, May 09, 2012 3:04 AM
  • I am having the same issue with Cisco SSL VPN since the latest update as well.

    Friday, May 18, 2012 1:27 PM
  • Hello all,

     

    I discovered last night if security update KB2585542 is installed on our Windows XP/7 machines, it won’t display our SSL VPN Login webpage.

    We use Fortinet Firewalls.

    After manually uninstalling KB2585542 I was successfully able to view our SSL VPN Login Webpage.

    I have declined security update KB2585542 on all of our WSUS servers to decline this update getting pushed out to all of our machines.

    Is anyone else experiencing this same type of SSL VPN issue?

     

    Cheers

    Tony


    i logged in just to thank you for this post. it too caused problems for us.

    • Proposed as answer by rino19ny Thursday, May 31, 2012 4:48 PM
    Thursday, May 31, 2012 4:48 PM
  • Thanks a lot Susanne - I managed to log in to my SSL VPN.
    • Proposed as answer by Suhail.H Friday, September 14, 2012 3:26 AM
    • Unproposed as answer by Suhail.H Friday, September 14, 2012 3:26 AM
    Friday, September 14, 2012 3:26 AM
  • I have been having issues where I cannot open my Sharepoint 2007 documents in Word or Excel when I work from home using FortiClient VPN SSL.  Tried several things I read but nothing worked.  Finally I installed firefox on my laptop and it works!
    Wednesday, October 17, 2012 4:23 PM
  • Hi,

    Thanks for your information ..

    I am facing a similar issue in Windows 8 and Win7 Home edition. Does anybody face these issues? Any idea about this?

    We use Fortinet Firewalls

    On Windows Enterprise systems, after manually uninstalling KB2585542 I was successfully able to use our SSL VPN with FortiClient but not able to connect through the web portal.

     Rgds, Jaice


    Thursday, November 15, 2012 10:42 AM
  • Thank you, Prestonious. This works without having to roll back the update.
    Thursday, December 06, 2012 2:40 AM