Intermittent problem authenticating to Office 365 Services using ADFS in Azure through a Checkpoint firewall

  • Question

  • We have been having an intermittent problem with users trying to authenticate to Office 365 services using ADFS in Azure.  Using Microsoft Network Monitor, we have narrowed it down to the TLS handshaking between the redirected client and the ADFS server selected by the load balancer.  When the TLS Hello packets are sent the packets are intermittently dropped by the Checkpoint firewall (our best guess).  Moving the client to another IP address resolves the issue.  The problematic IP address eventually "heals" itself after a certain amount of time.  Question, has anyone else experienced this issue and, if so, what was done to resolve this root cause?
    Friday, January 15, 2016 4:08 PM

Answers

  • I have read through it and was a little wary of that setup. Our ADFS servers are in Azure and if I make a wrong move I could easily take down 350 users. I was hoping bgkilian would provide some feedback. He has had a few weeks to test out your proposals and find a solution.  If he doesn't respond soon I will attempt to proceed with the SNI.  Is this something you have seen before?  I have also found that rebooting the firewall will resolve the issue... without having to issue a new IP.

    Thanks, TC


    Tuesday, February 16, 2016 3:35 PM

All replies

  • Did you try completely bypassing the Checkpoints? If that works, then we are on the wrong forum :)

    Do you have network traces that show something fishy around the SSL handshake, for example?


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, January 19, 2016 9:05 PM
  • Yes, we do have network traces showing dropping of Server Hello packets during the initial TLS handshake between the client and ADFS server.  Working with Microsoft support, it has been determined that it is not an ADFS issue, but a network/Checkpoint issue.  I am certain this question is, indeed, in the wrong forum, but I thought someone here may have traveled this path, before.  I am working with our network team to help resolve this, but they are still coming up to speed on Checkpoint.  Our gateways were upgraded to R77.30 last week, which did have some fixes for Server Hello drops, but the original issue remains.
    Wednesday, January 20, 2016 5:40 PM
  • I have seen some issues with SNI and other SSL artifacts. Make sure the tunnel is not terminated by your network devices between the WAP and the ADFS servers.

    Wednesday, January 20, 2016 6:22 PM
  • Looks like an SNI issue...

    Check if Checkpoint is SNI capable, and see here for supported reverse proxies:
    https://technet.microsoft.com/en-us/library/dn607304.aspx#devices
    (for SharePoint in an ADFS context, but it's the same).

    Consider using Web Application Proxy for Office 365.
    Checkpoint is your "client" here:
    http://blogs.technet.com/b/applicationproxyblog/archive/2014/06/19/how-to-support-non-sni-capable-clients-with-web-application-proxy-and-ad-fs-2012-r2.aspx


    Wednesday, January 20, 2016 6:36 PM
  • bgkilian, were you able to check on these?

    Monday, January 25, 2016 6:56 PM
  • bgkilian,

    We are experiencing the exact same problem.  We thought we would never find anything where someone else was experiencing this issue.  Please post back if you have found a fix or if anything suggested here helped.  Your help would be greatly appreciated.


    Thanks, TC

    Tuesday, February 16, 2016 1:50 PM
  • Trent, were you able to check the SNI part of it?

    Tuesday, February 16, 2016 2:25 PM