Security alert popup for Autodiscover certificate when Outlook connecting to Office 365 hosted email account
Last Updated July 30, 2018
When Outlook is configured to use an email account that is hosted within Office 365, part of its connection process is a request to http://autodiscover.XXXXX.com or https://autodiscover.XXXXX.com (where XXXXX is the company domain, outlook, etc.). These requests will time out as these servers do not actually exist. When a ProxySG or Advanced Secure Gateway is deployed transparently these requests can be intercepted and processed. Depending on the ProxySG or Advanced Secure Gateway configuration, the requests for https://autodiscover.XXXXX.com might result in a security alert prompt to the client. Example:
This issue occurs because of how the ProxySG and Advanced Secure Gateway process the https://autodiscover.XXXXX.com request when all of the following are true:
Port 443 is set to intercept and the service type is SSL proxy. This means requests for https://autodiscover.XXXXX.com will be processed by the SSL proxy.
SSL interception on exception is enabled (this is enabled by default on SGOS 6.2 and newer and on all ASG versions).
The client does not trust the ProxySG's or Advanced Secure Gateway's certificate found in the Configuration > Proxy Settings > SSL Proxy > General Settings > Issuer keyring as a "Trusted Certificate Authority (CA)" in its browser.
The certificate found in the Configuration > Proxy Settings > SSL Proxy > General Settings > Issuer keyring has expired.
NOTE: Only one of the last two conditions needs to hold: the untrusted-issuer condition if the security alert is about an untrusted issuer, or the expired-certificate condition if the security alert is about an invalid date.
When the ProxySG or Advanced Secure Gateway receives the request for https://autodiscover.XXXXX.com, its own attempt to contact this server times out. This triggers the SSL interception on exception feature: the ProxySG or Advanced Secure Gateway responds to the client with a server certificate issued by the Configuration > Proxy Settings > SSL Proxy > General Settings > Issuer keyring so that the SSL handshake can complete and an appropriate exception page can be shown. The security alert popup occurs during this SSL handshake because the client either does not trust the issuer of that server certificate or the server certificate has expired.
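The following is an added diagnostic example, not code from this article or from Symantec. It connects to autodiscover.<domain>:443 from a client behind the proxy with a verifying TLS client and reports whether the handshake completed against a trusted certificate, failed because the issuer is untrusted, failed because the certificate has expired, or got no answer at all (the non-intercepted timeout case). It assumes Python 3.7 or newer, where ssl.SSLCertVerificationError carries OpenSSL's verify_code; the numeric codes are OpenSSL's standard X509 verify results, not ProxySG values.

```python
import socket
import ssl
import sys

# OpenSSL X509 verify result codes (x509_vfy.h) that correspond to the two
# causes the article describes. These are OpenSSL values, not ProxySG-specific.
EXPIRED_CODES = {10}                       # X509_V_ERR_CERT_HAS_EXPIRED
UNTRUSTED_ISSUER_CODES = {18, 19, 20, 21}  # self-signed leaf / self-signed in
                                           # chain / no local issuer / first
                                           # certificate cannot be verified


def classify_verify_code(code):
    """Map an OpenSSL verify code to the article's two causes:
    'expired' (certificate date invalid), 'untrusted_issuer' (issuer keyring CA
    not trusted by the client) or 'other'."""
    if code in EXPIRED_CODES:
        return "expired"
    if code in UNTRUSTED_ISSUER_CODES:
        return "untrusted_issuer"
    return "other"


def probe_autodiscover(domain, timeout=10.0, context=None):
    """Connect to autodiscover.<domain>:443 with a verifying TLS context and
    report what a client on this network would experience."""
    host = "autodiscover." + domain
    ctx = context or ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                # Issuer is a tuple of RDNs, each a tuple of (name, value) pairs.
                issuer = dict(rdn[0] for rdn in cert["issuer"])
                return {"result": "trusted", "issuer": issuer,
                        "not_after": cert["notAfter"]}
    except ssl.SSLCertVerificationError as exc:
        # Verification failed: this is the case that produces the popup.
        return {"result": classify_verify_code(getattr(exc, "verify_code", None)),
                "detail": getattr(exc, "verify_message", str(exc))}
    except ssl.SSLError as exc:
        return {"result": "handshake_error", "detail": str(exc)}
    except OSError as exc:
        # Timed out or unreachable: nothing answered, so no interception occurred.
        return {"result": "no_answer", "detail": str(exc)}


if __name__ == "__main__":
    # Usage: python probe_autodiscover.py <company domain>
    print(probe_autodiscover(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

A "trusted" result whose issuer is the proxy's issuer keyring CA confirms SSL interception on exception is answering in place of the non-existent server; "untrusted_issuer" or "expired" points at the corresponding resolution step below.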
The resolution of the security alert popup depends on the reason why the popup was generated:
If the security alert popup is about an untrusted issuer, then steps must be taken to ensure the client trusts the certificate found in Configuration > Proxy Settings > SSL Proxy > General Settings > Issuer keyring as a trusted CA. This can be done either by changing this option to a keyring the client already trusts or by following the instructions at http://bluecoat.force.com/knowledgebase/articles/Solution/HowtoaddaProxySGCertificateintomyBrowser to install the certificate into the browser. For step one in that article, the keyring used for SSL interception on exception is the one found at Configuration > Proxy Settings > SSL Proxy > General Settings > Issuer keyring.
If the security alert popup is about the certificate's date having expired (the ProxySG and Advanced Secure Gateway only store an emulated certificate that is valid for 2 months), then first ensure that the keyring used is trusted by clients and has not expired. That keyring is specified in the Configuration > Proxy Settings > SSL Proxy > General Settings > Issuer keyring configuration. If the keyring has expired, create a new one (see the article "Default keyring has expired or is about to expire") and specify it in the configuration mentioned previously. If the keyring has not expired, then the emulated certificate, which is valid for 2 months, has been saved in the certificate cache and has not been removed from the cache because it is constantly being requested by clients. Flushing the certificate cache will resolve this issue. The article "Add Proxy SG certificate into my browser" shows how to flush the certificate cache.
Imported Document ID: 000032460