I am currently trialling Duo for my company and so far we like the product. One issue I am struggling with is certificates.
We have the Microsoft RDP client installed and working nicely, 2FA’ing test users via push notifications on their iPhones. We have a feature on our firewall to enable SSL deep packet inspection, which has just been enabled (description below):
When full SSL inspection is used, the FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. The FortiGate then re-encrypts the content, creates a new SSL session between the FortiGate and the recipient by impersonating the sender, and sends the content to the sender.
With this enabled, when the push notification is sent to an iPhone (on the WiFi) using the deep packet policy, the error ‘Invalid Certificate, The Certificate provided is invalid’ displays on the iPhone. I can bypass URLs for this feature of our firewall. What URLs should I whitelist? I have tried whitelisting *.duosecurity.com, but this doesn’t work, and I am not sure what URLs are used for incoming push notifications on the certificate.
Any suggestions on what URL I should be exempting?
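Added example (not Duo's, Fortinet's, or the poster's code): a small probe that shows, for each hostname you give it, whether the certificate a client on the LAN actually receives was issued by the firewall's re-signing CA or by the real public issuer. It assumes the machine it runs on trusts the inspection CA (as a browser on the LAN would) so the handshake succeeds and the issuer is visible; when that CA is not trusted, it reports the verification failure instead, which is the same condition the iPhone is hitting. The issuer-name markers, the `cafile` parameter and the sample certificate dicts are assumptions and constructed data, not values from this deployment; run it against the hostnames you observe the Duo app contacting in your firewall logs, and any host that comes back `intercepted` is a candidate for the inspection exemption.

```python
#!/usr/bin/env python3
"""Report which TLS endpoints are being re-signed by an inspecting firewall.

Added example, not Duo's or Fortinet's code. It assumes the workstation it runs on
trusts the firewall's inspection CA, so a verified handshake succeeds and
ssl.getpeercert() exposes the issuer of the certificate the client actually saw.
"""
import socket
import ssl
import sys

# ASSUMPTION: substrings that identify the firewall's re-signing CA in the issuer CN.
# Replace with the subject of the CA configured for deep inspection on your FortiGate.
INSPECTION_ISSUER_MARKERS = ("fortinet", "fortigate", "ssl-inspection")


def issuer_common_name(cert: dict) -> str:
    """Pull the issuer CN out of an ssl.getpeercert()-style dict (empty if absent)."""
    for rdn in cert.get("issuer", ()):
        for attr_type, attr_value in rdn:
            if attr_type == "commonName":
                return attr_value
    return ""


def classify(cert: dict, markers=INSPECTION_ISSUER_MARKERS) -> str:
    """'intercepted' if the leaf was issued by the inspection CA, 'passthrough' if
    by any other issuer, 'unknown' if the dict carries no issuer at all."""
    cn = issuer_common_name(cert).lower()
    if not cn:
        return "unknown"
    if any(marker in cn for marker in markers):
        return "intercepted"
    return "passthrough"


def probe(host: str, port: int = 443, timeout: float = 5.0, cafile=None) -> dict:
    """Open a verified TLS session to host:port and classify the presented certificate.

    cafile: optional PEM bundle (e.g. the firewall's CA) trusted in addition to the
    system store. A verification failure is returned rather than raised, because
    that failure is exactly what a client lacking the CA (the iPhone) experiences.
    """
    ctx = ssl.create_default_context()
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "status": "verify-failed", "issuer": "",
                "detail": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"host": host, "status": "error", "issuer": "", "detail": str(exc)}
    return {"host": host, "status": classify(cert),
            "issuer": issuer_common_name(cert), "detail": ""}


# Constructed sample certificate dicts in getpeercert() shape, for offline checks only.
SAMPLE_PASSTHROUGH = {
    "subject": ((("commonName", "service.example.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R3"),)),
}
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "service.example.test"),),),
    # Constructed issuer name, not a CA taken from this deployment.
    "issuer": ((("commonName", "Fortinet_CA_SSL"),),),
}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: probe_tls.py HOST [HOST ...]")
        sys.exit(1)
    for name in sys.argv[1:]:
        result = probe(name)
        print(f"{result['host']:40} {result['status']:14} "
              f"{result['issuer'] or result['detail']}")
```

Running it from a workstation that trusts the inspection CA gives you the list of hostnames the firewall is re-signing; running it from a machine that does not trust that CA reproduces the client-side failure, which is useful for confirming an exemption worked after you add it.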