When Outlook is configured to use an email account that is hosted within Office 365, part of its connection process is a request to http://autodiscover.XXXXX.com or https://autodiscover.XXXXX.com (where XXXXX is the company domain, outlook, etc.). These requests time out because these servers do not actually exist. When a ProxySG or Advanced Secure Gateway is deployed transparently, these requests can be intercepted and processed.
Depending on the ProxySG or Advanced Secure Gateway configuration, the requests for https://autodiscover.XXXXX.com might result in a security alert prompt to the client. For example:
This issue occurs because of how ProxySG and Advanced Secure Gateway process the https://autodiscover.XXXXX.com request when the following is true:
When the ProxySG or Advanced Secure Gateway receives the request for https://autodiscover.XXXXX.com, attempts to contact this server time out. This initiates the SSL interception on exception feature in which ProxySG or Advanced Secure Gateway responds to the client with a server certificate issued by the Configuration > Proxy Settings > SSL Proxy > General Settings > Issuer keyring so that the SSL handshake can complete and an appropriate exception page can be shown.
The security alert occurs during the SSL handshake because the client either does not trust the issuer of the server certificate, or the server certificate has expired.
The resolution of the security alert popup depends on the reason why the popup was generated:
You must take steps to ensure that the client trusts the certificate found in Configuration > Proxy Settings > SSL Proxy > General Settings > Issuer keyring (as a trusted CA). To do this, either change this option to a keyring the client already trusts, or see Add Proxy SG certificate into my browser to install the certificate into the browser.
Note: In step one of the TECH241928 article, the keyring used for SSL interception on exception is found at Configuration > Proxy Settings > SSL Proxy > General Settings > Issuer keyring.
Note: ProxySG and Advanced Secure Gateway only store a certificate that is valid for 2 months.
Ensure that the keyring used is trusted by clients and has not expired. That keyring is specified in the Configuration > Proxy Settings > SSL Proxy > General Settings > Issuer keyring configuration.
If the keyring has expired, create a new one, and specify it in the configuration mentioned previously. See Default keyring has expired or is about to expire for more information.
If the keyring has not expired, then the emulated certificate, which is valid for 2 months, has been saved in the certificate cache and has not been removed from the cache because it is constantly being requested by clients. Flushing the certificate cache will resolve this issue. Add Proxy SG certificate into my browser shows how to flush the certificate cache.
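To tell which of the two causes applies before changing the configuration, the handshake can be repeated from an affected client and the validation error inspected. The following is an added example, not part of the original article or of any Symantec tooling; the function names classify and probe are hypothetical, and Python validates against the operating system trust store, which can differ from the store Outlook uses.

```python
import socket
import ssl

# OpenSSL X.509 verification error codes for the two causes the article names.
UNTRUSTED = {18, 19, 20, 21}  # self-signed, or issuer not found in the trust store
EXPIRED = {10}                # certificate has expired


def classify(verify_code):
    """Map an OpenSSL verify code to the article's cause and its resolution."""
    if verify_code in UNTRUSTED:
        return ("untrusted-issuer",
                "Make clients trust the Issuer keyring certificate, or select "
                "a keyring they already trust.")
    if verify_code in EXPIRED:
        return ("expired",
                "If the Issuer keyring has expired, create a new one; "
                "otherwise flush the certificate cache.")
    return ("other", "Not one of the two causes described in the article.")


def probe(host, port=443, timeout=10.0, cafile=None):
    """Handshake with host as a client would and report why validation fails.

    cafile is an optional PEM bundle to validate against instead of the
    system store, for example the exported issuer CA certificate.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"result": "ok", "issuer": cert.get("issuer"),
                        "notAfter": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as err:
        cause, fix = classify(err.verify_code)
        return {"result": cause, "detail": err.verify_message, "fix": fix}
    except OSError as err:
        # No completed handshake: connection refused, reset or timed out.
        return {"result": "no-handshake", "detail": str(err)}


if __name__ == "__main__":
    import sys
    # Usage: python probe.py autodiscover.XXXXX.com (run from an affected client)
    print(probe(sys.argv[1]))
```

Passing the exported issuer certificate as cafile separates the two cases further: if the result changes from untrusted-issuer to expired, trust was not the only problem.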