KB2585542 Security Update causing SSL VPN Issues
You are right it definetly breaks the browser and client connection. Neither one would work after the update kb2585542 is applied.
January 12th, 2012 1:40am

You are right it definetly breaks the browser and client connection. Neither one would work after the update kb2585542 is applied.
Free Windows Admin Tool Kit Click here and download it now
January 12th, 2012 1:40am

Hello all, I discovered last night if security update KB2585542 is installed on our Windows XP/7 machines, it won’t display our SSL VPN Login webpage. We use Fortinet Firewalls. After manually unistalling KB2585542 I was sucesfully able to view our SSL VPN Login Webpage. I have declined security update KB2585542 on all of our WSUS servers to decline this update getting pushed out to all of our machines. Is anyone else experiening this same type of SSL VPN issue? Cheers Tony
January 12th, 2012 5:13am

Same here. I have around 50 clients today that can't connect to our Checkpoint today. I asked to remove all updates that a client did yesterday, but was not enough. A system restore of 2 days before solved the issue. Now I'm scared of what will happens in next few days.
Free Windows Admin Tool Kit Click here and download it now
January 12th, 2012 7:56am

Same here. I have around 50 clients today that can't connect to our Checkpoint today. I asked to remove all updates that a client did yesterday, but was not enough. A system restore of 2 days before solved the issue. Now I'm scared of what will happens in next few days.
January 12th, 2012 7:56am

hello, maybe you can use Froti SSL VPN client to connect your Server, download here http://dekiwiki.ties2.net/Fortinet/Fortinet_SSL_VPN_Client_Installers BTW, my co-worker is try to connect to other VPN device(JXX) with KB2585542 update, will be ok to connect it!! cheers Ting
Free Windows Admin Tool Kit Click here and download it now
January 12th, 2012 8:31am

You are right it definetly breaks the browser and client connection. Neither one would work after the update kb2585542 is applied.
January 12th, 2012 9:40am

Ting-wu says other VPN device that is Juniper FW. After the update KB2585542, I use IE to try to connect my company's SSL VPN service and device(use port 443), only Forti SSL VPN can't open the login page, others are OK.
Free Windows Admin Tool Kit Click here and download it now
January 12th, 2012 10:14am

Hello. Does anybody face these issues with Bitdefender Business Client installed? After installing security update KB2585542, log on to OS takes up to 15 minutes unless I set the firewall off in my Bitdefender. Thanks. Defender_13
January 12th, 2012 10:26am

Hello. Does anybody face these issues with Bitdefender Business Client installed? After installing security update KB2585542, log on to OS takes up to 15 minutes unless I set the firewall off in my Bitdefender. Thanks. Defender_13
Free Windows Admin Tool Kit Click here and download it now
January 12th, 2012 10:26am

We have the same issue on checkpoint SSL VPN.
January 12th, 2012 1:46pm

Same here. I have around 50 clients today that can't connect to our Checkpoint today. I asked to remove all updates that a client did yesterday, but was not enough. A system restore of 2 days before solved the issue. Now I'm scared of what will happens in next few days.
Free Windows Admin Tool Kit Click here and download it now
January 13th, 2012 7:45am

Hello. Does anybody face these issues with Bitdefender Business Client installed? After installing security update KB2585542, log on to OS takes up to 15 minutes unless I set the firewall off in my Bitdefender. Thanks. Defender_13
January 13th, 2012 10:15am

Hi, I just received an information of support@companycrypt.com that a registry hack could help: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL add new DWORD (32-bit) SendExtraRecord Value 2 Susanne
Free Windows Admin Tool Kit Click here and download it now
January 13th, 2012 2:39pm

I forgot the ms article: see: http://support.microsoft.com/kb/2643584 Susanne
January 13th, 2012 2:42pm

Running Checkpoint as well and running into the same issue. R70.40 SNX. XP and Windows7 have the same issue after installing.
Free Windows Admin Tool Kit Click here and download it now
January 13th, 2012 3:13pm

Hi, I just received an information of support@companycrypt.com that a registry hack could help: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL add new DWORD (32-bit) SendExtraRecord Value 2 Susanne
January 14th, 2012 6:28am

I forgot the ms article: see: http://support.microsoft.com/kb/2643584 Susanne
Free Windows Admin Tool Kit Click here and download it now
January 14th, 2012 6:31am

We also use a FortiNet firewall (110C), and believe that this Microsoft update broke VPN for one user. We tried uninstalling the update, doing a system restore, and no luck. Any ideas on how to fix this?
January 17th, 2012 11:43am

We also use a FortiNet firewall (110C), and believe that this Microsoft update broke VPN for one user. We tried uninstalling the update, doing a system restore, and no luck. Any ideas on how to fix this?
Free Windows Admin Tool Kit Click here and download it now
January 17th, 2012 11:43am

We also use a FortiNet firewall (110C), and believe that this Microsoft update broke VPN for one user. We tried uninstalling the update, doing a system restore, and no luck. Any ideas on how to fix this?
January 17th, 2012 11:58am

Hello , All After checking the problem with checkpoint team we have found a solution to this problem to solve this problem go to Policy > global properties > ssl network extender > (under supported encryption methods ) change the method from AES , 3DES to AES , 3DES , RC4 .
Free Windows Admin Tool Kit Click here and download it now
January 18th, 2012 3:37am

Changing Encryption will not help on a Fortigate. This problem is related to the self-signed certificate. IE 7 - 9 and Chrome are both broke. Firefox is not affected by this issue and still works. Fortinet recommends Generating a certificate and using that, but they said they are working on a solution.
January 18th, 2012 10:26pm

Changing Encryption will not help on a Fortigate. This problem is related to the self-signed certificate. IE 7 - 9 and Chrome are both broke. Firefox is not affected by this issue and still works. Fortinet recommends Generating a certificate and using that, but they said they are working on a solution.
Free Windows Admin Tool Kit Click here and download it now
January 18th, 2012 10:26pm

Changing Encryption will not help on a Fortigate. This problem is related to the self-signed certificate. IE 7 - 9 and Chrome are both broke. Firefox is not affected by this issue and still works. Fortinet recommends Generating a certificate and using that, but they said they are working on a solution.
January 19th, 2012 10:18pm

Hi, if it can help. In the IE option, advanced, uncheck TLS 1.0 , for us it solve the issue. Checkpoint FW 1. Have a good day.
Free Windows Admin Tool Kit Click here and download it now
January 20th, 2012 2:08am

Hi, if it can help. In the IE option, advanced, uncheck TLS 1.0 , for us it solve the issue. Checkpoint FW 1. Have a good day.
January 20th, 2012 2:08am

Hi DrjonesUSA, We too have a 110C.. For the few users that had this update installed I simply went into: Control Panel > All Control Panel Items > Programs and Features > View installed updates > Right clicked security update KB2585542 > Uninstall > Rebooted the machine If that didnt work I'd maybe suggest, uninstalling the FortiClient, Reset IE settings and re-install the FortiClient again. Hopefully Fortinet get a fix out soon! Cheers Tony
Free Windows Admin Tool Kit Click here and download it now
January 20th, 2012 5:55am

Hi DrjonesUSA, We too have a 110C.. For the few users that had this update installed I simply went into: Control Panel > All Control Panel Items > Programs and Features > View installed updates > Right clicked security update KB2585542 > Uninstall > Rebooted the machine If that didnt work I'd maybe suggest, uninstalling the FortiClient, Reset IE settings and re-install the FortiClient again. Hopefully Fortinet get a fix out soon! Cheers Tony
January 20th, 2012 9:42pm

Hi, if it can help. In the IE option, advanced, uncheck TLS 1.0 , for us it solve the issue. Checkpoint FW 1. Have a good day.
Free Windows Admin Tool Kit Click here and download it now
January 21st, 2012 1:55am

Quick update to this; upgrading our checkpoint firewalls to R71 HFA 40 resolved it for us.
January 21st, 2012 2:40pm

We are already using a generated commercial certificate. It doesn't help on an FG1000A with version 4, latest patch release. Using Firefox fixes the problem though. Based on that experience, the self signed certificate isn't the problem with IE and won't help fix this problem on IE 7-9.
Free Windows Admin Tool Kit Click here and download it now
January 25th, 2012 1:06pm

We are already using a generated commercial certificate. It doesn't help on an FG1000A with version 4, latest patch release. Using Firefox fixes the problem though. Based on that experience, the self signed certificate isn't the problem with IE and won't help fix this problem on IE 7-9.
January 25th, 2012 1:06pm

We are already using a generated commercial certificate. It doesn't help on an FG1000A with version 4, latest patch release. Using Firefox fixes the problem though. Based on that experience, the self signed certificate isn't the problem with IE and won't help fix this problem on IE 7-9.
Free Windows Admin Tool Kit Click here and download it now
January 26th, 2012 12:54pm

Fortinet released a customer support bulletin CSB-120117-1 that addresses this issue. They have special builds of their firmware available for the fix or they recommend rolling back the security update. I was able to work around this by disabling TLS 1.0 and enabling TLS 1.1 and TLS 1.2 on the Advanced tab of Internet Options in IE.
January 31st, 2012 2:18pm

Fortinet released a customer support bulletin CSB-120117-1 that addresses this issue. They have special builds of their firmware available for the fix or they recommend rolling back the security update. I was able to work around this by disabling TLS 1.0 and enabling TLS 1.1 and TLS 1.2 on the Advanced tab of Internet Options in IE.
Free Windows Admin Tool Kit Click here and download it now
January 31st, 2012 2:18pm

Fortinet released a customer support bulletin CSB-120117-1 that addresses this issue. They have special builds of their firmware available for the fix or they recommend rolling back the security update. I was able to work around this by disabling TLS 1.0 and enabling TLS 1.1 and TLS 1.2 on the Advanced tab of Internet Options in IE.
January 31st, 2012 2:27pm

The update KB2585542 has to be hidden in the windows update or it will re-install the next time you reboot.
Free Windows Admin Tool Kit Click here and download it now
January 31st, 2012 10:40pm

The update KB2585542 has to be hidden in the windows update or it will re-install the next time you reboot.
January 31st, 2012 10:40pm

The update KB2585542 has to be hidden in the windows update or it will re-install the next time you reboot.
Free Windows Admin Tool Kit Click here and download it now
January 31st, 2012 10:50pm

Hi, It's confirmed that kb2585542 will break the SSL VPN connection using IE, currently firefox 9.01 will still be able to use SSL VPN but the recent version 10, will too break SSL VPN. Your best bet will be using the Forticlient SSL VPN client which you might be able to download over the internet. Insert your server address : address:port, e.g. remote.mydns.com.sg:443. port number is very important here. you don't have to include https:// infront password : yourpassword and you will be able to connect. Hope this is able to give an alternative solution to your problem. Cheers, Lucas
February 6th, 2012 12:05am

Hi, It's confirmed that kb2585542 will break the SSL VPN connection using IE, currently firefox 9.01 will still be able to use SSL VPN but the recent version 10, will too break SSL VPN. Your best bet will be using the Forticlient SSL VPN client which you might be able to download over the internet. Insert your server address : address:port, e.g. remote.mydns.com.sg:443. port number is very important here. you don't have to include https:// infront password : yourpassword and you will be able to connect. Hope this is able to give an alternative solution to your problem. Cheers, Lucas
Free Windows Admin Tool Kit Click here and download it now
February 6th, 2012 12:05am

Hi, It's confirmed that kb2585542 will break the SSL VPN connection using IE, currently firefox 9.01 will still be able to use SSL VPN but the recent version 10, will too break SSL VPN. Your best bet will be using the Forticlient SSL VPN client which you might be able to download over the internet. Insert your server address : address:port, e.g. remote.mydns.com.sg:443. port number is very important here. you don't have to include https:// infront password : yourpassword and you will be able to connect. Hope this is able to give an alternative solution to your problem. Cheers, Lucas
February 6th, 2012 12:09am

Hi, We also have this problem with the last version of firefox. Uninstalling the update kb2585542 doesnt resolve the problem for firefox, but it should work for IE 7-9. We need to solve the problem with firefox. any ideas?
Free Windows Admin Tool Kit Click here and download it now
February 6th, 2012 9:32am

Hi, We also have this problem with the last version of firefox. Uninstalling the update kb2585542 doesnt resolve the problem for firefox, but it should work for IE 7-9. We need to solve the problem with firefox. any ideas?
February 6th, 2012 9:32am

Hi, We also have this problem with the last version of firefox. Uninstalling the update kb2585542 doesnt resolve the problem for firefox, but it should work for IE 7-9. We need to solve the problem with firefox. any ideas? How about uncheck TLS 1.0 in the options?
Free Windows Admin Tool Kit Click here and download it now
February 6th, 2012 10:18am

Hi, We also have this problem with the last version of firefox. Uninstalling the update kb2585542 doesnt resolve the problem for firefox, but it should work for IE 7-9. We need to solve the problem with firefox. any ideas? How about uncheck TLS 1.0 in the options?
February 6th, 2012 10:18am

Hi, We also have this problem with the last version of firefox. Uninstalling the update kb2585542 doesnt resolve the problem for firefox, but it should work for IE 7-9. We need to solve the problem with firefox. any ideas?
Free Windows Admin Tool Kit Click here and download it now
February 7th, 2012 9:26am

Hi, We also have this problem with the last version of firefox. Uninstalling the update kb2585542 doesnt resolve the problem for firefox, but it should work for IE 7-9. We need to solve the problem with firefox. any ideas? How about uncheck TLS 1.0 in the options?
February 7th, 2012 10:13am

For me unchecking TLS 1.0 didn't help Pavel
Free Windows Admin Tool Kit Click here and download it now
February 8th, 2012 2:13am

For me unchecking TLS 1.0 didn't help Pavel
February 8th, 2012 2:13am

For me unchecking TLS 1.0 didn't help Pavel
Free Windows Admin Tool Kit Click here and download it now
February 9th, 2012 2:16am

Hello all, After logging a ticket with Fortinet, this is the response I got back.. Hope this helps all Fortinet users... Dear Customer, This email is to inform you that your ticket xxxxxx has been updated. Ticket Title: SSL login page error Ticket Status: Registered Updated by xxxxxxxx at 2/5/2012 8:05:59 PM This is a known issue, I have attached customer support bulletin to the ticket, please have a read and let me know if you have any questions. We have released FOS 4.3.5 public firmware on Jan 31st which contains this fix. If you require fix in 4.2 code or 4.1 code, please let me know. Thank you. Fortinet Customer SupportBulletin Subject: SSLVPN Connectivity Issue Product: All FortiGate models running Description of Issue: After installing a Microsoft security update users may no longer be able to connect to the SSLVPN portal on a FortiGate.This issue has been reported by users running Internet Explorer and Chrome browsers. Microsoft released an update to resolve a vulnerability found in SSL 3.0 and TLS 1.0, this is referenced in the Microsoft Security Bulletin MS12-006. This vulnerability could allow an attacker to intercept encrypted traffic. The change of behavior introduced with the Microsoft patch has resulted in an incompatibility with FortiOS SSLVPN implementation resulting in the failure for some clients to connect to the SSLVPN portal. Affected Products: All FortiGate models and software versions using the SSLVPN portal feature in combination with client workstations that are using Internet Explorer or Chrome browsers. Resolution: The immediate resolution for this issue is to roll back the Microsoft update as referenced in MS12- 006. Details of the Microsoft security bulletin can be found on the following web page: http://technet.microsoft.com/en-us/security/bulletin/ms12-006 Fortinet will produce an update to FortiOS to restore the compatibility with systems that have been updated with the Microsoft patch. A special build of software will be available on demand from a Fortinet support center from Friday 20th January, the enhancement will also be included in all future patch releases for GA release. Technical Support Contact Information: Fortinet technical support home page: https://support.fortinet.com
February 9th, 2012 2:42am

Hi All, I'm having the same problem after we are updated the patch KB2585542. we cannot access SSL VPN through I.E. it dosn't diplay webpay for login. I'm using Fortigate Firewall 300A. Do you have solution with remove patch KB2585542? Khemarin333@hotmail.com
Free Windows Admin Tool Kit Click here and download it now
February 9th, 2012 2:54am

Try the KB http://support.microsoft.com/kb/2643584
February 9th, 2012 3:33am

Try the KB http://support.microsoft.com/kb/2643584
Free Windows Admin Tool Kit Click here and download it now
February 9th, 2012 3:33am

Try the KB http://support.microsoft.com/kb/2643584
February 9th, 2012 3:36am

Hi Tony, I was facing same problem. I've manually removed Window update KB2585542 & resolved the same. Thanks, Jatin Purohit Ahmedabad-India
Free Windows Admin Tool Kit Click here and download it now
February 9th, 2012 6:05am

Hello all, After logging a ticket with Fortinet, this is the response I got back.. Hope this helps all Fortinet users... Dear Customer, This email is to inform you that your ticket xxxxxx has been updated. Ticket Title: SSL login page error Ticket Status: Registered Updated by xxxxxxxx at 2/5/2012 8:05:59 PM This is a known issue, I have attached customer support bulletin to the ticket, please have a read and let me know if you have any questions. We have released FOS 4.3.5 public firmware on Jan 31st which contains this fix. If you require fix in 4.2 code or 4.1 code, please let me know. Thank you. Fortinet Customer SupportBulletin Subject: SSLVPN Connectivity Issue Product: All FortiGate models running Description of Issue: After installing a Microsoft security update users may no longer be able to connect to the SSLVPN portal on a FortiGate.This issue has been reported by users running Internet Explorer and Chrome browsers. Microsoft released an update to resolve a vulnerability found in SSL 3.0 and TLS 1.0, this is referenced in the Microsoft Security Bulletin MS12-006. This vulnerability could allow an attacker to intercept encrypted traffic. The change of behavior introduced with the Microsoft patch has resulted in an incompatibility with FortiOS SSLVPN implementation resulting in the failure for some clients to connect to the SSLVPN portal. Affected Products: All FortiGate models and software versions using the SSLVPN portal feature in combination with client workstations that are using Internet Explorer or Chrome browsers. Resolution: The immediate resolution for this issue is to roll back the Microsoft update as referenced in MS12- 006. Details of the Microsoft security bulletin can be found on the following web page: http://technet.microsoft.com/en-us/security/bulletin/ms12-006 Fortinet will produce an update to FortiOS to restore the compatibility with systems that have been updated with the Microsoft patch. A special build of software will be available on demand from a Fortinet support center from Friday 20th January, the enhancement will also be included in all future patch releases for GA release. Technical Support Contact Information: Fortinet technical support home page: https://support.fortinet.com
February 9th, 2012 10:39am

Hi, I just received an information of support@companycrypt.com that a registry hack could help: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL add new DWORD (32-bit) SendExtraRecord Value 2 Susanne We had the same issues in our environment with certain certificate authenticated websites over SSL. Winxp 32-64 WIN7 32-64. Uninstalling the patch fixed the issue however, we are required to have this patch on our machines. After reinstalling it broke the sites again but pushing this registry change through group policy solved our problems and allowed the patch to remain on our machines.
Free Windows Admin Tool Kit Click here and download it now
February 17th, 2012 4:21pm

Hi, I just received an information of support@companycrypt.com that a registry hack could help: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL add new DWORD (32-bit) SendExtraRecord Value 2 Susanne We had the same issues in our environment with certain certificate authenticated websites over SSL. Winxp 32-64 WIN7 32-64. Uninstalling the patch fixed the issue however, we are required to have this patch on our machines. After reinstalling it broke the sites again but pushing this registry change through group policy solved our problems and allowed the patch to remain on our machines.
February 17th, 2012 4:21pm

Hi, I just received an information of support@companycrypt.com that a registry hack could help: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL add new DWORD (32-bit) SendExtraRecord Value 2 Susanne We had the same issues in our environment with certain certificate authenticated websites over SSL. Winxp 32-64 WIN7 32-64. Uninstalling the patch fixed the issue however, we are required to have this patch on our machines. After reinstalling it broke the sites again but pushing this registry change through group policy solved our problems and allowed the patch to remain on our machines.
Free Windows Admin Tool Kit Click here and download it now
February 18th, 2012 4:14pm

This solved our issue with Checkpoint SSL VPN, on all Windows versions Thanks
February 29th, 2012 6:28am

This solved our issue with Checkpoint SSL VPN, on all Windows versions Thanks
Free Windows Admin Tool Kit Click here and download it now
February 29th, 2012 6:28am

This solved our issue with Checkpoint SSL VPN, on all Windows versions Thanks
February 29th, 2012 6:37am

Disabling TLS 1.0 and enabling TLS 1.1 and TLS 1.2 works well. Thanks
Free Windows Admin Tool Kit Click here and download it now
March 2nd, 2012 11:10am

Disabling TLS 1.0 and enabling TLS 1.1 and TLS 1.2 works well. Thanks
March 2nd, 2012 11:10am

Disabling TLS 1.0 and enabling TLS 1.1 and TLS 1.2 works well. Thanks
Free Windows Admin Tool Kit Click here and download it now
March 2nd, 2012 11:21am

Hello all, We've been monitoring several of the compatibility issues related to MS12-006 and have worked with the Microsoft Security Research and Defense team to update a blog post consolidating content about what the vulnerability is, how the update mitigates the vulnerability, and links to several FixIt's designed to help quickly automate workarounds. If you are running into an issue after applying this update, please review the blog and use the FixIt's to help quickly diagnose a compatibility problem. http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx
March 19th, 2012 3:21pm

Thank you very much. That works.
Free Windows Admin Tool Kit Click here and download it now
March 21st, 2012 12:13pm

Thank you very much. That works.
March 21st, 2012 12:13pm

Thank you very much. That works.
Free Windows Admin Tool Kit Click here and download it now
March 22nd, 2012 12:03pm

It will work with uncheking TLS 1.0 In the IE option, advanced, But better to do the Fortinet firmware update to version 4.3.5 Microsoft TechNet Forum Bandara
May 8th, 2012 11:07pm

I am having the same issue with Cisco SSL VPN since the latest update as well.
Free Windows Admin Tool Kit Click here and download it now
May 18th, 2012 9:27am

I am having the same issue with Cisco SSL VPN since the latest update as well.
May 18th, 2012 9:27am

I am having the same issue with Cisco SSL VPN since the latest update as well.
Free Windows Admin Tool Kit Click here and download it now
May 18th, 2012 9:28am

Hello all, I discovered last night if security update KB2585542 is installed on our Windows XP/7 machines, it wont display our SSL VPN Login webpage. We use Fortinet Firewalls. After manually unistalling KB2585542 I was sucesfully able to view our SSL VPN Login Webpage. I have declined security update KB2585542 on all of our WSUS servers to decline this update getting pushed out to all of our machines. Is anyone else experiening this same type of SSL VPN issue? Cheers Tony i logged in just to thank you for this post. it too caused problems for us.
May 31st, 2012 12:49pm

Thanks a Lot Susanne-I managed to login to to my SSl VPN.
Free Windows Admin Tool Kit Click here and download it now
September 13th, 2012 11:28pm

I have been having issues where I cannot open my Sharepoint 2007 documents in Word or Excel when I work from home using FortiClient VPN SSL. Tried several things I read but nothing worked. Finally I installed firefox on my laptop and it works!
October 17th, 2012 12:23pm

Hi, Thanks for your information .. Similar issue I am facing in windows 8 and win7 home edition , Does anybody face these issues any idea abut this .. We use Fortinet Firewalls Windows enterprise systems after manually uninstalling KB2585542 I was successfully able to use our SSL VPN with forti client but not able to connect through web portal . Rgds, Jaice
Free Windows Admin Tool Kit Click here and download it now
November 15th, 2012 5:42am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics