Cannot connect externally to SSL site
Cannot connect externally to SSL site - 10.Jun.2003 7:34:00 PM
idsltd
Posts: 87
Joined: 28.Apr.2003
From: Newcastle
Status: offline
I'm really frustrated with this. Here's the scenario.
I have published OWA, which works fine when unsecured. The web site in IIS was set up to listen on port 80 (default) and the web proxy incoming listener was set to 81 (not sure if this is correct but it works!) I have since purchased a certificate which I have assigned to the correct web site. So in IIS, I then assign port 443 for SSL connections. At this point, internally secure connections to my web page are made no problem, but I'm unsure as to how to get it to work externally.
If I set the incoming listeners to use 443 for SSL connections, the Web Proxy service fails because that port is already in use. I tried setting it to 444 (again, unsure if this is possible but I got frustrated and tried various things!) and then putting :444 on the end of the URL in IE6, but again, no success. (however, this did again, work internally!)
If I use http:// in the URL, it tells me I need to use https:// so I know it's not a communication problem in the sense of not being able to get to the site!
If I start the web proxy service up with 443 then start up the IIS site with 443, I get an event id 115 error, which I understand to be a problem with SSL setup.
Upshot is, I don't know how to get it to work externally. Do I need to put in place some kind of publishing rule?? Microsoft starts going on about host headers when describing 115 events, but I don't know what they're talking about!??
All advice will be welcomed
I hope to hear from someone, I've tried to describe the setup as best I can.
Many Thanks
Tommy Addison
RE: Cannot connect externally to SSL site - 10.Jun.2003 10:18:00 PM
tshinder
Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Tommy,
If the port is already in use, you should disable IIS on the ISA firewall.
HTH, Tom
RE: Cannot connect externally to SSL site - 11.Jun.2003 1:17:00 PM
idsltd
Tom, I'm not 100% sure on how to do what you asked. Here's the new situation as it stands now.
I've currently got everything working without any Web Publishing rules in place, but that's only because I've got IIS listening on the external IP. If I ask IIS to listen on internal/localhost addresses, can I hell get it to work. I create a web publishing rule to forward requests to the internal server, and it does not work externally, just get a page cannot be displayed message. ISA listener is configured for ports 81 + 444 respectively for HTTP and SSL requests (IIS is using 80 + 443). If I create a Web Pub rule to bridge requests to these ports, nothing happens. But everything works when I have IIS listening on the external adapter, assuming I have the correct incoming packet filters enabled for ports 80 + 443 (which I don't want - surely this isn't the safest method, even though SSL is required to access the site).
What destination set should I be creating?? If I set IIS to listen on internal adapter and then create a web pub rule to forward requests using a specific destination set, how do I set that destination set up? Do I set it up for the IP on the external adapter with a path of /* ????
Any advice Tom (or anybody else)
Thanks all Tommy Addison
RE: Cannot connect externally to SSL site - 11.Jun.2003 10:01:00 PM
tshinder
Hi Tommy,
First, let's get the problem defined:
Where is the OWA server?
Where is the ISA server?
Thanks! Tom
RE: Cannot connect externally to SSL site - 11.Jun.2003 10:36:00 PM
idsltd
The server in question houses everything. It is an SBS machine.
Incoming listener is listening on external adapter, on ports 81 + 444. IIS site is listening on 80 + 443.
I have disabled socket pooling (which I believe was described in your book) because IIS is on the same machine as ISA. If I set up a web publishing rule for OWA, with the 3 paths (exchweb, exchange + public) and then redirect the requests to my internal server (220.220.1.10) nothing happens. This is despite the fact I have IIS listening on that exact IP address. The web pub rule is set to redirect to ports 80 + 443.
Does that sound right? It only works internally using the IP address of the server, nothing else. If I try externally, it cannot find the site, as if it's not forwarding requests.
Cheers, Tommy
RE: Cannot connect externally to SSL site - 12.Jun.2003 9:16:00 PM
tshinder
Hi Tommy,
First step, use the default ports for OWA, do not redirect to another port. So, make sure OWA is listening on 80 and 443. Make sure you disable secure bindings as listed in the book, and don't run any other Web sites on the ISA/OWA machine. There are a million little details required to get everything working when co-locating on the ISA firewall, but those are the biggies.
HTH, Tom
RE: Cannot connect externally to SSL site - 12.Jun.2003 11:31:00 PM
idsltd
One other thing Tom, check out this new post. Take away the Netgear side of things and I had this exact problem during testing today. Everything else will work except for OWA
Cheers, Tommy
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=5;t=001836
RE: Cannot connect externally to SSL site - 13.Jun.2003 4:29:00 PM
idsltd
Appreciate the help Tom but let's leave this one. By my own admission, I've gone on a bit and it looks a bit long-winded. I've posted a new post with how it is now, a lot clearer I should hope.
Your help (and others) would be very appreciated
Cheers Tommy
RE: Cannot connect externally to SSL site - 14.Jun.2003 5:56:00 PM
tshinder
quote: Originally posted by IDS: Tom, thanks again for the reply
Works to a point! I've got some things working. Here's the score as it stands now (after a lot of painstaking today through the book).
Bindings on the external adapter are non-existent, everything unticked along with disabling LMHOSTS lookup (is this right?)
Incoming listener is listening on external IP on ports 80/443. Web site is listening on internal IP on ports 80/443. Now throughout testing today, I've had various errors ranging from proxy chain loops to 401/403 errors. I created a destination set pointing to the FQDN/external IP (both end with same result) with the following defined paths - /exchange/* /exchweb/* and /public/* - all of which I believe to be right. I then created a web pub rule using the destination set above, redirecting to the internal IP of ISA Server. All other options left as default, bridging to default ports etc...
Now I thought this would be enough!?? I have basic authentication configured everywhere I know of (I know it isn't secure yet but before this works, it's pointless trying SSL right??) and the configured default page for my web site (OWALogon.asp) resides in the root folder. If I type in http://<myservername>/exchange - I get a 403 forbidden error. Should it be bringing up my OWALogon.asp page before trying to access OWA?
I can successfully configure other web sites on the server using the same methods as above, with the respective destination sets and they work fine from external internet clients, it's just OWA having the problem. (Other sites are now not running.)
Any thoughts good sir?? I have done as you asked in your previous post so awaiting suggestions.
Thanks Tom
Tom
Hi Tom,
The proxy chain loop indicates a possible Web Routing Rule problem or a problem with the redirect you're using in your Web Publishing Rule. It could also indicate that you're testing from an internal network client. Always test from an external network client. Internal network clients should access the server directly, not by looping back through the external interface.
HTH, Tom
RE: Cannot connect externally to SSL site - 14.Jun.2003 6:02:00 PM
tshinder
Hi Tom,
Another thing to try. For your paths in the destination sets, try:
/exchange* /exchweb* /public*
HTH, Tom
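The two path styles discussed in this thread, compared side by side as an added example (not part of any post, and not ISA Server's own matcher). It assumes a trailing `*` is a prefix wildcard and an entry without one must match exactly; the request paths are constructed samples.

```python
# Added illustration, not ISA Server code. Assumption: a trailing "*" in a
# destination-set path is a prefix wildcard; without it the match is exact.

# Path lists as written in the thread.
WITH_SLASH = ["/exchange/*", "/exchweb/*", "/public/*"]
NO_SLASH = ["/exchange*", "/exchweb*", "/public*"]

# Constructed request paths (sample values, not taken from any log).
SAMPLES = [
    "/exchange",               # what a user types, no trailing slash
    "/exchange/",
    "/exchange/tommy/inbox",
    "/exchweb/img/logo.gif",
    "/public",
    "/exchange-old/test",      # unrelated path sharing the prefix
    "/OWALogon.asp",           # logon page kept in the site root
]


def path_matches(pattern, path):
    """Match one request path against one destination-set path entry."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def covered(dest_set, path):
    """True if any entry in the destination set covers the path."""
    return any(path_matches(p, path) for p in dest_set)


def differences(samples=SAMPLES):
    """Paths that the two destination sets treat differently."""
    return [p for p in samples
            if covered(WITH_SLASH, p) != covered(NO_SLASH, p)]


if __name__ == "__main__":
    print(f"{'request path':26} {'/dir/*':8} {'/dir*':8}")
    for p in SAMPLES:
        print(f"{p:26} {covered(WITH_SLASH, p)!s:8} {covered(NO_SLASH, p)!s:8}")
    print("differs:", differences())
```

Under this assumption the shorter patterns also cover any sibling path that merely shares the prefix, and neither list covers a logon page kept in the site root.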
RE: Cannot connect externally to SSL site - 14.Jun.2003 9:12:00 PM
idsltd
Tom,
Got it working now and I think it's secure but you could give me your thoughts if you wish. I have set the dest set up along with web pub rule and within the web pub rule, I have set it to require a secure connection (basic authentication is being used). If I then forward SSL requests as HTTP (terminate at proxy) it works, but if I forward SSL as SSL, I get the 500 internal error. Also, in this scenario, the properties of the exchange virtual directories in IIS are not set to require secure comms, which I find strange, but hey, it works. Is this because I'm terminating SSL at the proxy? And is this described setup secure? It appears to be, I can't get into the site without https:// in the URL.
Cheers, Tommy
RE: Cannot connect externally to SSL site - 15.Jun.2003 5:38:00 AM
tshinder
quote: Originally posted by IDS: Tom,
Got it working now and I think it's secure but you could give me your thoughts if you wish. I have set the dest set up along with web pub rule and within the web pub rule, I have set it to require a secure connection (basic authentication is being used). If I then forward SSL requests as HTTP (terminate at proxy) it works, but if I forward SSL as SSL, I get the 500 internal error. Also, in this scenario, the properties of the exchange virtual directories in IIS are not set to require secure comms, which I find strange, but hey, it works. Is this because I'm terminating SSL at the proxy? And is this described setup secure? It appears to be, I can't get into the site without https:// in the URL.
Cheers, Tommy
Hi Tommy,
Go to www.isaserver.org/shinder and search for "500".
HTH, Tom