Welcome to ISAserver.org

All Forums >> [ISA Server 2004 Firewall] >> Access Policies >> Client Access Problems using SSL

Client Access Problems using SSL
Client Access Problems using SSL - 20.Jan.2007 6:08:51 AM   
stosti

 

Posts: 136
Joined: 27.Oct.2003
Status: offline
Does anyone know of any problems using SSL on the internal network to access an SSL site on the internet?  We use a CRM package from RightNow Technologies that is browser based.  The application crashes or flat out doesn't work through an ISA 2004 server.  The RightNow engineers say they are seeing ISA drop packets and a TCP reset every 30 seconds.  The reset is not originating from the internal network.  It's originating from the ISA server.  We ran network traces on the internal and external interfaces while my users were trying to access the CRM system.

I opened a case with Microsoft but so far nothing...

Thanks,
Scott
Post #: 1
RE: Client Access Problems using SSL - 20.Jan.2007 6:27:27 AM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Scott,

- How is the client configured: Web Proxy, Firewall and/or SecureNAT client?
- Is that application behaving as a Web Proxy client? If so, what happens if you configure the destination for direct access.
- Do you ask authentication on the ISA access rule allowing that access?
- ...

HTH,
Stefaan

(in reply to stosti)
Post #: 2
RE: Client Access Problems using SSL - 20.Jan.2007 6:54:11 AM   
stosti

 

Posts: 136
Joined: 27.Oct.2003
Status: offline
SecureNAT

NO

I don't understand your third question.  We authenticate via browser when the application opens.  We are always able to successfully authenticate.  We suffer from session crashes while trying to access data.

Thanks Stefaan

(in reply to spouseele)
Post #: 3
RE: Client Access Problems using SSL - 20.Jan.2007 12:41:13 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Scott,

if the client is configured as a SecureNAT client *only* then the ISA access rule allowing the access must apply to "All users" because a SecureNAT client can never authenticate against the ISA server. As a consequence ISA only forwards the TCP connection and doesn't do any content checking.

Any chance you can post a URL where we can download a Network Monitor trace taken on the ISA internal *and* external interface simultaneously, and the corresponding ISA logging?

HTH,
Stefaan

< Message edited by spouseele -- 20.Jan.2007 12:43:35 PM >

(in reply to stosti)
Post #: 4
RE: Client Access Problems using SSL - 20.Jan.2007 12:56:04 PM   
stosti

 

Posts: 136
Joined: 27.Oct.2003
Status: offline
I have the access rule set to "all users".  We all use the rightnow application.

I will gather up the data and send you a link to filesanywhere to download it.  What ISA logging do you need?

Thanks,
Scott

(in reply to spouseele)
Post #: 5
RE: Client Access Problems using SSL - 20.Jan.2007 2:31:34 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Scott,

with ISA logging I mean node Monitor, tab Logging.

Of course I assume you will implement the correct filter for the ISA logging *and* the Network Monitor traces so we will only see the relevant traffic.

HTH,
Stefaan

(in reply to stosti)
Post #: 6
RE: Client Access Problems using SSL - 20.Jan.2007 3:00:03 PM   
stosti

 

Posts: 136
Joined: 27.Oct.2003
Status: offline
I will not be able to supply the monitor information today.  I will need to route all RightNow traffic through this firewall again Monday for that.

Only packets to and from RightNow go through this server.  There is nothing to filter on.  This is a dedicated T1, router and firewall for RightNow traffic.

If you remove the ISA server and put a 2003 server and use RRAS to NAT the traffic the application works as designed.

Problems with the link?  Copy and paste the entire link below into Notepad. Adjust so it occupies 1 line of text in Notepad without word wrap on, then copy/paste into your web browser.
 
https://corp.filesanywhere.com/ECOPY/v.asp?v=%8Crd%8E%8Ff%AA%ABs%9F


Scott

(in reply to spouseele)
Post #: 7
RE: Client Access Problems using SSL - 21.Jan.2007 9:32:57 AM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Scott,

I use Wireshark to analyse the trace files. When I look at the statistics of the conversations in the internal trace file then I get the following result:
quote:


Address A,Address B,Packets,Bytes,Packets A->B,Bytes A->B,Packets A<-B,Bytes A<-B
HewlettP_a4:1b:10,HewlettP_5a:1a:42,12,5566,0,0,12,5566
Foxconn_0b:4d:37,HewlettP_5a:1a:42,14,4310,0,0,14,4310
...
Ibm_b1:93:20,HewlettP_5a:1a:42,53,24291,0,0,53,24291
...
G-ProCom_2b:47:12,HewlettP_5a:1a:42,108,108114,0,0,108,108114
...
G-ProCom_2e:b7:ce,HewlettP_5a:1a:42,443,169200,0,0,443,169200
...
HewlettP_5a:1a:42,Cisco_ac:83:20,4185,742112,0,0,4185,742112
...


This clearly indicates an asymmetric data flow and is probably caused by a routing problem. Can this be fixed first?

In the meantime, I will investigate the trace files further.

HTH,
Stefaan

< Message edited by spouseele -- 21.Jan.2007 9:50:29 AM >

(in reply to stosti)
Post #: 8
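An added example, not part of the original thread: a small Python script that reads a Wireshark "Conversations" CSV export like the one quoted above, flags conversations where every packet flows in one direction, and finds the address that sends to many peers but receives only from a different one (the signature of a host whose outbound and return paths differ). The sample rows are the ones quoted in the post; the elided rows are omitted.

```python
import csv
from io import StringIO
from collections import defaultdict

# Rows taken from the Wireshark conversation statistics quoted in the post above
# (the "..." rows of the original are left out).
SAMPLE_CSV = """Address A,Address B,Packets,Bytes,Packets A->B,Bytes A->B,Packets A<-B,Bytes A<-B
HewlettP_a4:1b:10,HewlettP_5a:1a:42,12,5566,0,0,12,5566
Foxconn_0b:4d:37,HewlettP_5a:1a:42,14,4310,0,0,14,4310
Ibm_b1:93:20,HewlettP_5a:1a:42,53,24291,0,0,53,24291
G-ProCom_2b:47:12,HewlettP_5a:1a:42,108,108114,0,0,108,108114
G-ProCom_2e:b7:ce,HewlettP_5a:1a:42,443,169200,0,0,443,169200
HewlettP_5a:1a:42,Cisco_ac:83:20,4185,742112,0,0,4185,742112
"""

def parse_conversations(text):
    """Return a list of (addr_a, addr_b, packets_a_to_b, packets_b_to_a)."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append((r["Address A"], r["Address B"],
                     int(r["Packets A->B"]), int(r["Packets A<-B"])))
    return rows

def one_way_conversations(rows):
    """Conversations in which all packets travel in a single direction."""
    return [(a, b, ab, ba) for a, b, ab, ba in rows if (ab == 0) != (ba == 0)]

def direction_summary(rows):
    """Per address: (peers it sent packets to, peers it received packets from)."""
    sent, received = defaultdict(set), defaultdict(set)
    for a, b, ab, ba in rows:
        if ab:
            sent[a].add(b)
            received[b].add(a)
        if ba:
            sent[b].add(a)
            received[a].add(b)
    addrs = set(sent) | set(received)
    return {x: (sorted(sent[x]), sorted(received[x])) for x in addrs}

def find_asymmetric_hub(rows):
    """Addresses that send to two or more peers yet receive only from peers they
    never send to: the outbound and return paths are not the same."""
    hubs = []
    for addr, (to, frm) in direction_summary(rows).items():
        if len(to) >= 2 and frm and not set(to) & set(frm):
            hubs.append((addr, to, frm))
    return hubs
```

On the quoted data the ISA internal interface (HewlettP_5a:1a:42) is the only hub: it sends to every client but receives only from the Cisco router, which is exactly the asymmetric flow Stefaan describes.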
RE: Client Access Problems using SSL - 21.Jan.2007 9:39:32 AM   
stosti

 

Posts: 136
Joined: 27.Oct.2003
Status: offline
I will send this to the RightNow engineer working on the case.  Remember the system works correctly when our users are not behind an ISA firewall.

This ISA server was up and running for a year with no issue.  The RightNow application worked correctly from behind it using Secure NAT.  Then on December 1st RightNow made router and firewall changes on their side.  When they completed their upgrade we could no longer access RightNow from behind an ISA server.

Do you see the reset happening every 30 seconds?  Any idea what is causing this?

Thanks,
Scott

(in reply to spouseele)
Post #: 9
RE: Client Access Problems using SSL - 21.Jan.2007 1:55:45 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Scott,

quote:

Remember the system works correctly when our users are not behind an ISA firewall.

This proves nothing!

quote:

This ISA server was up and running for a year with no issue.  The RightNow application worked correctly from behind it using Secure NAT.  Then on December 1st RightNow made router and firewall changes on their side.  When they completed their upgrade we could no longer access RightNow from behind an ISA server.

Aha... so they screwed up a perfect working configuration!  
Do you know what they changed *exactly*?

I have merged the two captures so I could more easily follow some conversations. I don't see ISA doing something wrong. However, what I do see is that the application does not always properly close the connection. This results in a bunch of half-open connections that ISA regularly tries to clean up with a TCP Reset packet. I found 108 occurrences on a total of 60441 frames (elapsed time = 00:40:15).

Also, a number of TCP Reset packets are generated by the client with the IP address '10.10.8.14'. I see the following sequence
quote:


No.  Time                         Source        Destination    Protocol Info
7827  2007-01-10 19:02:07.491839  10.10.8.14    63.240.89.11   TCP      2104 > https [SYN] Seq=0 Len=0 MSS=1460
7836  2007-01-10 19:02:07.508608  63.240.89.11  10.10.8.14     TCP      https > 2104 [SYN, ACK] Seq=0 Ack=1 Win=4140 Len=0 MSS=1380
7837  2007-01-10 19:02:07.508862  10.10.8.14    63.240.89.11   TCP      2104 > https [RST] Seq=1 Len=0


I found 27 occurrences on a total of 60441 frames (elapsed time = 00:40:15).

Finally, I also see quite a number of TCP data packet losses, mainly in the direction from application server to ISA server. I found 119 occurrences on a total of 60441 frames (elapsed time = 00:40:15).

Do you see some alerts in the ISA MMC? Is there something useful in the event viewer?

HTH,
Stefaan

< Message edited by spouseele -- 21.Jan.2007 1:59:03 PM >

(in reply to stosti)
Post #: 10
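An added example, not part of the original thread: a Python script that parses packet-list lines in the format quoted above and detects the exact pattern Stefaan describes, a client that answers the server's SYN/ACK with a RST instead of completing the handshake, and also counts resets per source address. The three frames are the ones quoted in the post; the second, normal handshake is constructed for contrast.

```python
import re
from collections import defaultdict

# Frames 7827-7837 are quoted in the post above; 7900-7902 are a constructed,
# normally completed handshake from another host for contrast.
SAMPLE_FRAMES = """\
7827  2007-01-10 19:02:07.491839  10.10.8.14    63.240.89.11   TCP      2104 > https [SYN] Seq=0 Len=0 MSS=1460
7836  2007-01-10 19:02:07.508608  63.240.89.11  10.10.8.14     TCP      https > 2104 [SYN, ACK] Seq=0 Ack=1 Win=4140 Len=0 MSS=1380
7837  2007-01-10 19:02:07.508862  10.10.8.14    63.240.89.11   TCP      2104 > https [RST] Seq=1 Len=0
7900  2007-01-10 19:02:09.000000  10.10.8.20    63.240.89.11   TCP      3001 > https [SYN] Seq=0 Len=0 MSS=1460
7901  2007-01-10 19:02:09.017000  63.240.89.11  10.10.8.20     TCP      https > 3001 [SYN, ACK] Seq=0 Ack=1 Win=4140 Len=0 MSS=1380
7902  2007-01-10 19:02:09.017200  10.10.8.20    63.240.89.11   TCP      3001 > https [ACK] Seq=1 Ack=1 Win=65535 Len=0
"""

LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>\S+ \S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[A-Z, ]+)\]")

def parse_frames(text):
    """Turn packet-list lines into dicts; the flag list becomes a set."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["no"] = int(d["no"])
            d["flags"] = {f.strip() for f in d["flags"].split(",")}
            frames.append(d)
    return frames

def aborted_handshakes(frames):
    """(client, server, client_port, [frame numbers]) for every handshake in which
    the client replies to SYN/ACK with RST instead of the final ACK."""
    state = {}   # (client, server, client_port) -> (stage, frame numbers so far)
    found = []
    for f in frames:
        fwd = (f["src"], f["dst"], f["sport"])     # client -> server direction
        rev = (f["dst"], f["src"], f["dport"])     # server -> client direction
        if f["flags"] == {"SYN"}:
            state[fwd] = ("syn", [f["no"]])
        elif f["flags"] == {"SYN", "ACK"} and state.get(rev, ("",))[0] == "syn":
            state[rev] = ("synack", state[rev][1] + [f["no"]])
        elif state.get(fwd, ("",))[0] == "synack":
            _, nos = state.pop(fwd)
            if "RST" in f["flags"]:
                found.append((fwd[0], fwd[1], fwd[2], nos + [f["no"]]))
    return found

def resets_by_source(frames):
    """How many RST segments each address sent; useful to spot one noisy host."""
    counts = defaultdict(int)
    for f in frames:
        if "RST" in f["flags"]:
            counts[f["src"]] += 1
    return dict(counts)
```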
RE: Client Access Problems using SSL - 21.Jan.2007 2:05:27 PM   
stosti

 

Posts: 136
Joined: 27.Oct.2003
Status: offline
Hi,

They upgraded the firmware and software on their routers, firewalls and F5.  Exactly what they did is classified! 

I will hunt down 10.10.8.14 on Monday morning.  Any idea what could be causing this?

They will NEVER believe that the problem is on their side.  I will pass along your findings.  Their customer support is horrible!  The customer must prove they are at fault to receive technical help.

Is there any more information I can supply you with?

Thanks,
Scott

(in reply to spouseele)
Post #: 11
RE: Client Access Problems using SSL - 21.Jan.2007 6:06:32 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Scott,

the following information can be useful:
- ISA live logging excerpt
- ISA Alerts
- ISA Event Viewer

quote:

I will hunt down 10.10.8.14 on Monday morning.  Any idea what could be causing this?

Nope, I don't but it must be something on that host itself.

quote:

They will NEVER believe that the problem is on their side.

If the problem started after they made router and firewall changes on your side then they *have* to believe you.

HTH,
Stefaan

(in reply to stosti)
Post #: 12
RE: Client Access Problems using SSL - 21.Jan.2007 6:17:56 PM   
stosti

 

Posts: 136
Joined: 27.Oct.2003
Status: offline
Stefaan,

You have no idea what I am dealing with here.  Rightnow Technologies has the worst technical support/customer support I have ever seen!

I will clear all the logs and run a test tomorrow.  I will send you what you have requested.

Microsoft told me there are known issues with SSL and ISA 2004.  They are working on this as well.  So far they are stumped...  Should I run traces with a different program or are the WireShark traces ok?

Thanks,
Scott

(in reply to spouseele)
Post #: 13
RE: Client Access Problems using SSL - 22.Jan.2007 3:44:50 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Scott,

the Wireshark traces are fine!

I never experienced problems with SSL and ISA 2000, 2004 and 2006 so far. Also, I can't remember reading anything about a possible issue, though that doesn't mean there couldn't be one.

Q1: Is none of the Rightnow sessions succeeding?
According to the traces, quite a number of the SSL sessions seem to work well. That means we see at least encrypted data in both directions after the SSL negotiation. 

Q2:  What happens if you test from a host connected to the same segment as the ISA internal interface? 
Make sure its default gateway is the ISA's internal interface so that no other device is involved in the path. A Wireshark trace of this session could be useful too.

Q3: What happens if you disable IP Routing in the ISA MMC (Configuration > General > Configure IP Protection > IP Routing)?

HTH,
Stefaan

(in reply to stosti)
Post #: 14
RE: Client Access Problems using SSL - 22.Jan.2007 5:49:43 PM   
stosti

 

Posts: 136
Joined: 27.Oct.2003
Status: offline
1)  All sessions fail through ISA

2)  All hosts are on the same segment

3)  I disabled routing...  It now seems to be working.  I will test all day tomorrow.  I will take another trace as well...

Microsoft wants me to apply  http://support.microsoft.com/?id=922792

Thanks,
Scott

(in reply to spouseele)
Post #: 15
RE: Client Access Problems using SSL - 23.Jan.2007 3:06:25 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Scott,

1) Hmm... strange...

2) But their default gateway does not point to the ISA internal interface, right? Otherwise I can't explain the asymmetric data flow I've seen...

3) That's at least some good news.

If you have to patch the ISA, why not to the latest hotfix package http://support.microsoft.com/kb/925232?

HTH,
Stefaan

(in reply to stosti)
Post #: 16
RE: Client Access Problems using SSL - 23.Jan.2007 3:15:35 PM   
stosti

 

Posts: 136
Joined: 27.Oct.2003
Status: offline
The default gateway points to a router that sends all traffic to the ISA default gateway.  This works great...

What do I lose with routing disabled?

I will use the latest patch...  Thank You!

(in reply to spouseele)
Post #: 17
RE: Client Access Problems using SSL - 23.Jan.2007 3:33:53 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Scott,

quote:

The default gateway points to a router that sends all traffic to the ISA default gateway.  This works great...

Well, in fact that can create havoc with ISA for the hosts on the same segment as the ISA internal interface. Therefore, I always use the network design as outlined in my article How to Implement VPN Off-Subnet IP Addresses. Apart from very clean routing it adds some benefits for VPN access too.

quote:

What do I lose with routing disabled?

A little bit of performance. For more info, check out http://www.microsoft.com/technet/isa/2004/help/FW_H_IPRoute.mspx?mfr=true.

HTH,
Stefaan

(in reply to stosti)
Post #: 18
RE: Client Access Problems using SSL - 23.Jan.2007 3:45:12 PM   
stosti

 

Posts: 136
Joined: 27.Oct.2003
Status: offline
I will read the articles.  Thank You!

Do you recommend the hotfix or should I leave things as they are?

Scott

(in reply to spouseele)
Post #: 19
RE: Client Access Problems using SSL - 23.Jan.2007 3:50:16 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Scott,

I would do it in any case unless Microsoft explicitly says not to do so.

HTH,
Stefaan

(in reply to stosti)
Post #: 20