Welcome to ISAserver.org

Firewall client and HTTPS connections

Firewall client and HTTPS connections - 13.Aug.2003 9:37:00 PM   
joe donner

 

Posts: 91
Joined: 6.Dec.2001
From: London
Status: offline
Hi there.

Today, I suddenly came across the problem that my client machine cannot connect to an HTTPS web site. Or, more to the point, I can connect to the initial HTTPS page, provide my logon credentials on that first page, provide some more on a second page, but then the third HTTPS page fails to load with "Cannot find server or DNS error".

Now I called up the company, and they assured me that they had no server problems. So I investigated the matter, and the results are:
1. I can connect to the site when logged in as domain administrator on a client machine with the firewall client enabled.
2. I cannot connect to the site when logged in as a domain user on a client machine with the firewall client enabled. However, I can connect to the site as a domain user when I disable the firewall client.

When I say connect, remember that I get the first two HTTPS pages no problem, but come the third one, I get the IE error page.

This is a "brand new" problem. Just last night I logged into the mentioned site with absolutely no problems, as I have for the past 2 years. I have not made any significant changes to my ISA server or to client machines, except for upgrading clients from Norton Antivirus 2000 to 2003.

Any ideas would be much appreciated.

Joe
Post #: 1
RE: Firewall client and HTTPS connections - 13.Aug.2003 11:15:00 PM   
joe donner

 

Posts: 91
Joined: 6.Dec.2001
From: London
Status: offline
And now I cannot send e-mails from a client using Outlook Express unless I disable the firewall client.

Please help!

(in reply to joe donner)
Post #: 2
RE: Firewall client and HTTPS connections - 14.Aug.2003 2:50:00 AM   
joe donner

 

Posts: 91
Joined: 6.Dec.2001
From: London
Status: offline
Well, I've come to the conclusion that it must be that specific web site/server. I've tried the same with other sites that require me to provide credentials on multiple HTTPS pages, and it works without fail. Only the one site does not.

I have not configured ISA to disallow access to any particular site, so this is really strange. It would be interesting to know if someone has any ideas on what the problem could be.

Joe

(in reply to joe donner)
Post #: 3
RE: Firewall client and HTTPS connections - 16.Aug.2003 2:24:00 AM   
joe donner

 

Posts: 91
Joined: 6.Dec.2001
From: London
Status: offline
Back to square one, and this is getting very, very weird (not only because I'm chatting to myself it seems [Wink]) and I can't figure it out.

Why would a domain administrator be able to access all web sites with the firewall client enabled or disabled, while normal domain users see "unformatted" web sites (only some sites) with the firewall client, or cannot log into some SSL-secured web sites, but with the firewall client disabled they can?

How is that possible? It must be a security/permissions related issue.

THIS IS DRIVING ME RAVING MAD!

Please help me!

(in reply to joe donner)
Post #: 4
RE: Firewall client and HTTPS connections - 16.Aug.2003 12:05:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Joe,

what ISA client type are you using? Normally HTTP/HTTPS is handled by the Web Proxy client and the Web Proxy service on ISA server. However, you are talking about the Firewall client. Also, how is the HTTP Redirector configured?

If something isn't working as expected, you should consult the ISA logfiles. They are your primary resource for debugging. To get the most information out of the logfiles, I strongly recommend enabling the logging of all fields. In the MMC, go to the node Monitoring Configuration, then select Logs. In the details pane, right-click the applicable service and then click Properties. On the Fields tab, click Select All.

A lot of people seem to have problems with interpreting the logfiles. It isn't that difficult, but you should first understand what is logged. In the ISA helpfile there is a section called Firewall and Web Proxy log fields, a must read. Additional information can be found in the following articles:
- http://support.microsoft.com/default.aspx?scid=kb;en-us;284818
- http://support.microsoft.com/default.aspx?scid=kb;en-us;193625
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winsock/winsock/windows_sockets_error_codes_2.asp

HTH,
Stefaan

[ August 16, 2003, 01:10 PM: Message edited by: spouseele ]

(in reply to joe donner)
Post #: 5
RE: Firewall client and HTTPS connections - 16.Aug.2003 4:20:00 PM   
joe donner

 

Posts: 91
Joined: 6.Dec.2001
From: London
Status: offline
Hi spouseele, and thanks for the reply!

My clients are configured as both SecureNAT (they get the ISA server's internal IP as default gateway through DHCP), and I also have the firewall client installed (just for testing purposes).

The HTTP Redirector is configured to "Redirect to local Web Proxy service".

I did look at the logs, but as you rightly said, I have some problems making sense of them. I'll look at the links you gave, thank you very much.

Maybe it will help if I'm more specific:

1. On one client, with the firewall enabled and logged in as a normal domain user, I cannot complete "authentication" on some web sites that are SSL secured. But on others I can. When I disable the firewall client, I'm successful. On some other web sites, e.g. www.clanbase.com, I get an "unformatted" web page, i.e. it seems as if things like style sheets are not applied/downloaded. I also get an error saying that a script on the web page has caused an error, and the error box tells me that an "object [was] expected". This web site uses PHP, but it's no more than your average scripting error. The point is that the scripting error occurs in the first place.
2. When I log onto the same client as domain administrator, with the firewall client enabled or disabled, I don't have the above-mentioned problems. I get the properly formatted web page, there are no scripting errors, everything seems absolutely fine.
3. On my second client, I do not have any of these problems. I get access as any user, with or without the firewall client.

So the problem seems to be specific to just the one client machine, right? So last night I reinstalled the whole client computer (it was due a spring clean anyway), but the problem remained. I restored my server to an image I made about 3 weeks ago when everything was still fine, and it still doesn't work.

I'm beginning to think that this one cannot be solved easily, and maybe I should just live with it. And while these types of requests get handled through the Web proxy service, why on earth would the firewall client configuration make any difference?

This is really strange, since I haven't made any configuration changes except for installing Norton Antivirus 2003 on the client. It literally seems to have just stopped working without any outside help. I update my server and clients frequently with the latest Microsoft patches, so I don't know if an update I applied somewhere might have caused this problem. Even so, it is still just the one machine. That is what doesn't make sense to me.

Joe

(in reply to joe donner)
Post #: 6
RE: Firewall client and HTTPS connections - 16.Aug.2003 11:31:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Joe,

why is the client not configured as a Web Proxy client too?

HTH,
Stefaan

(in reply to joe donner)
Post #: 7
RE: Firewall client and HTTPS connections - 17.Aug.2003 1:26:00 AM   
joe donner

 

Posts: 91
Joined: 6.Dec.2001
From: London
Status: offline
Hi Stefaan,

well it is now, and whoohoo! - it fixed up my "ssl-secured cannot log on problem". I should be happy, but actually I'm not [Frown] . Why would this suddenly happen? Everything used to work just fine beforehand without having to configure the client as a web proxy client as well. Any ideas? To be honest, I'm really not that well versed in ISA server. What are the advantages of the different clients (firewall, web proxy, and securenat)?

The unformatted web site problem still remains *sigh*. It bothers me so much because I don't understand what's going on, and because it used to work just fine.

Well, thanks for the help. It is much appreciated.

Joe

[ August 17, 2003, 01:36 AM: Message edited by: joe donner ]

(in reply to joe donner)
Post #: 8
RE: Firewall client and HTTPS connections - 17.Aug.2003 1:42:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Joe,

to learn more about the different ISA client types, check out:
- http://www.isaserver.org/tutorials/ISA_Clients__Part_1__General_ISA_Server_Configuration.html
- http://www.isaserver.org/tutorials/ISA_Clients__Part_2_SecureNAT_and_Web_Proxy_Client.html
- http://www.isaserver.org/tutorials/ISA_Clients__Part_3_The_Firewall_Client.html
- http://www.isaserver.org/articles/IPSec_Passthrough.html , section '4. Configuring ISA Clients'.

You should always configure the clients as Web Proxy clients for HTTP/HTTPS traffic. For other protocols configure them as Firewall and SecureNAT clients too. Keep in mind that if you use the HTTP Redirector all authentication information is lost. There are some other drawbacks too. Therefore, I recommend just disabling the HTTP Redirector or choosing the option "rejects all HTTP request from firewall and SecureNAT clients" if possible. For more info, check out:
- Configuring the HTTP Redirector
- Preventing SecureNAT and Firewall Clients from Bypassing the Web Proxy Service and How to Give Yourself a Headache with the HTTP Redirector Filter and Anonymous Access
- The Mystery of the HTTP Redirector and Site&Content Rules

BTW --- you should certainly make yourself familiar with the ISA logs. They are definitely your primary resource for debugging.

HTH,
Stefaan

(in reply to joe donner)
Post #: 9
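
An added example, not part of the original posts and not ISA Server's own tooling: a small Python reader for a W3C extended-format log that groups requests by client and user name and lists the failures, one way to spot requests that reached the proxy without a user name, as described above for the HTTP Redirector. The log lines are constructed, and the field names, the `anonymous` user value and the treatment of codes of 10000 and above as Winsock/WinInet errors are assumptions to check against your own log's `#Fields` line.

```python
from collections import defaultdict

# Constructed sample in W3C extended format (tab-separated); not real log data.
# Field names are assumed; the parser reads them from the #Fields line of the log.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: c-ip\tcs-username\tr-host\tcs-uri\tsc-status",
    "192.168.1.10\tanonymous\twww.example.com\thttp://www.example.com/\t200",
    "192.168.1.10\tanonymous\twww.example.com\thttp://www.example.com/style.css\t407",
    "192.168.1.10\tanonymous\tsecure.example.com\tsecure.example.com:443\t11001",
    "192.168.1.11\tDOMAIN\\alice\tsecure.example.com\tsecure.example.com:443\t200",
    "192.168.1.11\tDOMAIN\\alice\twww.example.com\thttp://www.example.com/style.css\t200",
])

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):      # skip truncated or malformed records
                yield dict(zip(fields, values))

def classify(status):
    """Bucket a result code: success, proxy authentication demanded, or failure."""
    code = int(status) if status.isdigit() else -1
    if 200 <= code < 400:
        return "ok"
    if code == 407:                             # HTTP: proxy authentication required
        return "auth-required"
    if code >= 10000:                           # assumed Winsock/WinInet range,
        return "network-error"                  # e.g. 11001 = WSAHOST_NOT_FOUND
    return "other-failure"

def summarize(text):
    """Per (client IP, user name): count of each outcome and the failing URIs."""
    summary = defaultdict(lambda: {"counts": defaultdict(int), "failed": []})
    for rec in parse_w3c(text):
        key = (rec["c-ip"], rec["cs-username"])
        outcome = classify(rec["sc-status"])
        summary[key]["counts"][outcome] += 1
        if outcome != "ok":
            summary[key]["failed"].append((rec["cs-uri"], rec["sc-status"]))
    return summary

def anonymous_failures(text, anon_name="anonymous"):
    """Client IPs that have failed requests logged under the anonymous user name."""
    return sorted(ip for (ip, user), s in summarize(text).items()
                  if user.lower() == anon_name and s["failed"])
```
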
RE: Firewall client and HTTPS connections - 17.Aug.2003 3:15:00 PM   
joe donner

 

Posts: 91
Joined: 6.Dec.2001
From: London
Status: offline
Hi Stefaan,

thank you very much for your help and advice.

I think it's safe to say that my lack of knowledge of ISA server is the main contributing factor to my problems. I haven't gone into the intricacies of ISA, but I'm planning on doing ISA as an elective for MCSE, so hopefully I'll get there in the end. Until then I just wanted everything to work reasonably well, which it does now since I configured the client as web proxy client as well.

Anyway, thank you very much for your advice. I appreciate it a lot!

Joe

(in reply to joe donner)
Post #: 10
RE: Firewall client and HTTPS connections - 18.Aug.2003 7:37:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Joe,

good to hear you got it working and thanks for the follow up! [Smile]

Stefaan

(in reply to joe donner)
Post #: 11
