Welcome to ISAserver.org

Firewall denying port 443 traffic

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Misc.] >> ISA Server 2004 Events >> Firewall denying port 443 traffic

Page: [1]

Message

<< Older Topic Newer Topic >>

Firewall denying port 443 traffic - 18.Jun.2008 3:11:30 PM

lcsgeek

Posts: 35
Joined: 2.Aug.2005
From: MI, USA
Status: offline

I've written an access rule with the following:

Allow
All Outbound Traffic
From: my own custom list of private IPs
To: External and Perimeter
Condition: All Users

This rule is the first one on my Polcy listing.

I have a user who's IP address is in the 'From' field and she is running a POS application which tries to authorize credit cards via g1.merchantlink.com:443. However while doing a monitor I keep getting this denial (see: http://www.lenawee.org/isaError.jpg ). Any one of my users (even those outside the Unrestricted Rule mentioned above) can visit https websites. It seems to me that this application shouldn't be treated any different than a regualr SSL connection.

One other note: I am requiring user authentication on the Private Network interface. Furhtermore I have the firewall client installed on the POS computer. My understanding is that the firewall client should take care of all authentication issues between the workstations on the LAN and their corsponding ISA Network interface.

I'm open to all suggestions.

Thanks
Darin

< Message edited by lcsgeek -- 18.Jun.2008 3:23:57 PM >

Post #: 1

Featured Links*

RE: Firewall denying port 443 traffic - 23.Jun.2008 8:18:00 AM

tshinder

Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline

What is the source and destination address that is being denied?

Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to lcsgeek)

Post #: 2

RE: Firewall denying port 443 traffic - 23.Jun.2008 8:49:09 AM

lcsgeek

Posts: 35
Joined: 2.Aug.2005
From: MI, USA
Status: offline

The source IP is 10.0.0.221 and the destination IP is whatever g1.merchantlink.com resolves to. Like I stated before this particular private IP is hardcoded into the From field of the policy.

(in reply to tshinder)

Post #: 3

RE: Firewall denying port 443 traffic - 23.Jun.2008 9:57:49 AM

tshinder

Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline

Is 10.0.0.1 the ISA firewall?

Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to lcsgeek)

Post #: 4

RE: Firewall denying port 443 traffic - 23.Jun.2008 11:49:52 AM

lcsgeek

Posts: 35
Joined: 2.Aug.2005
From: MI, USA
Status: offline

Sorry I dind't give you that piece of info before but yes it is.

Something I've just tried:
I unchecked "Require all users to authenticate" and now the app works.

I had this checkbox checked to mandate an AD account in order to browse. Plus I want to log where our students are visiting.

< Message edited by lcsgeek -- 23.Jun.2008 11:53:18 AM >

(in reply to tshinder)

Post #: 5

RE: Firewall denying port 443 traffic - 24.Jun.2008 9:31:08 AM

tshinder

Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline

OK, that makes sense. If the app can't be configured with Web Proxy settings, then auth may fail.

You can configure a rule that allows users to reach that site anonymously.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to lcsgeek)

Post #: 6

RE: Firewall denying port 443 traffic - 24.Jun.2008 2:31:19 PM

lcsgeek

Posts: 35
Joined: 2.Aug.2005
From: MI, USA
Status: offline

quote:

You can configure a rule that allows users to reach that site anonymously.

Please describe.

(in reply to tshinder)

Post #: 7

RE: Firewall denying port 443 traffic - 25.Jun.2008 11:18:18 AM

tshinder

Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline

Create a rule that allows access to the site that the app needs to get to. Allow access on the rule for "All Users".

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to lcsgeek)

Post #: 8

RE: Firewall denying port 443 traffic - 26.Jun.2008 1:18:47 PM

lcsgeek

Posts: 35
Joined: 2.Aug.2005
From: MI, USA
Status: offline

Very well, I think I was over complicating things.

Thank you Tom, I really appreciate the time and effort you put into helping all of us. I have no idea what motivates you.

(in reply to tshinder)

Post #: 9

RE: Firewall denying port 443 traffic - 27.Jun.2008 8:57:22 AM

tshinder

Posts: 47010
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi LCS,

I do this for fun! I also learn a lot from the issues that others have with the ISA firewall, so you and others are doing me a great service!

Good to hear you got things working and thanks for the follow up!

Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to lcsgeek)

Post #: 10