Welcome to ISAserver.org

SSL-tunnel Failed connection attempt

All Forums >> [ISA Server 2004 Firewall] >> General >> SSL-tunnel Failed connection attempt
SSL-tunnel Failed connection attempt - 30.Jun.2005 2:25:00 PM   
tjcarst

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
I've read all of the other posts on this error and cannot find a similar situation.

I have internal users trying to connect to an external Metaframe Nfuse and Citrix XP server to access published applications. The initial connection to the Nfuse seems to be allowed, but when trying to launch one of the published applications, it fails.

On the Windows 2000 Web Proxy, Firewall and SecureNAT client, I receive this error:
"Cannot connect to the Citrix Metaframe Server. The thirdparty SSL provider could not proceed (SSL error 5)"

If I do not make the Windows 2000 client a SecureNAT client (only firewall and proxy), I receive this error:
"Cannot connect to the MetaFrame Server. There is no route to the specified subnet address"

** Rule info
Name: Anonymous SSL
Allow: HTTP HTTPS 2598 1494
From: Internal
To: xxx.xxx.xxx.xxx and Local Host
Users: All Users

** ISA 2004 Monitoring log

source port: 0
dest ip: xxx.xxx.xxx.xxx
dest port: 443
protocol: ssl-tunnel
action: Failed Connection Attempt
rule: (none)
URL: www.someurl.com:443 (must have smartcard to access, actual url not provided here)
client ip: 172.16.5.15
source network: internal
username: anonymous
dest network: (none)
http status code: 13 or 995 with firewall client
authenticated: No
original client ip: 0.0.0.0
transport: TCP

source port: 443
dest ip: xxx.xxx.xxx.xxx
source protocol: 443
protocol: HTTPS
action: Closed Connection
rule: Anonymous SSL
client ip: 172.16.5.15
source network: Internal
username: (none)
dest network: External
original client ip: 172.16.5.15
log type: firewall
transport: TCP

source port: 4426
dest port: 443
dest ip: 198.203.245.12
protocol: HTTPS
action: Initiated Connection
rule: Anonymous SSL
URL: www.someurl.com:443
client ip: 172.16.5.15
username: (none)
source network: Internal
dest network: External
original client ip: 172.16.5.15
log type: firewall
transport: TCP

source port: 0
dest ip: xxx.xxx.xxx.xxx
dest port: 443
protocol: ssl-tunnel
action: Failed Connection Attempt
client ip: 172.16.5.15
username: anonymous
http status code: 13
authenticated: No
original client ip: 0.0.0.0
log type: Proxy
transport: TCP

tjcarst

[ July 22, 2005, 11:56 AM: Message edited by: tjcarst ]
Post #: 1
RE: SSL-tunnel Failed connection attempt - 30.Jun.2005 5:33:00 PM   
tjcarst

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
Notice on the "failed connection attempt" the source port is 0 and the original client ip is 0.0.0.0.

Is this possibly the cause of the problem?

I'm concerned about the client side error "the third party ssl provider could not proceed". It is as if the client is waiting for ISA to negotiate part of the connection and it never happens.

(in reply to tjcarst)
Post #: 2
RE: SSL-tunnel Failed connection attempt - 1.Jul.2005 3:42:00 PM   
tjcarst

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
I now have the same thing with another protocol.

Initiated from client to ISA port 8080 (no rule)

Allowed from client to dest ip port 80 dest URL (rule)

Failed from client to ISA port 8080 dest URL (rule)

Closed from client to ISA port 8080 (no rule)

This happens over and over in the above pattern. Port 8080 to ISA is the failure in this one.

What do I have set wrong on my ISA server?

[ July 01, 2005, 03:46 PM: Message edited by: tjcarst ]

(in reply to tjcarst)
Post #: 3
RE: SSL-tunnel Failed connection attempt - 5.Jul.2005 2:22:00 PM   
tjcarst

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
No one else is having this issue? Or has someone found a resolution?

tjcarst

(in reply to tjcarst)
Post #: 4
RE: SSL-tunnel Failed connection attempt - 15.Jul.2005 11:12:00 AM   
tjcarst

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
I am resuming work on this project again and still have no idea why I can't get through ISA.

If I bypass ISA and go through my external watchguard firewall, it works.

tjcarst

(in reply to tjcarst)
Post #: 5
RE: SSL-tunnel Failed connection attempt - 21.Jul.2005 11:50:00 AM   
tjcarst

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
Still looking for suggestions on this one.

Bypass ISA, connection is fine.

I've tried making the client a SecureNAT client, enabling/disabling the firewall client, setting the firewall application to DisableEx 0 and 1 for WFICA32.

The only thing that works is to bypass ISA. I work at a health care facility. This application lets doctors view xrays from community hospitals through a Metaframe XP server at the remote hospitals. There is a lot of pressure to provide this viewing to our doctors. I'm afraid I'll be forced to bypass ISA and I certainly don't want to do this.

tjcarst

(in reply to tjcarst)
Post #: 6
RE: SSL-tunnel Failed connection attempt - 21.Jul.2005 4:13:00 PM   
spouseele

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi tjcarst,

are you sure that HTTP/HTTPS are the only protocols needed? Depending on the Citrix configuration and version, it might be necessary to allow the ICA (TCP port 1494) and/or CGP (TCP port 2598) protocol too. Also, if everything is encapsulated in HTTPS, is it still Web Proxy aware? Maybe you should configure those destinations for direct access.

If you can connect to the NFuse web site, instead of double clicking a published application, right click the link and save it to your desktop. You can open the *.ica file with notepad to verify the communications parameters.

HTH,
Stefaan

(in reply to tjcarst)
Post #: 7
RE: SSL-tunnel Failed connection attempt - 21.Jul.2005 5:39:00 PM   
tjcarst

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
2598 and 1494 are also enabled.

There are no denies in the ISA log for anything. Just failed connection attempt. It shows different protocols for port 443, sometimes HTTPS, SSL-tunnel or just plain old 443.

I'd be happy to send a detailed log if it would be of use in troubleshooting.

I can get to the site, but when I right click and save the application to my desktop, it is just a link, not the ica file.

I have created a cache rule that denies http and ftp caching. Is this what you mean by direct access or is there something I'm missing?

tjcarst

[ July 21, 2005, 05:42 PM: Message edited by: tjcarst ]

(in reply to tjcarst)
Post #: 8
RE: SSL-tunnel Failed connection attempt - 21.Jul.2005 5:50:00 PM   
tjcarst

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
Direct access? I am guessing that you mean create a web chaining rule that retrieves the request directly from the internet. If so, I've done that with the same error.

(in reply to tjcarst)
Post #: 9
RE: SSL-tunnel Failed connection attempt - 21.Jul.2005 6:16:00 PM   
tjcarst

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
I created a web chaining rule with direct retrieval from the internet for the site with no caching.

I went to web chaining, bridging, and set redirect SSL requests as SSL. I tried it with and without require secure channel and with and without 128 bit encryption. Same error.

The Citrix connection starts regardless of ISA. Initializing, Connection in progress... and here is the difference:

When I bypass ISA, the application starts up and shows, Checking for personal settings, Applying personal settings, Running login scripts, Checking for newer client versions, AND then the application logon screen appears.

When I go through ISA, the application never starts up, it stops at the Citrix Connection in progress.

There are no denies in ISA, only the failed connection attempt.

[ July 22, 2005, 11:12 AM: Message edited by: tjcarst ]

(in reply to tjcarst)
Post #: 10
RE: SSL-tunnel Failed connection attempt - 22.Jul.2005 11:49:00 AM   
tjcarst

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
I'm also curious as to why destination port 443 sometimes is shown as protocol SSL-tunnel and sometimes protocol HTTPS. It always fails on destination port 443 when the protocol is blank, neither SSL-tunnel nor HTTPS. Sometimes the failure indicates SSL-tunnel, never HTTPS.

HTTP Status code 995 is logged when the actual URL is listed with source network internal, destination ip the actual internet ip of the server, and destination protocol SSL-tunnel.

HTTP Status code of 13 is logged when no URL is listed with source network blank, destination ip the actual internet ip of the server, and destination protocol is blank.

[ July 22, 2005, 12:36 PM: Message edited by: tjcarst ]

(in reply to tjcarst)
Post #: 11
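The log excerpts in the first post and the status-code observation in this post can be read side by side with a small triage script. This is an added example, not code from the thread or from ISA Server; it assumes the Web Proxy log writes a Win32 error code into the HTTP status code field when no HTTP response was produced (13 and 995 are the Win32 ERROR_INVALID_DATA and ERROR_OPERATION_ABORTED values), and its input records are constructed from the ones pasted in the first post.

```python
from collections import defaultdict

# Assumption: with no HTTP response, ISA's 'http status code' holds a Win32 error code.
WIN32_CODES = {13: "ERROR_INVALID_DATA", 995: "ERROR_OPERATION_ABORTED"}

# Constructed from the records pasted in the first post (fields trimmed, typos fixed).
SAMPLE_LOG = """\
source port: 0
dest port: 443
protocol: ssl-tunnel
action: Failed Connection Attempt
rule: (none)
client ip: 172.16.5.15
http status code: 995
original client ip: 0.0.0.0
log type: Proxy

source port: 4426
dest port: 443
protocol: HTTPS
action: Initiated Connection
rule: Anonymous SSL
client ip: 172.16.5.15
original client ip: 172.16.5.15
log type: firewall
"""


def parse_records(text):
    """Split blank-line separated 'key: value' blocks into dicts with lower-cased keys."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip().lower()] = value.strip()
        records.append(rec)
    return records


def triage(records):
    """Per (client ip, dest port): Web Proxy failures vs. firewall entries that matched a rule."""
    out = defaultdict(lambda: {"proxy_failures": [], "firewall_matched": []})
    for r in records:
        key = (r.get("client ip"), r.get("dest port"))
        if r.get("log type", "").lower() == "proxy" and r.get("action") == "Failed Connection Attempt":
            code = int(r.get("http status code", "0"))  # no HTTP reply: treat as Win32 code
            out[key]["proxy_failures"].append((r.get("protocol"), code, WIN32_CODES.get(code, "unknown")))
        elif r.get("log type", "").lower() == "firewall" and r.get("rule") not in (None, "(none)"):
            out[key]["firewall_matched"].append((r.get("protocol"), r.get("action"), r.get("rule")))
    return dict(out)
```

For the constructed input, the same client and destination port fails on the Web Proxy path with no rule matched while the Firewall-service entry matched the Anonymous SSL rule, which is the pattern that points at Web Proxy handling of the destination rather than at the access rule itself.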
RE: SSL-tunnel Failed connection attempt - 22.Jul.2005 3:43:00 PM   
spouseele

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi tjcarst,

for direct access, check out:
- http://www.isaserver.org/articles/2004directaccessp1.html
- http://www.isaserver.org/articles/2004directaccessp2.html

quote:
I can get to the site, but when I right click and save the application to my desktop, it is just a link, not the ica file.
Where does that link point to? Maybe it is a good thing to take a NetMon trace to find out how it really works on the wire.

HTH,
Stefaan

(in reply to tjcarst)
Post #: 12
RE: SSL-tunnel Failed connection attempt - 25.Jul.2005 3:20:00 PM   
tjcarst

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
Thanks for the links. I knew that and actually use it for OMA and OWA. I don't know what I'm thinking.

I did a netmon capture using the hardware firewall as my gateway and disabling the firewall client and web proxy. I do not see that the link goes anywhere except to the one ip address, but I'm not skilled in reading netmon results. I did a capture with the ISA server as the gateway, the firewall client enabled, and web proxy. I cannot see the ip address even listed in the capture.

I set the internet ip address as a direct access address, and still receive the same error. With and without the firewall client enabled.

tjcarst

(in reply to tjcarst)
Post #: 13
RE: SSL-tunnel Failed connection attempt - 25.Jul.2005 3:25:00 PM   
tjcarst

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
I do not give out a default gateway to my clients. I am only using one now for testing. If I bypass ISA for the ip address of the server, I cannot access this site with just the firewall client.

(in reply to tjcarst)
Post #: 14
RE: SSL-tunnel Failed connection attempt - 25.Jul.2005 4:04:00 PM   
spouseele

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi tjcarst,

it sounds like the ISA server is not the only exit point of your network. If so, can you make a little diagram to clarify your general network design?

If you like, you can place the Netmon captures on your website and post here the URLs. We can then take a look at them.

HTH,
Stefaan

(in reply to tjcarst)
Post #: 15
RE: SSL-tunnel Failed connection attempt - 25.Jul.2005 4:21:00 PM   
tjcarst

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
I do have access out directly through the hardware firewall, but this will be changing so the only exit is the ISA server.

ISA's external nic 10.1.0.3 is connected to the optional port 10.1.0.3 of the hardware firewall. The hardware firewall has a connection on the trusted network of 172.16.0.1. ISA has a connection on trusted network 172.16.0.3.

optional 10.x.x.x
ISA -> Watchguard
172.16.0.3 | 172.16.0.1
|
Trusted network
172.16.x.x

I will change this so the trusted port of the watchguard is 10.0.0.1 and the only way out is through ISA which will go through the watchguard.

(in reply to tjcarst)
Post #: 16
RE: SSL-tunnel Failed connection attempt - 25.Jul.2005 4:34:00 PM   
tjcarst

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
I have the captures on my website. I don't want to expose that much of my network on the internet. I don't think your profile has enabled private messages.

(in reply to tjcarst)
Post #: 17
RE: SSL-tunnel Failed connection attempt - 25.Jul.2005 4:42:00 PM   
tjcarst

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
Do you have access to the info@isaserv.org mailbox? I can send them there.

(in reply to tjcarst)
Post #: 18
RE: SSL-tunnel Failed connection attempt - 25.Jul.2005 4:42:00 PM   
spouseele

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi tjcarst,

send the links to stefaan dot pouseele at skynet dot be .

HTH,
Stefaan

(in reply to tjcarst)
Post #: 19
RE: SSL-tunnel Failed connection attempt - 25.Jul.2005 5:09:00 PM   
tjcarst

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
Done. Thank you.

(in reply to tjcarst)
Post #: 20
