Welcome to ISAserver.org
SSL - 7.Dec.2004 12:20:00 PM
RAB
Posts: 43
Joined: 17.Aug.2004
Status: offline
I have a problem in gaining access to the secure pages on one site. When entering username and password I receive the following error...
Network Access Message: The page cannot be displayed
Technical Information (for Support personnel)
Error Code: 502 Proxy Error. The connection was reset by a peer. For more information about this event, see ISA Server Help. (10054)
IP Address: 195.33.101.82
Date: 06/12/2004 12:39:05
Server: <ISA Server>
Source: proxy
I know this is some form of SSL error but already have rules set up to allow access to HTTPS and HTTPS Server via 443 (I have checked this port is correct with the host).
When trying to access the site, ISA logging reports that the request on port 80 (HTTP) is allowed but on port 443 (SSL-Tunnel) reports a failed connection attempt.
Can anyone help?????

RE: SSL - 7.Dec.2004 3:19:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi RAB,
What site is this? We can test the problem with this information.
HTH, Tom

RE: SSL - 7.Dec.2004 4:26:00 PM
RAB
Posts: 43
Joined: 17.Aug.2004
Status: offline
Now resolved. There was a problem when trying to open the tunnel from the host server.

RE: SSL - 22.Dec.2004 1:35:00 PM
PaulCyr
Posts: 60
Joined: 17.Mar.2001
From: Charlottetown, PE, Canada
Status: offline
I am experiencing this very same issue. What exactly resolved it?
I have the local-host in with the rule associated with the SSL-Tunnel or HTTPS protocol traffic but I keep getting "Failed Connection Attempt"
The web site is the following: https://ops.eroute.ca/ops/common/logon.asp
I know that they strictly control what IP addresses can establish sessions to their web site but they assure me that the external IP address of my new ISA 2004 server is in the list.
Any ideas how I can troubleshoot this further? Or perhaps just point me to the correct section of Tom Shinder's new book.
Thanks.

RE: SSL - 29.Dec.2004 10:00:00 PM
UnifiedIT
Posts: 31
Joined: 20.Oct.2004
From: Grand Rapids, MI.
Status: offline
I would also like to know the answer for this. I have apps that request labels from UPS.com:443 and I keep getting failed when I use the ISA 2004 proxy.

RE: SSL - 30.Dec.2004 6:00:00 AM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by PaulCyr:
I am experiencing this very same issue. What exactly resolved it?
I have the local-host in with the rule associated with the SSL-Tunnel or HTTPS protocol traffic but I keep getting "Failed Connection Attempt"
The web site is the following: https://ops.eroute.ca/ops/common/logon.asp
I know that they strictly control what IP addresses can establish sessions to their web site but they assure me that the external IP address of my new ISA 2004 server is in the list.
Any ideas how I can troubleshoot this further? Or perhaps just point me to the correct section of Tom Shinder's new book.
Thanks.
Hi Paul,
I'm not sure I understand the problem. If they're using standard SSL ports, there shouldn't be a problem accessing from a client behind the ISA firewall.
HTH, Tom

RE: SSL - 30.Dec.2004 6:02:00 AM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
quote: Originally posted by UnifiedIT:
I would also like to know the answer for this. I have apps that request labels from UPS.com:443 and I keep getting failed when I use the ISA 2004 proxy.
Hi IT,
What rule is blocking the connection? What URL can't you get to?
Thanks! Tom

RE: SSL - 31.Dec.2004 4:06:00 PM
UnifiedIT
Posts: 31
Joined: 20.Oct.2004
From: Grand Rapids, MI.
Status: offline
Test UPS for ShipConfirm - https://wwwcie.ups.com/ups.app/xml/ShipConfirm
Test UPS for ShipAccept - https://wwwcie.ups.com/ups.app/xml/ShipAccept
Test UPS for Voids - https://wwwcie.ups.com/ups.app/xml/Void
Test UPS for Returns - https://wwwcie.ups.com/ups.app/xml/Return
Test UPS for Tracking - https://wwwcie.ups.com/ups.app/xml/Track
1st rule - allow DNS from internal to external for all users
2nd rule - allow all outbound traffic from quarantined VPN clients and VPN clients to internal for VPN admins and VPN users.
3rd rule - allow all outbound access from internal to external and internal for IT users
4th rule - allow HTTP and HTTPS from internal to Domain name set (allowed domains) for all authenticated users
5th rule - Deny all outbound traffic from internal to domain name set (Blocked Domains) for all authenticated users
6th rule - Allow HTTP and HTTPS from internal to external for all authenticated users.
Last rule - deny all
The site is being blocked when accessed through an in-house application. The rule that is blocking it is the third rule from above. According to our programmers this app does nothing more than access the site as you would if you were to type it into a web browser.
When I put allow all protocols from internal to external for all users it goes through fine. When I allow all protocols from internal to external for IT users (which I am a part of) it does not work. Do you think that it could be an authentication issue?

RE: SSL - 3.Jan.2005 5:05:00 PM
UnifiedIT
Posts: 31
Joined: 20.Oct.2004
From: Grand Rapids, MI.
Status: offline
This works great when I add all users to the rule and remove all authenticated users. Then disable the IT users rule. Basically removing authentication. Is there an issue with SSL through web proxy with authentication? I have read a couple articles from Microsoft but nothing to say that it shouldn't work.

RE: SSL - 6.Jan.2005 9:38:00 PM
UnifiedIT
Posts: 31
Joined: 20.Oct.2004
From: Grand Rapids, MI.
Status: offline
Create a rule that allows HTTP and HTTPS from internal to external for UPS.com. Works great.

RE: SSL - 12.Jan.2005 6:12:00 AM
eugene
Posts: 8
Joined: 2.Jan.2002
Status: offline
I have a similar problem. We have some contractual employees who are allowed to access just one site that uses SSL. We set up a rule to allow access by these employees to use HTTP/HTTPS from the internal network to a URL set containing the domains.
However, when they access the site, the rule shows a "Failed Connection Attempt". However, if we include all external sites, they are able to access the site with no problems.
Any idea what I am missing here?

RE: SSL - 14.Jan.2005 9:44:00 AM
pargyrak
Posts: 1
Joined: 14.Jan.2005
Status: offline
Hi all, I have a similar problem here. I have five different sites with ISA 2000, same configuration in all. There are two DMZ ISA 2004 proxies, both with the same configuration.
Users in all sites can access OWA websites but two out of three cannot access hotmail, no matter which DMZ proxy they're chained to.
However I get the same message in the logs of the DMZ proxies for both the failed and the successful attempts:
Action: Failed connection Attempt
Destination port: 443
Rule: Authorizes Access & protocols (The rule allows HTTP and HTTPS access towards the internet from all internal proxies).
Internal proxies authenticate the users, the DMZ ones do not need authentication.
Any ideas?
pargy