Welcome to ISAserver.org
SecureNAT Clients can't access some HTTPS sites
SecureNAT Clients can't access some HTTPS sites - 24.Feb.2005 12:25:00 AM
DamoNZ
Posts: 3
Joined: 10.Feb.2005
From: New Zealand
Status: offline
We have identified an issue with a client PC acting as a SecureNAT client. We have found that when accessing secured pages on certain web servers, the request just times out.
A little background info:
Our SecureNAT clients with this issue have to traverse a VPN (Windows Server 2003 L2TP/IPSec) to access the ISA server. The VPN has an MTU of 1400.
If the clients are configured as Web Proxy clients, access to secured sites is fine. However we really want to get this problem sorted from a SecureNAT perspective.
Please note we are able to access *most* secure sites, just not *all*!
The Problem:
I have done a Network Capture on the RRAS server which is in the same network as the ISA server - I can see that it is sending an ICMP Unreachable (DF Set, MTU Next Hop=1400) message back to the web server in question. The problem is that this web server is not respecting the request to lower the MTU (I suspect that the ICMP message is being blocked at the web server end). So this is why requests time out.
I also performed a Network Capture on the External and Internal interfaces of the ISA server. When I perform HTTP requests from my SecureNAT client I can see that the ISA server receives the responses on its external interface with a packet size of 1500 (the same as the HTTPS responses), but then when ISA sends these on to the SecureNAT client it is sending them as packets of 576 bytes in length. But when the response is HTTPS, ISA doesn't seem to break it down to 576-byte packets; instead it leaves them at 1500 (which is why the RRAS server sends back the ICMP response).
My question is why doesn't this same behaviour apply with HTTPS requests? Is there a way to force ISA to do this for HTTPS requests as well as HTTP requests?
Due to the fact that it works if the client is configured as a Web Proxy client, I assume that ISA is able to break the HTTPS requests into smaller packets - hoping someone can help!
Regards,
Damon
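As an added example (not part of Damon's post or of ISA Server itself): a small Python decoder for the ICMP "Fragmentation Needed" message (type 3, code 4) that the capture on the RRAS server shows. It constructs a sample message of exactly that shape (RRAS advertising a next-hop MTU of 1400 back to a web server that sent a 1500-byte HTTPS segment with DF set), parses it, and reports the fields worth checking in a capture: the advertised MTU, the total length and DF bit of the quoted original header, and the TCP MSS a device in the path would have to clamp to. The addresses are documentation-range placeholders and the packet bytes are constructed here, not taken from the thread.

```python
"""Decode ICMP "Fragmentation Needed" (type 3, code 4) messages and derive
what a firewall admin wants from them: the next-hop MTU being advertised,
the size and DF flag of the oversized packet that triggered it, and the TCP
MSS a device would have to clamp to. All bytes below are constructed for
this example; the addresses are placeholders, not anything from the thread."""
import struct
from dataclasses import dataclass

RRAS = "192.0.2.1"            # VPN/RRAS server that emits the ICMP (placeholder)
WEB_SERVER = "198.51.100.10"  # remote HTTPS server that ignores it (placeholder)
CLIENT = "192.0.2.50"         # SecureNAT client behind the VPN (placeholder)
IP_DF = 0x4000                # "Don't Fragment" bit in the IPv4 flags/frag-offset field


@dataclass
class FragNeeded:
    src: str             # router that generated the ICMP (owns the small link)
    dst: str             # host being told to send smaller packets
    next_hop_mtu: int    # MTU the sender is asked to honour
    orig_src: str        # fields quoted from the dropped packet's IP header
    orig_dst: str
    orig_total_len: int
    orig_df: bool
    orig_proto: int
    orig_sport: int
    orig_dport: int

    def is_pmtud_black_hole_candidate(self) -> bool:
        """DF-marked packet larger than the advertised MTU: the sender must
        honour this message, or something in the path must clamp the MSS."""
        return self.orig_df and self.orig_total_len > self.next_hop_mtu


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; yields 0 over data that already
    carries a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def ipv4_header(total_len: int, flags_frag: int, proto: int, src: str, dst: str,
                ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_frag,
                      ttl, proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed(next_hop_mtu: int = 1400, orig_len: int = 1500,
                      df: bool = True) -> bytes:
    """Constructed RRAS -> web server ICMP type 3 code 4 quoting the first
    28 bytes of a web server -> client HTTPS segment of orig_len bytes."""
    inner_ip = ipv4_header(orig_len, IP_DF if df else 0, 6, WEB_SERVER, CLIENT, ttl=50)
    inner_tcp = struct.pack("!HHI", 443, 52000, 0x10203040)  # sport, dport, seq
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + inner_ip + inner_tcp
    icmp = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(20 + len(icmp), 0, 1, RRAS, WEB_SERVER) + icmp


def parse_frag_needed(pkt: bytes) -> FragNeeded:
    """Parse an IPv4 packet carrying ICMP type 3 code 4; ValueError otherwise
    or on a bad ICMP checksum."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("not ICMP")
    icmp = pkt[ihl:]
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (3, 4):
        raise ValueError("not Fragmentation Needed (type 3, code 4)")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]                       # quoted IP header + 8 bytes of transport
    inner_ihl = (inner[0] & 0x0F) * 4
    total_len, _ident, flags_frag = struct.unpack("!HHH", inner[2:8])
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return FragNeeded(
        src=_ip_str(pkt[12:16]), dst=_ip_str(pkt[16:20]), next_hop_mtu=mtu,
        orig_src=_ip_str(inner[12:16]), orig_dst=_ip_str(inner[16:20]),
        orig_total_len=total_len, orig_df=bool(flags_frag & IP_DF),
        orig_proto=inner[9], orig_sport=sport, orig_dport=dport)


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP MSS that fits an IPv4 MTU with no IP or TCP options."""
    return mtu - 20 - 20


if __name__ == "__main__":
    info = parse_frag_needed(build_frag_needed())
    print(info)
    print("black hole candidate:", info.is_pmtud_black_hole_candidate(),
          "| clamp MSS to", mss_for_mtu(info.next_hop_mtu))
```

What to look for in a real capture is the same as what the sample decodes to: the quoted header has DF set and a total length (1500) larger than the advertised next-hop MTU (1400), and the remote server keeps sending 1500-byte DF packets afterwards. That is a PMTUD black hole on that path; the web server's side is dropping or ignoring the ICMP. It also fits the observation that Web Proxy clients work, since the proxy terminates the TCP connection on the ISA server itself and the server's own stack reacts to the ICMP. For a 1400-byte link the MSS that avoids the problem is 1360.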
RE: SecureNAT Clients can't access some HTTPS sites - 14.Mar.2005 9:09:00 PM
Rickymag
Posts: 509
Joined: 26.Nov.2003
From: SA
Status: offline
Hello Damon,
By default, without setting any MTU settings, when browsing SSL sites as a SecureNAT, Web Proxy or Firewall client the browsing works seamlessly.
There must be another setting somewhere that has been changed.
Your diagnosis is good and it's the way to go about analyzing in detail; however, do not get the issue clouded with packet captures. I suggest you look at the firewall from a more simplistic aspect.
If you do not come right, I have dealt with these issues before, especially in back-to-back scenarios and transparent proxies; they fiddle a little.
Let me know.
Rickym At Fastennet.com
HTH
RM
RE: SecureNAT Clients can't access some HTTPS sites - 29.Nov.2005 4:19:51 AM
vinchan1
Posts: 80
Joined: 20.Apr.2003
From: Hong Kong
Status: offline
I also found such a problem in my ISA 2004. I found that it happened after I updated the ISA 2004 to the latest patch and service pack. I don't know which update is wrong.
RE: SecureNAT Clients can't access some HTTPS sites - 29.Nov.2005 5:21:06 AM
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
IIRC, ISA2K4SP1 turns off PMTUDiscovery on W2K3 so you may want to check that and re-enable it.
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
RE: SecureNAT Clients can't access some HTTPS sites - 6.Dec.2005 10:51:43 AM
vinchan1
Posts: 80
Joined: 20.Apr.2003
From: Hong Kong
Status: offline
After further experiment, I found that SecureNAT can access "https" web sites after I disable the "web proxy filter" in the HTTPS protocol. It seems that the web proxy filter interferes with the proper operation of the HTTPS rule. I don't know why, but it is acceptable for me to disable such a filter in the HTTPS protocol.