
Unable to access web published site via SSL from behind firewall

Unable to access web published site via SSL from behind... - 7.Dec.2005 2:24:45 PM   
asdavey
Posts: 5
Joined: 29.May2003
Status: offline
Problem in brief:

I have published an IIS 6 webserver, and have enabled HTTPS on the external listener. I can access the HTTPS site from the machine running ISA, and from external clients, but machines behind the firewall are unable to gain access. Browsers (both Firefox and IE) report problems about the connection being interrupted. All machines can access said website when using vanilla HTTP.

Background

I exported a self signed certificate from IIS6 to ISA 2004 (I then deleted the certificate from IIS 6). I then modified the web publishing rule so that the listener would accept HTTPS connections on port 443. I've also set it so that HTTPS connections are forwarded to my server as HTTP connections on port 80. All requests to the web server are set to appear to come from the original client.

Troubleshooting

As said above, I am able to access the HTTPS site when browsing from the ISA machine, or from an external machine. But any machine in my Upstairs Network Set (which is basically all machines on my network bar the printer downstairs) are unable to browse via HTTPS. HTTP is fine.

I've tried telnetting to the site on port 443, and am able to establish a connection. However, once I type a single character into the telnet console, the connection is terminated. This may not have anything to do with anything (I have no idea what the HTTPS protocol looks like - I've just assumed it's like HTTP).

When I looked at ISA's logging, I see the following whenever I try to connect with a machine in the Upstairs Network Set.

Log Time  | Destination IP  | Dest Port | Protocol | Action               | Rule                                                  | Client IP      | Source Network | Destination Network | Result Code
========================================================================================================================================================================================================
7/12/2005 | my public ip    |       443 | HTTPS    | Initiated Connection | Upstairs clients All Protocols access to the Internet | 192.168.0.100  | Upstairs       | Local               | Ho0x0
7/12/2005 | my public ip    |       443 | HTTPS    | Closed Connection    | Upstairs clients All Protocols access to the Internet | 192.168.0.100  | Upstairs       | Local               | Ho0x80074e20


If you look at the last column in the last row of the above, you will notice that when the connection was closed, a result code of 0x80074E20 was recorded.

I looked up result code 0x80074E20 and basically the help says this means "A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake."

I'm guessing that the result code is the key to my problem, but I don't know

I really appreciate anybody's help in this matter.

Andy
Post #: 1
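The telnet test in the post above only shows that TCP reaches port 443; the "single character terminates the connection" symptom is what a failed TLS handshake looks like from a raw socket. The following is an added diagnostic, not code from the original thread or from ISA Server: it separates the TCP handshake from the TLS handshake so that "connects but the peer hangs up during TLS" is reported distinctly from "port unreachable". The loopback server in it is a constructed stand-in that mimics the observed behaviour (accept, read one byte, close); host, port and the ISA listener itself are assumptions.

```python
import socket
import ssl
import threading


def probe_https(host, port, timeout=5.0):
    """Report how far an HTTPS connection to host:port gets.

    Returns a dict with two booleans:
      tcp - the TCP three-way handshake completed
      tls - the TLS handshake completed on top of it
    and a 'detail' string explaining the outcome.
    """
    result = {"tcp": False, "tls": False, "detail": ""}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["detail"] = f"TCP connect failed: {exc}"
        return result
    result["tcp"] = True

    # Diagnostic probe only: the question is whether the peer completes a
    # handshake at all, so certificate validation is switched off here.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # wrap_socket performs the handshake immediately and closes the
        # underlying socket itself if the handshake fails.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result["tls"] = True
            result["detail"] = f"TLS handshake completed ({tls.version()})"
    except ssl.SSLError as exc:
        # The peer replied with something that is not TLS, or hung up
        # mid-handshake (EOF while the ClientHello was being answered).
        result["detail"] = f"TLS handshake failed after TCP connect: {exc}"
    except OSError as exc:
        # The peer reset the connection while the ClientHello was in flight.
        result["detail"] = f"connection dropped during TLS handshake: {exc}"
    return result


def start_close_on_first_byte_server():
    """Constructed stand-in for the failing listener described in the post:
    accepts a TCP connection, reads one byte, then closes. Listens on the
    loopback interface and returns the chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        try:
            conn.recv(1)  # the first byte of the client's ClientHello arrives...
        finally:
            conn.close()  # ...and the "server" hangs up, as in the telnet test
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def run_demo():
    """Probe the simulated listener; expected: tcp True, tls False."""
    port = start_close_on_first_byte_server()
    return probe_https("127.0.0.1", port)


if __name__ == "__main__":
    print(run_demo())
```

Against a real listener, `probe_https("remote.example.invalid", 443)` from a machine on each side of the firewall gives the same three-way split the post describes: external and ISA-local clients should report `tls: True`, the SecureNAT clients behind the firewall `tcp: True, tls: False`.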
RE: Unable to access web published site via SSL from be... - 7.Dec.2005 5:54:32 PM   
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andy,

The problem is that you should be using Direct Access for clients behind the firewall, and not looping back through the ISA firewall to access local resources.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to asdavey)
Post #: 2
RE: Unable to access web published site via SSL from be... - 7.Dec.2005 11:06:39 PM   
asdavey
Posts: 5
Joined: 29.May2003
Status: offline
Thanks for the reply Tom.

I assume the key to enabling direct access as opposed to routing traffic through ISA is a split DNS?

The reason I wanted to route through ISA was to test out my self signed certificate. That and we always route through ISA because we don't have a split DNS (seemed like less work). We've not had a problem with that decision until now.

The other question I have is, why does this only affect HTTPS traffic and not HTTP? Since requests forwarded to the web server via ISA used the original client's IP I thought that when the web server responded the response didn't go via ISA, but instead went directly to the client IP. I would have said that the client wouldn't like that, but there again, all our HTTP traffic is fine. It just seems odd. Maybe there is some key concept in the HTTPS protocol that I'm missing and don't understand.

Andy

(in reply to tshinder)
Post #: 3
RE: Unable to access web published site via SSL from be... - 10.Dec.2005 1:11:20 PM   
dingbat
Posts: 4
Joined: 23.Aug.2005
Status: offline
Hi Andy,

Just letting you know I've got the same issue on SBS 2003 Premium servers that have been upgraded to ISA 2004 and SBS/Windows2003 SP1. I'm pretty confident that under ISA 2000 this scenario worked.

Unfortunately, in SBS there are good reasons to access the external web site internally, using the external address (e.g. https://remote.domain.com.au/). One example is ActiveSync, which needs the external domain to work over GPRS, but can also be connected inside the network. Under SBS, the web site that holds ActiveSync, OWA and other stuff has two certificates - one external bound to ISA's web listeners (e.g. remote.domain.com.au) and one internal bound to IIS (publishing.domain.local). The SBS CEICW wizard sets all this up, and it works well out of the box. Split DNS will solve the resolution, but not the certificates in this scenario.

Interestingly, it does work looping through ISA if the web browser is a proxy client. But it doesn't work as a SecureNat client. I am getting the same issues you describe, "cannot find server" in IE, and connection terminated in Firefox.

Tom, being the ISA guru, can you confirm my suspicion that ISA 2004's behaviour is different to ISA 2000? If so, anything that we can do, other than making the internal machines web proxy clients?

Thanks

(in reply to asdavey)
Post #: 4
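Tom's reply says internal clients should reach the published server directly rather than looping back through the ISA listener, and the post above adds that the loopback only fails for SecureNAT clients. One way to find out which internal hosts are doing the loopback is to read it straight out of the firewall log excerpt Andy posted: any session whose source network is internal but whose destination is the firewall's own public address. The following is an added example, not code from the thread or from ISA Server. The log text is constructed in the same pipe-separated column layout as the excerpt; the public address 203.0.113.10, the network names, the rule names and the meaning table are assumptions, except for the text of 0x80074E20, which is quoted from the post.

```python
# Constructed sample in the column layout of the ISA log excerpt in the thread.
# 203.0.113.10 stands in for "my public ip"; the other values are illustrative.
SAMPLE_LOG = """\
Log Time  | Destination IP | Dest Port | Protocol | Action               | Rule            | Client IP     | Source Network | Destination Network | Result Code
7/12/2005 | 203.0.113.10   |       443 | HTTPS    | Initiated Connection | Upstairs access | 192.168.0.100 | Upstairs       | Local               | 0x0
7/12/2005 | 203.0.113.10   |       443 | HTTPS    | Closed Connection    | Upstairs access | 192.168.0.100 | Upstairs       | Local               | 0x80074e20
7/12/2005 | 203.0.113.10   |        80 | HTTP     | Initiated Connection | Upstairs access | 192.168.0.100 | Upstairs       | Local               | 0x0
7/12/2005 | 203.0.113.10   |        80 | HTTP     | Closed Connection    | Upstairs access | 192.168.0.100 | Upstairs       | Local               | 0x80074e20
7/12/2005 | 203.0.113.10   |       443 | HTTPS    | Initiated Connection | Publish rule    | 198.51.100.7  | External       | Local               | 0x0
"""

# Assumed addresses the ISA listener answers on, and the network sets that
# sit behind the firewall (adjust to the local configuration).
FIREWALL_PUBLIC_IPS = {"203.0.113.10"}
INTERNAL_NETWORKS = {"Upstairs", "Internal"}

# Only code the thread itself explains; the text is the help text Andy quoted.
RESULT_CODE_MEANINGS = {
    "0x80074e20": "A connection was gracefully closed in an orderly shutdown "
                  "process with a three-way FIN-initiated handshake.",
}


def parse_isa_log(text):
    """Turn the pipe-separated table into a list of dicts keyed by header."""
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("=")]
    header = [cell.strip() for cell in lines[0].split("|")]
    return [dict(zip(header, (cell.strip() for cell in ln.split("|"))))
            for ln in lines[1:]]


def find_loopback_sessions(rows):
    """Pair 'Initiated' and 'Closed' records into sessions and return those
    where an internal client connected to the firewall's own public address,
    i.e. the loopback-through-ISA pattern the thread is about."""
    sessions = {}
    for r in rows:
        key = (r["Client IP"], r["Destination IP"], r["Dest Port"], r["Protocol"])
        s = sessions.setdefault(key, {"source_network": r["Source Network"],
                                      "initiated": False, "closed_with": None})
        if r["Action"] == "Initiated Connection":
            s["initiated"] = True
        elif r["Action"] == "Closed Connection":
            s["closed_with"] = r["Result Code"].lower()

    findings = []
    for (client, dest, port, proto), s in sessions.items():
        if s["source_network"] in INTERNAL_NETWORKS and dest in FIREWALL_PUBLIC_IPS:
            code = s["closed_with"]
            findings.append({
                "client": client, "destination": dest, "port": port,
                "protocol": proto, "closed_with": code,
                "meaning": RESULT_CODE_MEANINGS.get(code, "not documented here"),
            })
    return findings


if __name__ == "__main__":
    for f in find_loopback_sessions(parse_isa_log(SAMPLE_LOG)):
        print(f"{f['client']} -> {f['destination']}:{f['port']} {f['protocol']}: "
              f"closed with {f['closed_with']} ({f['meaning']})")
```

Note that the HTTP session in the sample closes with the same graceful-shutdown code as the HTTPS one, which is consistent with the post: the result code only says the close was orderly, so it is the internal-source-to-public-address pairing, not the code, that identifies the hosts that still need split DNS or web proxy client configuration.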