Welcome to ISAserver.org

https not working

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA 2006 Web Proxy] >> General >> https not working

Page: [1]

Message

<< Older Topic Newer Topic >>

https not working - 28.Nov.2006 7:41:27 AM

tedw

Posts: 3
Joined: 28.Nov.2006
Status: offline

Hi Everyone,
I've just setup my ISA server's web proxy and tested it by changing my web browser LAN settings to point to the ISA server. Everything is working well on normal http traffic it records username and the website they are visiting but when it comes to https traffic I get an error message in the web browser:
Network Access Message: The page cannot be displayed
Technical Information (for Support personnel)
Error Code: 504 Proxy Timeout. The connection timed out. (10060)
IP Address: xxx.xxx.xxx.xxx
Date: 29/11/2006 15:14:12 [GMT]
Server: isa.mydomain.com
Source: proxy
I've played around with some settings but I can't get it to work.
Settings I�ve tried include:
On the internal network properties / Web proxy page I enabled SSL on port 8443,
I added HTTPS to the same rule as HTTP is working on; I�ve tried enabling the web proxy filter in the application filters part of the HTTPS Protocol,
In Internet Explorer I've unchecked Use Same Proxy Server for All Protocols and changed the Secure setting to use port 8443
But still no luck.
When I look in the logs for normal HTTP that works I get first line says:
8080 http       Denied connection     Anonymous     http://www.website.com HTTP/HTTPS Rule
80      http     Allowed Connection    MyUserName   http://www.website.com HTTP/HTTPS Rule
8080 http proxy        Initiate Connection                       No Rule
More or Less and that works fine
But when i try to connect to a website using HTTPS the log looks like this:
443 https           initiate connection                                     No Rule
443 https           Close connection                                      No Rule
Has Anyone got any suggestions I could try
Oh yeah I�m using ISA Standard 2006

Many thanks in advance

< Message edited by tedw -- 30.Nov.2006 3:36:09 AM >

Post #: 1

Featured Links*

RE: https not working - 5.Dec.2006 12:26:30 PM

kyle_s

Posts: 3
Joined: 5.Dec.2006
Status: offline

Hey,

I feel your pain. I spent a full day trying to figure out this exact same problem, with the exception that my server is ISA2004. 2006 may be a little bit different, but try going to networks->network rules->internet access->network relationship-> change it from route to NAT. It seems like NAT is a little bit slower than routed, but I can't complain about working vs. not.

(in reply to tedw)

Post #: 2

RE: https not working - 6.Dec.2006 10:36:05 AM

tedw

Posts: 3
Joined: 28.Nov.2006
Status: offline

Thanks for the answer,

I've tried both NAT and Route it doesn't work for both i've also tried direct access and that doesn't work either. Oh well i keep playing around i'll hopfully get there in the end.

Cheers

(in reply to kyle_s)

Post #: 3

RE: https not working - 6.Dec.2006 5:46:02 PM

Jason Jones

Posts: 2154
Joined: 30.Jul.2002
From: United Kingdom
Status: offline

You don't need to enable the SSL 8443 listener on the internal network object as this is a legacy setting for web chaining, not for SSL proxying as you may think.

Just configure the internal network object to use 8080 and then configure IE to use port 8080 for all protocols including secure. ISA will then proxy HTTP and HTTPS using this single listening port.

Cheers

JJ

_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to tedw)

Post #: 4

RE: https not working - 11.Jan.2007 2:54:03 PM

RayH

Posts: 20
Joined: 1.Nov.2006
Status: offline

Sorry to open up an old topic but I think I am having the problem.
We have a single NIC ISA 2006 used as a proxy and logging server.
Everything works great except when trying to access a website that tries to open a page using the following format: - https://xxx.xxx.com:8443/xxx/xxx
In the log it says Failed Connection Attempt

My internal network is set for 8080 as is Internet Explorer.
How can I gain access to this webpage?
I am not going to ask how to OPEN A PORT in case of ridicule!

Thanks

(in reply to Jason Jones)

Post #: 5

RE: https not working - 11.Jan.2007 6:55:12 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Ray,

check out Extending the ISA Firewall�s SSL Tunnel Port Range (2004).

HTH,
Stefaan

(in reply to RayH)

Post #: 6

RE: https not working - 11.Jan.2007 7:52:57 PM

RayH

Posts: 20
Joined: 1.Nov.2006
Status: offline

Thank you Stefaan
The script is no longer there but ISATRPE worked a treat.

Any idea what it did? I've looked at the rules and everywhere I can think off but cannot find any references to the new port.

(in reply to spouseele)

Post #: 7

RE: https not working - 12.Jan.2007 8:07:55 AM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Ray,

yeah... Jim has revised his site. So, just go to his homepage http://www.isatools.org and you'll find a lot of good stuff.

A simple search on "tunnel port range" gives:
- http://support.microsoft.com/kb/283284/
- http://www.microsoft.com/technet/isa/2004/plan/managingtunnelports.mspx
- http://msdn2.microsoft.com/en-us/library/ms825517.aspx

BTW --- ISA 2004 and 2006 are very simular to each other. However, ISA 2000 is conceptually a complete other beast.

HTH,
Stefaan

(in reply to RayH)

Post #: 8

RE: https not working - 12.Jan.2007 12:06:24 PM

RayH

Posts: 20
Joined: 1.Nov.2006
Status: offline

Thanks for the links.
I am disappointed though that this cannot be set via the ISA frontend and looks to me that it can olny be handled via VB scripts.
Maybe the next version will have an option.

(in reply to spouseele)

Post #: 9

RE: https not working - 12.Jan.2007 2:49:18 PM

spouseele

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline

Hi Ray,

if it can't be set in the GUI than that means that not enough customers are complaining about it. Feel free to contact Microsoft to put it on the whishlist for the next service pack or version.