SSL browsing that went through a VPN tunnel (Full Version)

All Forums >> [ISA Server 2000 Firewall] >> Firewall Client


jeff14 -> SSL browsing that went through a VPN tunnel (18.Apr.2006 10:08:09 PM)

I've been trying to figure this one out for some time now, but just can't see where the problem is.  I think I'm overlooking something obvious - any suggestions?

I have an ISA 2000 SP2 server on our network with pretty much wide-open outbound access policy.   The HTTP Redirector filter is enabled and set to redirect to the local web proxy service.  Client machines have the MS Firewall client installed, but do not have any web proxy settings enabled in Internet Explorer.

HTTP Web browsing from any client machine works fine under this scenario.  But, HTTPS browsing to secure sites works only for some of our machines.  In troubleshooting this problem, it appears that if the HTTPS packets from the client machine travel through a VPN demand dial connection or a RRAS IPSEC tunnel connection BEFORE it reaches the ISA server, it will not be serviced correctly by the ISA server.  Furthermore, when HTTPS requests are made from those client machines through the encrypted tunnel, it ALWAYS causes the ISA server to become unstable for all ISA-related functions - necessitating a reboot.  Obviously a huge problem, since every time someone on the other end of a secure tunnel tries to access the Internet, it "crashes" Internet access for everyone throughout the entire organization.

Errors that I have seen include a BSOD with "PFN_LIST_CORRUPT", another BSOD that I cannot remember the description of, event 14198 (Web proxy service failed to create a network socket because there are no available ports on this computer).  The BSOD's seem random, but the Event 14198 is consistent.  However, all the suggestions I've found on the Internet for troubleshooting event 14198 I have tried with no success.

I want to keep an encrypted tunnel in place within our private network but still have HTTPS work for all client machines.  There are two reasons that I use encrypted tunnels for some of our PC's:
1.  For a wireless connection between two of our LAN sites.  ie. LAN1 connects through a wireless bridge to LAN2.  LAN2 connects to LAN3 through a traditional T1 line, and the ISA server lives on LAN3 and connects to the Internet.  I also have WEP enabled on this wireless link, but that doesn't seem to be the culprit.
2.  For a router-to-router persistent VPN connect from a remote site to the home office.  ie. LAN1 has its own Internet connection.  The router on LAN1 does a persistent VPN connection to the ISA server on LAN2 (which also acts as the RRAS server) at the corporate site.  I prefer that the users at the remote site access the Internet through the ISA server rather than through their local Internet connection so that ISA provides the firewall protection, and the router at the remote site is filtered so that it can only connect to the home server and only through PPTP.

On example 1 above (the more important of the two examples), if I enable IPSEC tunneling or VPN persistent demand-dial routing between the two sites, clients on the far side of the tunnel cannot access HTTPS pages through ISA and such accesses destabilize the server, necessitating a reboot.  If I set the client on the far side of the tunnel to use web proxy and disable the firewall client, they work fine through the tunnel.  Alternatively, if I remove the tunnel, HTTPS also works fine for the client, with the firewall client enabled.

Any suggestions?  I'm at the end of my abilities with this one.  I'm strongly hoping that this anomaly is corrected with ISA 2004 or ISA 2006 - one of which I will upgrade to as soon as I can.

Sorry for the lengthy explanation.  Thanks for taking the time to read and think about this one.

Page: [1]