From: Moscow, Russia
Recently I tried to access an external FTP server from my network through ISA 2004 (SP2) via webproxy client (HTTP Connect method) and got an error:
HTTP/1.1 502 Proxy Error (The specified Secure Sockets Layer (SSL) port is not allowed. ISA server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests.)
I searched the Net and found nothing on this. At Rebex.net there was a FAQ with a clue:
Q: I get an exception "Error 502 returned by a HTTP proxy (...)" when connecting through Microsoft ISA Server using HttpConnect proxy. Why?
A: The whole exception message is probably:
"Error 502 returned by a HTTP proxy (Proxy Error (The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests.))."
This is caused by the default behavior of Microsoft ISA server, which only allows requests to ports 443 and 563 using its HTTP Connect method. (Primary use of HTTP Connect is to allow SSL connections to HTTPS servers).
The Microsoft Knowledge Base article Q283284 addresses this issue.
To access FTP sites through ISA server's HTTP proxy, access to all ports must be allowed. FTP's control connection port is 21 by default, but data connections can use virtually any port, because it is assigned by the FTP server. (Although allowing port 21 and ports >1024 should be enough, there might be exceptions.)
To allow connections to all ports through the HTTP proxy, the following VB script must be run on the ISA server:
set tmp=tprange.AddRange("FTP", 1, 65535)
After the script is run and "Microsoft ISA Server Control" service is restarted, it should work.
I slightly changed the script as it didn't run properly (an error saying "the object doesn't support this property or method"):
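' Add a tunnel port range named "FTP" (ports 1-65535) to the Web proxy policy
Set root = CreateObject("FPC.Root")
Set tpRanges = root.GetContainingArray.ArrayPolicy.WebProxy.TunnelPortRanges
Set newRange = tpRanges.AddRange("FTP", 1, 65535)
' Write the new range to the ISA configuration
tpRanges.Save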
Then I ran the script, restarted the ISA Server machine and everything worked OK. Now I'm able to get to FTP sites using any FTP client that supports Webproxy (HTTP Connect). Hope it would help somebody.
P.S. Don't know how safe it is to allow all ports for FTP through webproxy?
Hi DaniiKireev, Thanks for your useful information. Can I ask you something? I've made a script file (ISA.vbs) and run it on the ISA 2004 server, but I don't know what the script edits on the ISA server. I ran the vbs file just once; the second time it gives an error "cannot create a file when that file already exists", so please tell me how to delete the file created and run the script again. Thanks a lot. NHT
From: Moscow, Russia
IMHO, this script does something that you cannot know exactly, because it uses ISA's own API (maybe adds something to the registry). And yes, it cannot be run twice; the second time you run it an error appears (I don't know whether or not any files are created by this script).
To remove the changes the script makes I would suggest running another script, something like this:
Dim root
Dim tpRanges
Set root = CreateObject("FPC.Root")
Set tpRanges = root.GetContainingArray.ArrayPolicy.WebProxy.TunnelPortRanges
' Remove is called as a statement: it returns no object to assign with Set
tpRanges.Remove "FTP"
' Write the change back to the ISA configuration
tpRanges.Save True
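An added example, not part of the thread or of the Rebex FAQ: a script that lists the tunnel port ranges the Web proxy currently allows for CONNECT, flags wide ones, and adds the narrower pair the FAQ mentions (port 21 and ports above 1024) only if they are missing, which avoids the "already exists" error on a second run. The range names "FTP control" and "FTP data" are hypothetical, and the property names Name, TunnelLowPort and TunnelHighPort are assumed from the ISA administration COM object model.

```vbscript
' Added example: audit and idempotently extend ISA TunnelPortRanges.
' Run on the ISA server: cscript //nologo audit-tunnel-ports.vbs
Option Explicit

Dim root, tpRanges, r, changed
Set root = CreateObject("FPC.Root")
Set tpRanges = root.GetContainingArray.ArrayPolicy.WebProxy.TunnelPortRanges

' 1. Audit: show every port range CONNECT may tunnel to.
For Each r In tpRanges
    WScript.Echo r.Name & ": " & r.TunnelLowPort & "-" & r.TunnelHighPort
    ' A range that also covers ports below 1024 opens well-known
    ' service ports (SMTP, SSH, ...) to tunnelling; flag it for review.
    If r.TunnelLowPort < 1024 And r.TunnelHighPort > r.TunnelLowPort Then
        WScript.Echo "  REVIEW: wide range including ports below 1024"
    End If
Next

' 2. Add the narrower ranges only when no range of that name exists.
changed = False
If AddIfMissing(tpRanges, "FTP control", 21, 21) Then changed = True
If AddIfMissing(tpRanges, "FTP data", 1025, 65535) Then changed = True

' 3. Persist only when something was added.
If changed Then
    tpRanges.Save
    WScript.Echo "Saved. Restart the Microsoft ISA Server Control service."
Else
    WScript.Echo "No changes needed."
End If

' Returns True if the range was added, False if the name was already there.
Function AddIfMissing(ranges, rangeName, lowPort, highPort)
    Dim existing
    AddIfMissing = False
    For Each existing In ranges
        If StrComp(existing.Name, rangeName, vbTextCompare) = 0 Then
            Exit Function
        End If
    Next
    ranges.AddRange rangeName, lowPort, highPort
    AddIfMissing = True
End Function
```

If the all-ports "FTP" range from the earlier post is still present, the audit step reports it with the REVIEW line; the removal script above takes it out.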