Welcome to ISAserver.org

Can access HTTPS (SSL) sites from internal network

Can access HTTPS (SSL) sites from internal network - 9.Aug.2007 8:44:25 PM   
artemgassan

 

Posts: 17
Joined: 18.Nov.2006
From: West Palm Beach, FL
Status: offline
Can someone guide me in the right direction?

I am having a problem with accessing secure sites from my co-location center (internal network).
None of my servers can access SSL sites. Example: https://www.amazon.com.

I have a couple of SSL rules set up on my firewall and they work just fine. People can access ALL SSL sites outside of the firewall (protected) network.
I am using a Web Server Publishing Rule (HTTPS rule). I can access all sites that are running on my servers using the https protocol only from the firewall; all servers behind the firewall can't access either internal or external SSL sites.

Please advise what kind of rule I have to create in order to access https://www.amazon.com or any external SSL sites.

Here are my technical characteristics:
1. Firewall Server
   Microsoft Firewall 2004 running on Windows 2003 Enterprise Edition.
   Service Pack installed for Windows 2003
   Service Pack installed for ISA Server 2004
   No ISA Firewall Client running on it.
2. Web servers that are behind the firewall, all using internal IP addresses.
   Windows 2003 Enterprise Edition
   Service Pack installed
   No ISA Firewall Client running on them.

P.S. Since I could not find any help online I got the book Dr. Tom Shinder's Configuring ISA Server 2004.
Maybe show me the page number where I can get help with solving this problem.

Best Regards
Artem Gassan
Post #: 1
RE: Can access HTTPS (SSL) sites from internal network - 10.Aug.2007 3:14:47 AM   
ianfermo

 

Posts: 235
Joined: 7.Nov.2004
From: Zamboanga, Philippines
Status: offline
Hi,

Are you sure you have an allow rule for HTTPS?

e.g. Allow HTTPS from Internal to External

Cheers...

(in reply to artemgassan)
Post #: 2
RE: Can access HTTPS (SSL) sites from internal network - 10.Aug.2007 12:53:53 PM   
artemgassan
I have an Access Rule called "Private Traffic"
From:    Internal
         Local Host
         VPN Clients
To:      External
         Internal
         Local Host
         VPN Clients
Protocol:
         All outbound traffic

Order number 3 in Firewall Policy
I also tried to enable an ALLOW ALL access rule:
Protocol:
      All Outbound Traffic
From:
      All Networks (and Local Host)
To:
      All Networks (and Local Host)
Doesn't work either.

Here is the error message I am getting for a VPN user:
Denied Connection Phobos 8/10/2007 12:47:42 PM Log type: Firewall service Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer. Rule: Source: VPN Clients ( 192.168.10.19:4607) Destination: External ( 72.21.203.1:443) Protocol: HTTPS
Here is the error message I am getting from a server behind the firewall:
Denied Connection Phobos 8/10/2007 12:50:33 PM Log type: Firewall service Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer. Rule: Source: Internal ( 192.168.20.15:3885) Destination: External ( 72.21.206.5:443) Protocol: HTTPS
Every time I hit an SSL site like https://www.amazon.com
I get 3 records:
1st record:
   Action: Initiated Connection
   Rule: Private Traffic
   Protocol: HTTPS
   Destination Port: 443
   Source Network: Internal
   Destination Network: External
2nd record:
   Action: Closed Connection
   Rule: Private Traffic
   Protocol: HTTPS
   Destination Port: 443
   Source Network: Internal
   Destination Network: External
3rd record:
   Action: Denied Connection
   Rule: Private Traffic
   Protocol: HTTPS
   Destination Port: 443
   Source Network: Internal
   Destination Network: External


  

(in reply to ianfermo)
Post #: 3
RE: Can access HTTPS (SSL) sites from internal network - 10.Aug.2007 1:12:17 PM   
jmilito

 

Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline
Are you by chance using Firefox?  Of course this was not through VPN.  That adds another little wrench into the works.  Anyway, I created an exception rule for caching...cleared the cache...and the site now works just fine.  The Firefox users are happy now.


(in reply to artemgassan)
Post #: 4
RE: Can access HTTPS (SSL) sites from internal network - 10.Aug.2007 1:16:56 PM   
artemgassan
I am using Internet Explorer 7 on all my servers that are behind the firewall.
I just cleared all my cache, cookies, history and add-ons, and closed the browser.
Opened it again and still the same issue.

(in reply to jmilito)
Post #: 5
RE: Can access HTTPS (SSL) sites from internal network - 10.Aug.2007 1:18:39 PM   
artemgassan
Just so you know, I am not using the ISA Firewall Client and my IE settings for Local Area Network are not set up to use a proxy server.

(in reply to artemgassan)
Post #: 6
RE: Can access HTTPS (SSL) sites from internal network - 10.Aug.2007 1:28:21 PM   
jmilito
The exception rule was created on the ISA server's cache configuration.  However I think you have another beast at work here because it works fine in my IE 7 with ISA 2004 configuration.  I think ianfermo is right...  Check your access rules.  Pg 509 in my book version.  Create an all open rule for a TEST workstation/server ip , place near the top of your custom rules, and see if this fixes your issue.  If it does you definitely need to re-evaluate your rule set.

(in reply to artemgassan)
Post #: 7
RE: Can access HTTPS (SSL) sites from internal network - 10.Aug.2007 1:53:32 PM   
artemgassan
Thank you for your reply.

OK, I created a new Access Rule and placed it before any other rules.
Access Rule Name: TEST
Action:  Allow
Protocol: All outbound traffic
From: I added 2 address ranges
         1. Private network (192.168.20.0-192.168.20.255)
         2. Public network (208.68.xxx.xxx-208.68.xxx.xxx)
To:
         1. Private network (192.168.20.0-192.168.20.255)
         2. Public network (208.68.xxx.xxx-208.68.xxx.xxx)
         3. External

Opened IE 7 on my Windows 2003 server that has IP address 192.168.20.15/16
Typed https://www.amazon.com into the browser; it did not work.

So I went and ran logging to see the request and which rule the firewall is using:
It was using
192.168.20.15    Phobos    -    TCP    -    -    4330    0    0    0    0x0    0x0    0x0    Firewall    8/10/2007 1:44:27 PM    72.21.210.11    443    HTTPS    Initiated Connection    TEST    192.168.20.15    Internal    External    -    -
192.168.20.15    Phobos    -    TCP    -    -    4330    0    0    4213    0x80074e24 FWX_E_CONNECTION_KILLED    0x0    0x0    Firewall    8/10/2007 1:44:27 PM    72.21.210.11    443    HTTPS    Closed Connection    TEST    192.168.20.15    Internal    External    -    -
192.168.20.15    Phobos    -    TCP    -    -    4330    0    0    0    0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED    0x0    0x0    Firewall    8/10/2007 1:44:29 PM    72.21.210.11    443    HTTPS    Denied Connection        192.168.20.15    Internal    External    -    -

The request error that I get is FWX_E_TCP_NOT_SYN_PACKET_DROPPED

I also looked at my cache rules.
All I have is the default rule from ISA:
Name: Last Default rule
To: All Networks (and Local Host)
HTTP tab: not checked (Enable HTTP caching)
FTP tab: not checked (Enable FTP caching)

(in reply to jmilito)
Post #: 8
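The three records in the log above are worth telling apart from a plain policy denial: the first one carries a rule name (TEST), so policy allowed the SYN; the second carries FWX_E_CONNECTION_KILLED, so the connection was then killed by ISA rather than closed by either endpoint; and the third, with no rule name, is a later packet from the same client port being dropped as "non-SYN" because ISA no longer holds state for that flow. The script below is an added example for this thread, not code from the poster or from ISA Server. It groups log lines by flow (client ip:port to destination ip:port) and labels each flow. The tab-separated column order is an assumption that mirrors the fields visible in the posted lines, not ISA's actual log schema, and the sample lines are constructed; the first three restate the flow from the post.

```python
"""Classify ISA firewall-log flows: policy denial vs. allowed-then-killed.

Added example for this thread. The column layout below is an assumption
that mirrors the fields visible in the posted log lines; it is not ISA
Server's real log schema, and SAMPLE_LOG is constructed.
"""
from collections import defaultdict
from datetime import datetime

# A Closed Connection this soon after Initiated Connection is ISA tearing the
# session down, not the client finishing a request.
KILL_WINDOW_SECONDS = 5

COLUMNS = ("timestamp", "client_ip", "client_port", "dest_ip", "dest_port",
           "protocol", "action", "rule", "result")

# Constructed sample (tab-separated). Lines 1-3 restate the flow from the
# post; the rest are made up to show the other outcomes. Result names on the
# made-up lines are given without hex codes on purpose.
SAMPLE_LOG = """\
8/10/2007 1:44:27 PM\t192.168.20.15\t4330\t72.21.210.11\t443\tHTTPS\tInitiated Connection\tTEST\t0x0
8/10/2007 1:44:27 PM\t192.168.20.15\t4330\t72.21.210.11\t443\tHTTPS\tClosed Connection\tTEST\t0x80074e24 FWX_E_CONNECTION_KILLED
8/10/2007 1:44:29 PM\t192.168.20.15\t4330\t72.21.210.11\t443\tHTTPS\tDenied Connection\t\t0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
8/10/2007 1:45:02 PM\t192.168.20.15\t4331\t72.21.210.11\t80\tHTTP\tInitiated Connection\tTEST\t0x0
8/10/2007 1:45:09 PM\t192.168.20.15\t4331\t72.21.210.11\t80\tHTTP\tClosed Connection\tTEST\tFWX_E_GRACEFUL_SHUTDOWN
8/10/2007 1:45:30 PM\t192.168.20.16\t5000\t72.21.206.5\t443\tHTTPS\tDenied Connection\t\tFWX_E_POLICY_RULES_DENIED
"""


def parse_log(text):
    """Parse tab-separated lines into dicts keyed by COLUMNS plus a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} columns, got {len(cols)}: {line!r}")
        rec = dict(zip(COLUMNS, cols))
        rec["time"] = datetime.strptime(rec["timestamp"], "%m/%d/%Y %I:%M:%S %p")
        records.append(rec)
    return records


def flow_key(rec):
    return (rec["client_ip"], rec["client_port"], rec["dest_ip"], rec["dest_port"])


def classify_flow(events):
    """Label one flow's events (same client ip:port -> dest ip:port)."""
    events = sorted(events, key=lambda e: e["time"])
    initiated = next((e for e in events if e["action"] == "Initiated Connection"), None)
    killed = next((e for e in events if e["action"] == "Closed Connection"
                   and "FWX_E_CONNECTION_KILLED" in e["result"]), None)
    closed = any(e["action"] == "Closed Connection" for e in events)
    non_syn_drop = any(e["action"] == "Denied Connection"
                       and "FWX_E_TCP_NOT_SYN_PACKET_DROPPED" in e["result"] for e in events)
    policy_denied = any(e["action"] == "Denied Connection"
                        and "FWX_E_POLICY_RULES_DENIED" in e["result"] for e in events)

    if initiated and killed:
        # Policy allowed the SYN (a rule name is present), then ISA itself
        # dropped the session; any later non-SYN drop is the client's next
        # packet hitting a state table that no longer knows the flow.
        age = (killed["time"] - initiated["time"]).total_seconds()
        return "allowed_then_killed" if age <= KILL_WINDOW_SECONDS else "killed_late"
    if initiated is None and policy_denied:
        return "policy_denied"          # never got past the rule set
    if initiated and closed:
        return "completed"              # normal lifetime, closed by an endpoint
    if initiated is None and non_syn_drop:
        # Drops with no Initiated record in this window: look further back
        # in the log before drawing conclusions.
        return "nonsyn_drop_without_context"
    return "unclassified"


def classify_flows(text):
    flows = defaultdict(list)
    for rec in parse_log(text):
        flows[flow_key(rec)].append(rec)
    return {key: classify_flow(evs) for key, evs in flows.items()}


def summarize(text):
    """Count labels per destination port; the thread's symptom is on 443 only."""
    counts = defaultdict(lambda: defaultdict(int))
    for (_, _, _, dport), label in classify_flows(text).items():
        counts[dport][label] += 1
    return {port: dict(labels) for port, labels in counts.items()}


if __name__ == "__main__":
    for key, label in classify_flows(SAMPLE_LOG).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {label}")
    print(summarize(SAMPLE_LOG))
```

Run it against a tab-separated export with the same column order (or adjust COLUMNS). Flows labelled allowed_then_killed on port 443 only, with ordinary HTTP flows completing, point at something on the ISA host handling 443 after the rule match, which is where the rule set's protocol definition and its application filters deserve a look.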
RE: Can access HTTPS (SSL) sites from internal network - 10.Aug.2007 2:04:08 PM   
artemgassan
I also went to see which services are running:
HTTP SSL is running
World Wide Web is running

I opened IIS and looked at all the sites running on the firewall server and which ports they are using:

Default Web Site Port: 8088
Microsoft SharePoint Admin: 2257
None of them uses port 443

(in reply to artemgassan)
Post #: 9
RE: Can access HTTPS (SSL) sites from internal network - 10.Aug.2007 2:06:50 PM   
artemgassan
Please advise if I have to do anything that Microsoft shows:
http://support.microsoft.com/kb/283284

' KB 283284 script: add a tunnel port range so Web Proxy clients may tunnel SSL to port 9443
set isa=CreateObject("FPC.Root")
set tprange=isa.Arrays.GetContainingArray.ArrayPolicy.WebProxy.TunnelPortRanges
' AddRange(name, low port, high port); a single port uses the same value for both
set tmp=tprange.AddRange("SSL 9443", 9443, 9443)
tprange.Save

(in reply to artemgassan)
Post #: 10
RE: Can access HTTPS (SSL) sites from internal network - 10.Aug.2007 9:28:29 PM   
jmilito
Ahhhh... But of course. You need to tunnel ports. You can find a number of tools out there but one location for them is:

http://isatools.org/tools.asp?Context=ISA2004


(in reply to artemgassan)
Post #: 11
RE: Can access HTTPS (SSL) sites from internal network - 11.Aug.2007 9:54:34 PM   
Rotorblade

 

Posts: 1348
Joined: 27.Feb.2007
Status: offline
quote:
Here is the error message I am getting for a VPN user:
Denied Connection Phobos 8/10/2007 12:47:42 PM Log type: Firewall service Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer. Rule: Source: VPN Clients ( 192.168.10.19:4607) Destination: External ( 72.21.203.1:443) Protocol: HTTPS
Here is the error message I am getting from a server behind the firewall:
Denied Connection Phobos 8/10/2007 12:50:33 PM Log type: Firewall service Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer. Rule: Source: Internal ( 192.168.20.15:3885) Destination: External ( 72.21.206.5:443) Protocol: HTTPS

Are you running Windows Server 2003 Service Pack 2? Take a look at the reference below. See item #3, the RSS issue when Windows Server 2003 SP2 is applied on a server running ISA.

http://blogs.technet.com/isablog/archive/2007/03/27/isa-server-and-windows-server-2003-service-pack-2.aspx


HTH
RB

(in reply to jmilito)
Post #: 12
RE: Can access HTTPS (SSL) sites from internal network - 11.Aug.2007 10:11:03 PM   
Rotorblade
quote:
Default Web Site Port: 8088
Microsoft SharePoint Admin: 2257
None of them uses port 443

BTW: If you're running IIS on the ISA server, (which you should not be)  you also need to change IIS to use another port # other than 443. ISA will not be able to bind to it if you don't.

RB

(in reply to Rotorblade)
Post #: 13
RE: Can access HTTPS (SSL) sites from internal network - 13.Aug.2007 12:19:29 AM   
artemgassan
Thank you guys for all your help.

Today I performed the following:
   1. Uninstalled IIS
      a) I no longer have the World Wide Web Publishing Service
      b) I no longer have the IIS Admin Service
      c) The FTP Publishing Service is also not there
      d) The HTTP SSL service is still there but not running (Startup Type = Manual)
   After I removed IIS I restarted the firewall server.
   Opened a browser and tried to hit https://www.amazon.com and https://www.yahoo.com; no luck, same problem.
   I tried it on the firewall server as well as on an internal server; no luck there either.

Then I downloaded the ISA Server 2004 Tunnel Port Editor (ISAtrpe) and it shows me the following tunnels:
   1. FMS2             Low (1935) High (1935)
   2. MDaemon          Low (3000) High (3000)
   3. MDaemon Admin    Low (1000) High (1000)
   4. NNTP             Low (563)  High (563)
   5. SSL              Low (443)  High (433)
So far I see the SSL port there.

After that I tried the following:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;927695

No help either.


(in reply to Rotorblade)
Post #: 14
RE: Can access HTTPS (SSL) sites from internal network - 13.Aug.2007 9:36:34 AM   
jmilito
You should be able to get to both those websites without tunneling ports.  By default ISA blocks all...  Do you have a rule allowing HTTPS for your internal clients?

(in reply to artemgassan)
Post #: 15
RE: Can access HTTPS (SSL) sites from internal network - 13.Aug.2007 10:32:09 AM   
artemgassan
Thank you for your reply.
Yes I do.

OK, I found what was wrong. Not sure how it happened but here it is:
As you asked, I checked my Access Rule for HTTPS requests.
I went in and started checking my FROM traffic and TO traffic and PROTOCOLS tabs; everything looks fine.
Then I looked at the PROTOCOLS tab, clicked on the protocol name "HTTPS" and then the "EDIT" button. On the "PARAMETERS" tab I looked at Application Filters, and "Web Proxy Filter" was selected. As soon as I deselected it and committed my changes, all HTTPS sites became accessible for me.

Can you describe whether this filter should be applied to the HTTPS protocol (in my scenario I guess not) and whether I need this filter set for the HTTP protocol?

Best Regards.
Artem

(in reply to jmilito)
Post #: 16
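The thread diagnosed this from the ISA log; the same failure also has a recognisable shape from the client side, and a quick probe from an internal SecureNAT host is a cheap way to confirm a rule or filter change before users do. The script below is an added example for this thread, not code from the poster or from ISA Server. It opens TCP to host:443 and attempts a TLS handshake, then reports whether the connect was refused, timed out, was accepted and then reset before the handshake finished (the client-side face of the Initiated/Closed pair above), or completed. The result labels are this example's own names, and start_reset_server is a loopback stand-in constructed for the example so the probe can be exercised offline; against a real site you would run it with the hostname on the command line.

```python
"""Client-side HTTPS reachability probe. Added example for this thread, not
code from the thread or from ISA Server. Result labels are this example's own.
"""
import socket
import ssl
import struct
import sys
import threading


def probe_https(host, port=443, timeout=5.0, server_hostname=None):
    """Return 'refused', 'timeout', 'reset_after_connect', 'tls_error' or 'tls_ok'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"                # RST to the SYN: nothing listening or active reject
    except socket.timeout:
        return "timeout"                # SYN silently dropped (a policy deny looks like this)
    except OSError as exc:
        return f"connect_error:{exc.errno}"

    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # diagnostic only: we test the handshake, not the cert
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(sock, server_hostname=server_hostname)  # handshake happens here
        tls.close()
        return "tls_ok"
    except (ConnectionResetError, ConnectionAbortedError, BrokenPipeError, ssl.SSLEOFError):
        # TCP came up (ISA would log Initiated Connection) and was then torn
        # down before a ServerHello arrived: the client-side view of a
        # connection that the firewall killed after the rule match.
        return "reset_after_connect"
    except socket.timeout:
        return "timeout_after_connect"  # TCP up, but the ClientHello went unanswered
    except ssl.SSLError:
        return "tls_error"              # peer answered, but not with a TLS handshake
    finally:
        sock.close()


def start_reset_server():
    """Loopback stand-in (constructed for this example) for an endpoint that
    accepts TCP and then resets the session before the TLS handshake completes.
    Returns the port it listens on; the server thread exits after 10 s idle."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        srv.settimeout(10)
        try:
            while True:
                conn, _ = srv.accept()
                conn.settimeout(2)
                try:
                    conn.recv(16)       # wait for the ClientHello to arrive
                except OSError:
                    pass
                # SO_LINGER with a zero timeout makes close() send RST instead of FIN
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
                conn.close()
        except socket.timeout:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_loopback_port():
    """Pick a loopback port nothing is listening on (for the offline demo)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]              # e.g. www.amazon.com, run from an internal host
        print(host, probe_https(host, server_hostname=host))
    else:
        print("reset stand-in:", probe_https("127.0.0.1", start_reset_server()))
        print("closed port:   ", probe_https("127.0.0.1", unused_loopback_port()))
```

Read the result together with the ISA log: "timeout" with a Denied Connection and a rule name means policy; "reset_after_connect" with an Initiated Connection followed by a Closed Connection carrying FWX_E_CONNECTION_KILLED means the rule allowed the traffic and something on the ISA host handled the session afterwards, which is the pattern this thread ended on.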
