Posts: 17
Joined: 18.Nov.2006
From: West Palm Beach, FL
Status: offline
Can some one guide me to right direction?
I am having a problem with accessing secure sites from my co-location center (internal network). None of my servers can access SSL sites. Example: https://www.amazon.com.
I have a couple of SSL rules set up on my firewall and they work just fine. People can access ALL SSL sites outside of the firewall (protected) network. I am using a Web Server Publishing Rule (HTTPS Rule). I can access all sites that are running on my servers using the https protocol only from the firewall; all servers that are behind the firewall can't access either internal or external SSL sites.
Please advise what kind of rule I have to create in order to access https://www.amazon.com or any external SSL sites.
Here are my technical characteristics:
1. Firewall Server: Microsoft Firewall 2004 running on Windows 2003 Enterprise Edition. Service Pack installed for Windows 2003. Service Pack installed for ISA Server 2004. No ISA firewall client running on it.
2. Web Servers that are behind the firewall, all using internal IP addresses. Windows 2003 Enterprise Edition, Service Pack installed. No ISA firewall client running on them.
P.S. Since I could not find any help online I got the book Dr. Tom Shinder's Configuring ISA Server 2004. Maybe show me the page number where I can get help with solving this problem.
Posts: 17
Joined: 18.Nov.2006
From: West Palm Beach, FL
Status: offline
I have an Access Rule called "Private Traffic". From: Internal, Local Host, VPN Clients. To: External, Internal, Local Host, VPN Clients. Protocol: All outbound traffic.
It is order number 3 in the Firewall Policy. I also tried to enable an ALLOW ALL ACCESS RULE (Protocol: All Outbound Traffic; From: All Networks (and Local Host); To: All Networks (and Local Host)). Doesn't work either.
Here is the error message I am getting for a VPN user:
Denied Connection Phobos 8/10/2007 12:47:42 PM
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer.
Rule:
Source: VPN Clients (192.168.10.19:4607)
Destination: External (72.21.203.1:443)
Protocol: HTTPS
Here is the error message I am getting from a server that is behind the firewall:
Denied Connection Phobos 8/10/2007 12:50:33 PM
Log type: Firewall service
Status: A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer.
Rule:
Source: Internal (192.168.20.15:3885)
Destination: External (72.21.206.5:443)
Protocol: HTTPS
Every time I hit an SSL site like https://www.amazon.com I get 3 records:
1st record: Action: Initiated Connection; Rule: Private Traffic; Protocol: HTTPS; Destination Port: 443; Source Network: Internal; Destination Network: External
2nd record: Action: Closed Connection; Rule: Private Traffic; Protocol: HTTPS; Destination Port: 443; Source Network: Internal; Destination Network: External
3rd record: Action: Denied Connection; Rule: Private Traffic; Protocol: HTTPS; Destination Port: 443; Source Network: Internal; Destination Network: External
Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline
Are you by chance using Firefox? Of course this was not through VPN. That adds another little wrench into the works. Anyway, I created an exception rule for caching...cleared the cache...and the site now works just fine. The Firefox users are happy now.
< Message edited by jmilito -- 10.Aug.2007 1:15:32 PM >
Posts: 17
Joined: 18.Nov.2006
From: West Palm Beach, FL
Status: offline
I am using Internet Explorer 7 on all my servers that are behind the firewall. I just cleared all my cache, cookies, history and add-ons. Closed the browser. Opened it again and still the same issue.
Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline
The exception rule was created on the ISA server's cache configuration. However, I think you have another beast at work here because it works fine in my IE 7 with ISA 2004 configuration. I think ianfermo is right... Check your access rules. Pg 509 in my book version. Create an all-open rule for a TEST workstation/server IP, place it near the top of your custom rules, and see if this fixes your issue. If it does, you definitely need to re-evaluate your rule set.
Posts: 17
Joined: 18.Nov.2006
From: West Palm Beach, FL
Status: offline
Thank you for your reply.
Ok, I created a new Access Rule and placed this rule before any other rules.
Access Rule Name: TEST
Action: Allow
Protocol: All outbound traffic
From: I added 2 address ranges
1. Private network (192.168.20.0-192.168.20.255)
2. Public network (208.68.xxx.xxx-208.68.xxx.xxx)
To:
1. Private network (192.168.20.0-192.168.20.255)
2. Public network (208.68.xxx.xxx-208.68.xxx.xxx)
3. External
Opened IE 7 on my Windows 2003 server that has IP address 192.168.20.15/16. Typed https://www.amazon.com in the browser; it did not work.
So I went and ran logging to see the request and which rule the firewall was using. And it was using:
192.168.20.15 Phobos - TCP - - 4330 0 0 0 0x0 0x0 0x0 Firewall 8/10/2007 1:44:27 PM 72.21.210.11 443 HTTPS Initiated Connection TEST 192.168.20.15 Internal External - -
192.168.20.15 Phobos - TCP - - 4330 0 0 4213 0x80074e24 FWX_E_CONNECTION_KILLED 0x0 0x0 Firewall 8/10/2007 1:44:27 PM 72.21.210.11 443 HTTPS Closed Connection TEST 192.168.20.15 Internal External - -
192.168.20.15 Phobos - TCP - - 4330 0 0 0 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED 0x0 0x0 Firewall 8/10/2007 1:44:29 PM 72.21.210.11 443 HTTPS Denied Connection 192.168.20.15 Internal External - -
The request error that I get is FWX_E_TCP_NOT_SYN_PACKET_DROPPED.
I also looked at my cache rules. All I have is the default rule from ISA. Name: Last Default rule. To: All Networks (and Local Host). HTTP tab: not checked (Enable HTTP caching). FTP tab: not checked (Enable FTP caching).
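As an added illustration (not code from this thread or from ISA Server), here is a small Python script that correlates firewall-log records by client and destination pair and flags HTTPS flows showing the sequence quoted above: Initiated Connection, then Closed Connection with FWX_E_CONNECTION_KILLED, then Denied Connection with FWX_E_TCP_NOT_SYN_PACKET_DROPPED. The sample records and their '|'-separated layout are constructed for the example and are not a real ISA export format.

```python
"""Correlate ISA 2004 firewall-log records per flow and flag the
Initiated -> Closed (CONNECTION_KILLED) -> Denied (NOT_SYN) triplet."""
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the thread's records (not a real ISA export).
# Fields: time | client ip:port | destination ip:port | protocol | action | rule | result
SAMPLE_LOG = """\
8/10/2007 1:44:27 PM|192.168.20.15:4330|72.21.210.11:443|HTTPS|Initiated Connection|TEST|0x0
8/10/2007 1:44:27 PM|192.168.20.15:4330|72.21.210.11:443|HTTPS|Closed Connection|TEST|0x80074e24 FWX_E_CONNECTION_KILLED
8/10/2007 1:44:29 PM|192.168.20.15:4330|72.21.210.11:443|HTTPS|Denied Connection|-|0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
8/10/2007 1:45:02 PM|192.168.20.15:4331|72.21.210.11:80|HTTP|Initiated Connection|TEST|0x0
8/10/2007 1:45:05 PM|192.168.20.15:4331|72.21.210.11:80|HTTP|Closed Connection|TEST|0x0
"""

KILLED = "FWX_E_CONNECTION_KILLED"
NOT_SYN = "FWX_E_TCP_NOT_SYN_PACKET_DROPPED"


def parse_records(text):
    """Yield one dict per non-empty '|'-separated record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, action, rule, result = line.split("|")
        yield {
            "time": datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p"),
            "flow": (src, dst),  # client ip:port -> destination ip:port
            "proto": proto,
            "action": action,
            "rule": rule,
            # keep only the symbolic name, e.g. "FWX_E_CONNECTION_KILLED"
            "result": result.split(" ", 1)[1] if " " in result else "",
        }


def find_killed_https_flows(text, max_gap_seconds=10):
    """Return HTTPS flows where ISA allowed the connection, killed it itself,
    then dropped the client's follow-up packets as non-SYN within the window."""
    flows = defaultdict(list)
    for rec in parse_records(text):
        flows[rec["flow"]].append(rec)
    hits = []
    for (client, dest), evs in flows.items():
        evs.sort(key=lambda r: r["time"])
        seen = {(r["action"], r["result"]) for r in evs}
        span = (evs[-1]["time"] - evs[0]["time"]).total_seconds()
        if (evs[0]["proto"] == "HTTPS" and span <= max_gap_seconds
                and ("Initiated Connection", "") in seen
                and ("Closed Connection", KILLED) in seen
                and ("Denied Connection", NOT_SYN) in seen):
            hits.append({"client": client, "destination": dest, "rule": evs[0]["rule"]})
    return hits
```

In this thread the flagged pattern went away once the Web Proxy Filter was removed from the HTTPS protocol definition, so a hit is a pointer to check that protocol's application filters rather than the access rule order.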
' Connect to the ISA Server administration COM object
set isa=CreateObject("FPC.Root")
' Get the tunnel port ranges of the array this computer belongs to
set tprange=isa.Arrays.GetContainingArray.ArrayPolicy.WebProxy.TunnelPortRanges
' Add a tunnel port range named "SSL 9443" that covers port 9443 only
set tmp=tprange.AddRange("SSL 9443", 9443, 9443)
' Commit the change to the ISA configuration
tprange.Save
Are you running Windows Server 2003 Service Pack 2? Take a look at this ref. below. See item #3, the RSS issue when Windows Server 2003 SP2 is applied on a server running ISA.
Default Web Site Port: 8088. Microsoft SharePoint Admin: 2257. None of them uses port 443.
BTW: If you're running IIS on the ISA server, (which you should not be) you also need to change IIS to use another port # other than 443. ISA will not be able to bind to it if you don't.
Posts: 17
Joined: 18.Nov.2006
From: West Palm Beach, FL
Status: offline
Thank you guys for all your help.
Today I performed the following:
1. Uninstalled IIS
a) I no longer have the World Wide Web Publishing Service
b) I no longer have the IIS Admin Service
c) The FTP Publishing Service is also not there
d) The HTTP SSL service is still there but not running (Startup Type = Manual)
After I removed IIS I restarted the firewall server. Opened the browser and tried to hit https://www.amazon.com and https://www.yahoo.com; no luck, same problem. I tried doing it on the firewall server as well as on an internal server; no luck either.
Then I downloaded the ISA Server 2004 Tunnel Port Editor (ISAtrpe) and it shows me the following tunnels:
1. FMS2 Low (1935) High (1935)
2. MDaemon Low (3000) High (3000)
3. MDaemon Admin Low (1000) High (1000)
4. NNTP Low (563) High (563)
5. SSL Low (443) High (433)
So far I see the SSL port there.
Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline
You should be able to get to both those websites without tunneling ports. By default ISA blocks all... Do you have a rule allowing HTTPS for your internal clients?
Posts: 17
Joined: 18.Nov.2006
From: West Palm Beach, FL
Status: offline
Thank you for your reply. Yes I do.
Ok, I found what was wrong. Not sure how it happened, but here it is: As you asked, I checked my Access Rule for HTTPS requests. I went in and started checking my FROM traffic and TO traffic and PROTOCOLS tabs; everything looked fine. Then I looked at the PROTOCOLS tab, clicked on the protocol name "HTTPS" and then the "EDIT" button. On the "PARAMETERS" tab I looked at Application Filters and "Web Proxy Filter" was selected. As soon as I deselected it and committed my changes, all HTTPS sites became accessible for me.
Can you describe whether this filter should be applied to the HTTPS protocol (in my scenario I guess not) and whether I need this filter set for the HTTP protocol?