Hello, I am brand new to ISA and have just (with significant help from a friend) set up my network. This is a home network (details below) with what I would consider a fairly simple configuration, and for the most part it works (I'm writing this from the network now). I appear to have a problem with https though. I am unable to connect to any sites using https. If I start the default query in ISA's monitor I see that https initiates the connection with result code 0x0 ERROR_SUCCESS, but roughly 5 seconds later I get result code 0xC0040038 FWX_E_TCP_NO_SERVER_REPLY. There are also a slew of FWX_E_GRACEFUL_SHUTDOWN for various protocols, but I assume these are informational and not really indicative of a problem. Anyway, details that may help...
Architecture:
- Cisco 678 DSL modem, in bridged mode - Qwest DSL service
- ISA box:
  - Win2K3 Enterprise
  - ISA 2006 Enterprise
  - Using PPPoE to authenticate to Qwest on the outside NIC (currently receiving a DHCP addy, but I'll be switching to static in the next couple of days)
  - Inside NIC has a 10.0.x.x addy and no gateway or DNS info
  - DNS service is on, with forwarding to Qwest's DNS servers
  - DHCP is on, handing out 10.0.x.x addys internally
- NetGear RangeMax router inbound of the ISA box
- Vista machine physically wired to the NetGear switch, with a 10.0.x.x addy and the ISA internal NIC as its gateway and DNS
ISA Firewall Policy (in order):
- allow PPTP from external/internal to localhost (haven't tested this yet, but eventually I want to VPN in; one thing at a time though)
- allow DNS from internal/localhost to all networks
- allow DHCP reply from localhost to all networks
- allow DHCP request from internal to localhost
- allow RDP from internal to localhost (remote to administer this box headless)
- allow ping from internal and localhost to all networks
- allow all outbound from internal and localhost to external and internal
- deny all traffic from all networks to all networks
So, being completely new to this, where should I start my search? All help is appreciated. I'm not sure what additional details you need to assist me, but I'm happy to provide them if you ask. Thanks!
I did not see a rule allowing access to http/https. Are you using webproxy or secureNAT?
Thank you for the suggestion Paulo. I added a rule specifically for HTTPS after my previous post thinking that maybe the outbound traffic rule wasn't sufficient but that didn't do it either. Since then I have decided to dump ISA altogether. I really wasn't using much from it (just masquerading and VPN) and it wasn't working anyway so I am now just using a hardware router that supports masquerading and PPTP passthrough and letting one of my workstations authenticate VPN clients. Much simpler setup as I don't need 10% of what ISA can do.
Yeah, me too. I'm also facing the same problem. My environment is W2K 2008 R2, Forefront TMG 2010. Mine is also working well on everything except https: users get a page request timeout when they try to access an https website through Forefront. Meanwhile, they are using the Auto Proxy setting in their browser. But it's working well when they put my Forefront IP and port in their browser proxy server address. I want to use my Forefront as a transparent proxy server and cannot use it so far because of this error, FWX_E_TCP_NO_SERVER_REPLY.
It's working well if I use TMG as NAT. When I test the connection from Traffic Simulator, the result is shown as "Allowed traffic. Traffic allowed by firewall policy rules may be blocked by Web or Application filters." I disabled the https inspection and the other http/https-related application/web filters, but still face the problem.
Sometimes it works for a few seconds when I change some settings in the firewall policy and apply the changes.
Yeah, the route is working well. That's why I can access any website except https. For example, I can access http://www.google.com, but I can't access https://www.google.com if I use TMG as my proxy. It's working well if I use TMG as my NAT and put the ISP-provided proxy in my internet browser.
This has nothing to do with allowing or denying traffic. TMG did not receive a response from the server. You must check whether the routing path is configured correctly...
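The triage the last reply points at can be checked mechanically: a 0x0 ERROR_SUCCESS followed a few seconds later by 0xC0040038 FWX_E_TCP_NO_SERVER_REPLY for the same client/destination/port means a firewall rule matched and the connection was allowed, and the failure is the path to the server (routing, upstream, or the server itself), not the policy. The Python script below is an added example, not code from the thread or from Microsoft. It parses constructed log lines in a simplified format that is not the real ISA/TMG W3C log layout; the IPs (RFC 5737 documentation ranges), timestamps and rule names are made up, and only the three result codes named in the thread are interpreted.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a simplified format (NOT the real ISA/TMG
# W3C log layout): date time client-ip dest-ip:port protocol result "rule"
SAMPLE_LOG = """\
2009-03-01 10:00:01 10.0.1.20 203.0.113.10:80 HTTP ERROR_SUCCESS "Allow all outbound"
2009-03-01 10:00:02 10.0.1.20 203.0.113.10:443 HTTPS ERROR_SUCCESS "Allow all outbound"
2009-03-01 10:00:07 10.0.1.20 203.0.113.10:443 HTTPS FWX_E_TCP_NO_SERVER_REPLY "Allow all outbound"
2009-03-01 10:00:09 10.0.1.20 203.0.113.10:80 HTTP FWX_E_GRACEFUL_SHUTDOWN "Allow all outbound"
2009-03-01 10:00:12 10.0.1.20 10.0.1.1:53 DNS ERROR_SUCCESS "Allow DNS"
2009-03-01 10:00:15 10.0.1.20 198.51.100.7:443 HTTPS ERROR_SUCCESS "Allow all outbound"
2009-03-01 10:00:20 10.0.1.20 198.51.100.7:443 HTTPS FWX_E_TCP_NO_SERVER_REPLY "Allow all outbound"
"""

LINE_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<dest>[^:\s]+):(?P<port>\d+) '
    r'(?P<proto>\S+) (?P<result>\S+) "(?P<rule>[^"]*)"$'
)

# How each result code mentioned in the thread should be read:
#   ERROR_SUCCESS             -> a rule matched and the connection was allowed
#   FWX_E_TCP_NO_SERVER_REPLY -> allowed, but the server never answered the SYN
#   FWX_E_GRACEFUL_SHUTDOWN   -> normal connection close, informational only
CLASSES = {
    "ERROR_SUCCESS": "allowed",
    "FWX_E_TCP_NO_SERVER_REPLY": "no_server_reply",
    "FWX_E_GRACEFUL_SHUTDOWN": "informational",
}


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["port"] = int(entry["port"])
    entry["class"] = CLASSES.get(entry["result"], "unknown")
    return entry


def entries(log_text):
    return [e for e in map(parse_line, log_text.splitlines()) if e]


def failed_after_allow(log_text):
    """For every FWX_E_TCP_NO_SERVER_REPLY, find the preceding ERROR_SUCCESS for the
    same client/destination/port and report (dest, port, seconds between them).
    A consistent 'allowed, then no reply' pair means the policy matched and the
    problem lies between the firewall and the server."""
    last_allow = {}
    pairs = []
    for e in entries(log_text):
        key = (e["client"], e["dest"], e["port"])
        ts = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
        if e["class"] == "allowed":
            last_allow[key] = ts
        elif e["class"] == "no_server_reply" and key in last_allow:
            pairs.append((e["dest"], e["port"], (ts - last_allow[key]).seconds))
    return pairs


def triage(log_text):
    """Return (per-port class counts, per-port finding). A port whose allowed
    connections all end in no_server_reply is flagged as a path problem."""
    per_port = defaultdict(lambda: defaultdict(int))
    for e in entries(log_text):
        per_port[e["port"]][e["class"]] += 1
    findings = {}
    for port, c in per_port.items():
        if c["no_server_reply"] and c["no_server_reply"] >= c["allowed"]:
            findings[port] = ("allowed by policy but no reply from any server: "
                              "check the routing/upstream path, not the rules")
        elif c["allowed"]:
            findings[port] = "ok"
    return {p: dict(c) for p, c in per_port.items()}, findings


if __name__ == "__main__":
    counts, findings = triage(SAMPLE_LOG)
    for port in sorted(findings):
        print(f"port {port}: {counts[port]} -> {findings[port]}")
    for dest, port, secs in failed_after_allow(SAMPLE_LOG):
        print(f"{dest}:{port} allowed, then no server reply after {secs}s")
```

On the constructed sample, port 80 and port 53 come out "ok" while port 443 is flagged, which is the pattern both posters describe: only HTTPS fails, and each failure follows an allowed connection by about five seconds. That pattern rules out the rule base and points the investigation at what sits between the firewall's external interface and the destination.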