Firewall denying port 443 traffic


lcsgeek -> Firewall denying port 443 traffic (18.Jun.2008 3:11:30 PM)

I've written an access rule with the following:

Allow
All Outbound Traffic
From: my own custom list of private IPs
To: External and Perimeter
Condition: All Users

This rule is the first one on my Policy listing.

I have a user whose IP address is in the 'From' field and she is running a POS application which tries to authorize credit cards via g1.merchantlink.com:443.  However, while doing a monitor I keep getting this denial (see: http://www.lenawee.org/isaError.jpg ).  Any one of my users (even those outside the Unrestricted Rule mentioned above) can visit https websites.  It seems to me that this application shouldn't be treated any differently than a regular SSL connection.

One other note: I am requiring user authentication on the Private Network interface.  Furthermore, I have the firewall client installed on the POS computer.  My understanding is that the firewall client should take care of all authentication issues between the workstations on the LAN and their corresponding ISA Network interface.

I'm open to all suggestions.

Thanks
Darin




tshinder -> RE: Firewall denying port 443 traffic (23.Jun.2008 8:18:00 AM)

What is the source and destination address that is being denied?

Tom




lcsgeek -> RE: Firewall denying port 443 traffic (23.Jun.2008 8:49:09 AM)

The source IP is 10.0.0.221 and the destination IP is whatever g1.merchantlink.com resolves to.  Like I stated before this particular private IP is hardcoded into the From field of the policy.




tshinder -> RE: Firewall denying port 443 traffic (23.Jun.2008 9:57:49 AM)

Is 10.0.0.1 the ISA firewall?

Tom




lcsgeek -> RE: Firewall denying port 443 traffic (23.Jun.2008 11:49:52 AM)

Sorry I didn't give you that piece of info before, but yes it is.

Something I've just tried:
I unchecked "Require all users to authenticate" and now the app works.

I had this checkbox checked to mandate an AD account in order to browse.  Plus I want to log where our students are visiting.




tshinder -> RE: Firewall denying port 443 traffic (24.Jun.2008 9:31:08 AM)

OK, that makes sense. If the app can't be configured with Web Proxy settings, then auth may fail.

You can configure a rule that allows users to reach that site anonymously.

HTH,
Tom




lcsgeek -> RE: Firewall denying port 443 traffic (24.Jun.2008 2:31:19 PM)

quote:

You can configure a rule that allows users to reach that site anonymously.

Please describe.




tshinder -> RE: Firewall denying port 443 traffic (25.Jun.2008 11:18:18 AM)

Create a rule that allows access to the site that the app needs to get to. Allow access on the rule for "All Users".

HTH,
Tom




lcsgeek -> RE: Firewall denying port 443 traffic (26.Jun.2008 1:18:47 PM)

Very well, I think I was overcomplicating things.

Thank you Tom, I really appreciate the time and effort you put into helping all of us.  I have no idea what motivates you.




tshinder -> RE: Firewall denying port 443 traffic (27.Jun.2008 8:57:22 AM)

Hi LCS,

I do this for fun! I also learn a lot from the issues that others have with the ISA firewall, so you and others are doing me a great service!

Good to hear you got things working and thanks for the follow-up!

Tom



