OK, I have an issue with ISA 2006 and an internal web server on a non-standard port.
We have a web server with an OEM-supplied application that runs a Tomcat web service and requires internal clients to connect via https on port 8443. This is all internal private IP addresses, and doesn't leave the local segment. Using the ISA 2006 as a proxy server (clients are configured to use the proxy server via IE settings), attempting to go to this site yields an error message: "Error Code: 502 Proxy Error. The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests. (12204)"
I tried a Firewall Policy rule to Allow Internal to Internal on all HTTP and HTTPS traffic, and a rule to Allow Selected Protocol (HTTPS) from All Networks to Internal. No effect.
I've read up on extending the tunnel range using the Tunnel Range Editor (http://forums.isaserver.org/m_2002068112/mpage_1/tm.htm) and have downloaded, installed and run the ISAtrpe GUI editor. I added a port range from 8443 to 8443 in the GUI interface, and it shows up. I have restarted the ISA service and even rebooted. I cannot get to the server via port 8443. If I check the box on the IE client "Bypass proxy server for local addresses", then I can get there. Obviously I have a workaround, but I'd like to understand what's configured wrong and whether there's a configuration workaround instead.
Any help/insight would be greatly appreciated.
Thanks, Chris
Windows Server 2003 SP2, ISA 2006 SP1, Single NIC - Edge mode, Proxy and web cache only, Private IP address range
You don't have a work-around, you have a proper, working solution. ISA generally is not used to access internal sites, so clicking the "Bypass Proxy for Internal Sites" is the correct thing to do. If you publish WPAD for auto-configuration, you can define a similar setting there and have it handed out to all workstations.
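As an added illustration of the WPAD approach gbarnas describes (example code, not from anyone in this thread): a PAC script that hands out the "bypass proxy for local addresses" behaviour centrally, sending plain hostnames and RFC 1918 addresses DIRECT and everything else through ISA. The proxy name isa.example.local:8080 is an assumed placeholder.

```javascript
// Added example (not from this thread): a WPAD/PAC script implementing
// "bypass proxy server for local addresses" for every client at once.
// Only plain JavaScript is used (no isInNet/dnsDomainIs PAC helpers) so the
// same function runs unchanged in a browser PAC engine and in Node for testing.
// 'var' rather than let/const keeps it valid for older IE JScript PAC engines.
// Assumed placeholder proxy: isa.example.local on port 8080.

var ISA_PROXY = "PROXY isa.example.local:8080";

// RFC 1918 private ranges; the internal Tomcat server on port 8443 lives here.
var PRIVATE_HOST = /^(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})$/;

function isLocalAddress(host) {
  // A plain hostname with no dots is what IE treats as a "local address".
  if (host.indexOf(".") === -1) return true;
  // Loopback never needs the proxy either.
  if (host === "127.0.0.1" || host === "localhost") return true;
  // Literal private IPs go direct; the ISA tunnel-port check is never hit.
  return PRIVATE_HOST.test(host);
}

// PAC entry point: the engine passes the hostname (no port) as 'host'.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isLocalAddress(host)) {
    return "DIRECT"; // e.g. https://10.0.0.5:8443/ bypasses ISA, so no error 12204
  }
  // No "; DIRECT" fallback: a silent direct fallback would bypass the proxy
  // policy whenever ISA is unreachable.
  return ISA_PROXY;
}
```

Serve the file as wpad.dat from a host named wpad in the clients' DNS domain (or point IE's "Use automatic configuration script" at it) and the bypass applies to all workstations without per-client IE settings.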
gbarnas, thanks for the reply. Guess I hadn't thought of it that way. So, with the "bypass proxy for internal sites" checked, I can ditch the 2 non-working "SSL rules" I set up earlier also.
On ISA Server 2006 you can just make a new common protocol that allows only TCP port 8443 outbound and add it to the access rule the users are using. I have just tested it and it worked fine.