
Custom SSL port in ISA.

Custom SSL port in ISA. - 27.Apr.2009 6:43:04 PM   
jdmils

 

Posts: 94
Joined: 25.Jan.2006
Status: offline
I have a request from a user to allow access to the web site:

http://www.oceancentrehotel.com.au/

Which is OK so far. But when the user clicks the "Check Rates" button, they are redirected to:

https://reservations.oceancentrehotel.com.au:7002/listRoomTypes.do?action=Select&propertyCode=AUS099&inDate=04/29/2009&outDate=04/30/2009&adults=1&children=0&rooms=1&cid=102208000212

As you can see, it tries to connect SSL to port 7002, resulting in this error msg:

Error Code: 502 Proxy Error. The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests. (12204)

I then went to "http://www.isaserver.org/articles/2004tunnelportrange.html" and using the "isa_tpr.js" util, created the SSL port 7002 but it does not work. Now, when I try to access the SSL address above, I get the error:

Error Code: 504 Proxy Timeout. The connection timed out. (10060)

When I rerun the "isa_tpr.js" util, I get:

* This is your current Tunnel Port Range list:
* HTTPS_Custom (single port): 7002
* NNTP (single port): 563
* SSL (single port): 443

So it seems to have worked, however, I can NOT see this custom protocol in the ISA gui. What can I do next?

ISA Server 2006 on Windows 2003 Server.

_____________________________

|
+-- JDMils
|
+-- Windows 2003 Server DC
+-- Windows 2003 Server hosting ISA 2006 Stnd SP2
|
Post #: 1
RE: Custom SSL port in ISA. - 27.Apr.2009 6:51:16 PM   
jdmils

 

Posts: 94
Joined: 25.Jan.2006
Status: offline
Here are the error logs:

Original Client IP    Client Agent    Authenticated Client    Service    Server Name    Referring Server    Destination Host Name    Transport    MIME Type    Object Source    Source Proxy    Destination Proxy    Bidirectional    Client Host Name    Filter Information    Network Interface    Raw IP Header    Raw Payload    GMT Log Time    Source Port    Processing Time    Bytes Sent    Bytes Received    Result Code    HTTP Status Code    Cache Information    Error Information    Log Record Type    Authentication Server    Log Time    Destination IP    Destination Port    Protocol    Action    Rule    Client IP    Client Username    Source Network    Destination Network    HTTP Method    URL
0.0.0.0    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322)    Yes    Proxy    CLA-ISA        reservations.oceancentrehotel.com.au    TCP        Internet    -    -        -    Req ID: 0fcb6892; Compression: client=No, server=No, compress rate=0% decompress rate=0%    -    -    -    27/04/2009 10:48:42 PM    0    0    851    0        10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.     0x0    0x40    Web Proxy Filter        28/04/2009 8:48:42 AM    121.213.253.182    7002    SSL-tunnel    Failed Connection Attempt    HTTP/HTTPS Users Group    10.3.17.241    SCL\jmilano    Internal    External        reservations.oceancentrehotel.com.au:7002

Details:

Failed Connection Attempt CLA-ISA 28/04/2009 8:48:42 AM Log type: Web Proxy (Forward)
Status:
10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Rule:
HTTP/HTTPS Users Group
Source:
Internal (10.3.17.241)
Destination:
External (121.213.253.182:7002)
Request:
reservations.oceancentrehotel.com.au:7002
Filter information:
Req ID: 0fcb6892; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol:
SSL-tunnel
User:
SCL\jmilano
Additional information
Client agent:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322)
Object source:
Internet (Source is the Internet. Object was added to the cache.)
Cache info:
0x0
Processing time:
0 ms
MIME type:


Thanks for helping!

< Message edited by jdmils -- 27.Apr.2009 6:52:34 PM >


_____________________________

|
+-- JDMils
|
+-- Windows 2003 Server DC
+-- Windows 2003 Server hosting ISA 2006 Stnd SP2
|

(in reply to jdmils)
Post #: 2
RE: Custom SSL port in ISA. - 28.Apr.2009 6:32:44 AM   
mahmovic

 

Posts: 11
Joined: 6.May2008
Status: offline
Try using MS FW Client...

Regards....

(in reply to jdmils)
Post #: 3
RE: Custom SSL port in ISA. - 28.Apr.2009 1:11:04 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

have you allowed the 7002 port on ISA firewall access rules?

Regards,
Paulo Oliveira.

(in reply to mahmovic)
Post #: 4
RE: Custom SSL port in ISA. - 29.Apr.2009 12:53:43 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
If your clients are web proxy clients, all that should be required is to configure the SSL tunnel port on the ISA firewall using the script as you have done.  If your clients are SecureNAT clients you will need to create a custom protocol for TCP port 7002 and add that to your access rule.

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to jdmils)
Post #: 5
RE: Custom SSL port in ISA. - 3.May2009 11:23:16 PM   
jdmils

 

Posts: 94
Joined: 25.Jan.2006
Status: offline
Thanks guys. I created the custom protocol using the script, then I created a custom protocol called "HTTPS_Custom" and set port 7002 as an outbound TCP port.

I get this error:

Network Access Message: The page cannot be displayed
Technical Information (for Support personnel)
    Error Code: 504 Proxy Timeout. The connection timed out. (10060) IP Address: 121.213.253.182 Date: 5/4/2009 3:04:39 AM [GMT] Server: cla-isa.scl.signet.com.au Source: proxy
Something is definitely wrong somewhere. Is there any way to check where I have gone wrong in my setup?

_____________________________

|
+-- JDMils
|
+-- Windows 2003 Server DC
+-- Windows 2003 Server hosting ISA 2006 Stnd SP2
|

(in reply to richardhicks)
Post #: 6
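
Added example (not part of any post in this thread, and not ISA or isa_tpr.js code): a Python triage of the two error strings quoted above. 12204 comes from the proxy's own tunnel port check, while 10060 is the Winsock connect timeout, so the change from 502 to 504 shows the port range entry took effect and the failure moved to the outbound connection; `probe` tests that leg directly from the proxy host. The stage labels and function names are this example's own.

```python
import re
import socket
import sys

# Error strings copied from the posts above (the ISA error page text).
BEFORE = ("Error Code: 502 Proxy Error. The specified Secure Sockets Layer (SSL) "
          "port is not allowed. ISA Server is not configured to allow SSL requests "
          "from this port. Most Web browsers use port 443 for SSL requests. (12204)")
AFTER = "Error Code: 504 Proxy Timeout. The connection timed out. (10060)"

# Stage labels are this example's own naming, not ISA terminology.
STAGES = {
    12204: ("proxy-policy", "CONNECT port rejected by the tunnel port range check"),
    10060: ("outbound-connect", "proxy got no answer from the destination in time"),
}
ERROR_RE = re.compile(r"Error Code:\s*(\d{3})\s+([^.]+)\..*?\((\d+)\)", re.S)

def classify(error_text):
    """Return (http_status, code, stage, meaning), or None if no error is found."""
    m = ERROR_RE.search(error_text)
    if m is None:
        return None
    status, code = int(m.group(1)), int(m.group(3))
    stage, meaning = STAGES.get(code, ("unknown", "code not covered here"))
    return status, code, stage, meaning

def probe(host, port, timeout=5.0):
    """Direct TCP connect; run it on the proxy host to test the outbound leg."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"       # same symptom as 10060: nothing answered
    except ConnectionRefusedError:
        return "refused"       # host reachable, nothing listening on the port
    except OSError as exc:
        return "error: %s" % exc

if __name__ == "__main__":
    for text in (BEFORE, AFTER):
        print(classify(text))
    if len(sys.argv) == 3:     # usage: script.py <host> <port>
        print(probe(sys.argv[1], int(sys.argv[2])))
```

A "timeout" from `probe` on the proxy host itself points at the path beyond the proxy (upstream firewall, routing, or the destination) rather than at the access rule or tunnel port range.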
RE: Custom SSL port in ISA. - 4.May2009 1:25:27 PM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
You gotta run the "ISA Tunnel Port Tool" provided on the website below:
http://isatools.org/tools.asp?Context=ISA2006



_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to jdmils)
Post #: 7
RE: Custom SSL port in ISA. - 4.May2009 8:41:26 PM   
jdmils

 

Posts: 94
Joined: 25.Jan.2006
Status: offline
I did! See my first post.

_____________________________

|
+-- JDMils
|
+-- Windows 2003 Server DC
+-- Windows 2003 Server hosting ISA 2006 Stnd SP2
|

(in reply to inderjeet)
Post #: 8
RE: Custom SSL port in ISA. - 5.May2009 9:39:24 AM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
I can try to help you. Can you run the ISABPA in repro mode?


1. Install the Network Monitor 3.2 on client machine and on the ISA Server
2. Install ISABPA on the ISA Server as mentioned below
3. Start the ISABPA on ISA as mentioned below
4. Start Network Monitor on Client machine
5. Test the connectivity
6. Stop the Network Monitor on client and save the logs as .CAP file
7. Stop ISABPA and it will save the file automatically on your desktop as isapackage.cab
8. Send me the logs at isaissues@yahoo.com or you may upload it on rapidshare or megashare and send me the link in email. Don't paste it here.

ISA BPA can be downloaded and installed from the following location:
http://www.microsoft.com/downloads/details.aspx?FamilyID=d22ec2b9-4cd3-4bb6-91ec-0829e5f84063&DisplayLang=en

After installing this, please run the ISA Data Packager from the Start, Programs, ISA Server, ISA Tools menu. Select the ‘Collect data from one of the following repro scenarios’ radio button and select the ‘Basic Repro and Static Configuration’ option, select ‘Next’ and then ‘Start Data Collection’.

When the ISA Data Packager has initialized the various data captures you will be asked to press the Spacebar to start capturing data. This is going to capture a number of data outputs from a repro of the issue (Network traces, ISA tracing output, ISA logs) so before running this and pressing the spacebar please get set-up to repro the issue.

When you are ready to repro the issue, press the spacebar, repro the issue and then press the spacebar again to stop the captures. If you can, try to keep the time you are capturing quite short; that will help our analysis of the data.

The BPA will also gather config data from the ISA server that will help us understand your set-up and will output all the data captures to a file on the desktop called isapackage.cab.



_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to jdmils)
Post #: 9
