Custom SSL port in ISA.

jdmils -> Custom SSL port in ISA. (27.Apr.2009 6:43:04 PM)

I have a request from a user to allow access to the web site:

http://www.oceancentrehotel.com.au/

Which is OK so far. But when the user clicks the "Check Rates" button, they are redirected to:

https://reservations.oceancentrehotel.com.au:7002/listRoomTypes.do?action=Select&propertyCode=AUS099&inDate=04/29/2009&outDate=04/30/2009&adults=1&children=0&rooms=1&cid=102208000212

As you can see, it tries to connect SSL to port 7002, resulting in this error msg:

Error Code: 502 Proxy Error. The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests. (12204)

I then went to "http://www.isaserver.org/articles/2004tunnelportrange.html" and using the "isa_tpr.js" util, created the SSL port 7002 but it does not work. Now, when I try to access the SSL address above, I get the error:

Error Code: 504 Proxy Timeout. The connection timed out. (10060)

When I rerun the "isa_tpr.js" util, I get:

* This is your current Tunnel Port Range list:
* HTTPS_Custom (single port): 7002
* NNTP (single port): 563
* SSL (single port): 443

So it seems to have worked, however, I can NOT see this custom protocol in the ISA gui. What can I do next?

ISA Server 2006 on Windows 2003 Server.




jdmils -> RE: Custom SSL port in ISA. (27.Apr.2009 6:51:16 PM)

Here are the error logs:

Original Client IP    Client Agent    Authenticated Client    Service    Server Name    Referring Server    Destination Host Name    Transport    MIME Type    Object Source    Source Proxy    Destination Proxy    Bidirectional    Client Host Name    Filter Information    Network Interface    Raw IP Header    Raw Payload    GMT Log Time    Source Port    Processing Time    Bytes Sent    Bytes Received    Result Code    HTTP Status Code    Cache Information    Error Information    Log Record Type    Authentication Server    Log Time    Destination IP    Destination Port    Protocol    Action    Rule    Client IP    Client Username    Source Network    Destination Network    HTTP Method    URL
0.0.0.0    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322)    Yes    Proxy    CLA-ISA        reservations.oceancentrehotel.com.au    TCP        Internet    -    -        -    Req ID: 0fcb6892; Compression: client=No, server=No, compress rate=0% decompress rate=0%    -    -    -    27/04/2009 10:48:42 PM    0    0    851    0        10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.     0x0    0x40    Web Proxy Filter        28/04/2009 8:48:42 AM    121.213.253.182    7002    SSL-tunnel    Failed Connection Attempt    HTTP/HTTPS Users Group    10.3.17.241    SCL\jmilano    Internal    External        reservations.oceancentrehotel.com.au:7002

Details:

Failed Connection Attempt CLA-ISA 28/04/2009 8:48:42 AM Log type: Web Proxy (Forward)
Status:
10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Rule:
HTTP/HTTPS Users Group
Source:
Internal (10.3.17.241)
Destination:
External (121.213.253.182:7002)
Request:
reservations.oceancentrehotel.com.au:7002
Filter information:
Req ID: 0fcb6892; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol:
SSL-tunnel
User:
SCL\jmilano
Additional information
Client agent:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322)
Object source:
Internet (Source is the Internet. Object was added to the cache.)
Cache info:
0x0
Processing time:
0 ms
MIME type:


Thanks for helping!




mahmovic -> RE: Custom SSL port in ISA. (28.Apr.2009 6:32:44 AM)

Try using MS FW Client...

Regards....




paulo.oliveira -> RE: Custom SSL port in ISA. (28.Apr.2009 1:11:04 PM)

Hi,

Have you allowed the 7002 port on ISA firewall access rules?

Regards,
Paulo Oliveira.




richardhicks -> RE: Custom SSL port in ISA. (29.Apr.2009 12:53:43 PM)

If your clients are web proxy clients, all that should be required is to configure the SSL tunnel port on the ISA firewall using the script as you have done.  If your clients are SecureNAT clients you will need to create a custom protocol for TCP port 7002 and add that to your access rule.




jdmils -> RE: Custom SSL port in ISA. (3.May2009 11:23:16 PM)

Thanks guys. I created the custom protocol using the script, then I created a custom protocol called "HTTPS_Custom" and set port 7002 as an outbound TCP port.

I get this error:

Network Access Message: The page cannot be displayed
Technical Information (for Support personnel)
    Error Code: 504 Proxy Timeout. The connection timed out. (10060) IP Address: 121.213.253.182 Date: 5/4/2009 3:04:39 AM [GMT] Server: cla-isa.scl.signet.com.au Source: proxy

Something is definitely wrong somewhere. Is there any way to check where I have gone wrong in my setup?
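
Added example, not part of any post in this thread and not ISA Server code: a small Python model of the two stages a CONNECT request passes through on a forward proxy, showing why error 12204 (port rejected by the tunnel port range list) and error 10060 (upstream TCP connect timed out) point at different places. The function names and the `DEFAULT_RANGES` table are assumptions made for illustration; `tcp_probe` can be run from the proxy server itself to test the destination directly.

```python
import socket

# Tunnel port range list exactly as isa_tpr.js printed it in the first post.
TUNNEL_PORT_RANGES = {"HTTPS_Custom": (7002, 7002), "NNTP": (563, 563), "SSL": (443, 443)}
# Assumed state of the list before port 7002 was added (hypothetical name).
DEFAULT_RANGES = {"NNTP": (563, 563), "SSL": (443, 443)}


def port_allowed(port, ranges):
    """True if the CONNECT port falls inside any configured tunnel port range."""
    return any(low <= port <= high for low, high in ranges.values())


def tcp_probe(host, port, timeout=5.0):
    """Direct TCP connect to the destination, bypassing the proxy."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"


def triage_connect(target, ranges, probe=tcp_probe):
    """Return (stage, detail) describing where a CONNECT host:port fails."""
    host, _, port_text = target.rpartition(":")
    port = int(port_text)
    if not port_allowed(port, ranges):
        # Rejected by proxy policy; no upstream connection is attempted.
        return ("proxy-policy", "12204: SSL port not allowed")
    outcome = probe(host, port)
    if outcome == "open":
        return ("tunnel", "upstream accepted the TCP connection")
    if outcome == "timeout":
        # Winsock WSAETIMEDOUT, reported in this thread as 504 Proxy Timeout (10060).
        return ("upstream-connect", "10060: no reply from upstream host")
    return ("upstream-connect", outcome)


if __name__ == "__main__":
    # Constructed probe results stand in for the network so this runs offline.
    target = "reservations.oceancentrehotel.com.au:7002"
    print(triage_connect(target, DEFAULT_RANGES))
    print(triage_connect(target, TUNNEL_PORT_RANGES, probe=lambda h, p: "timeout"))
```

A result in the `upstream-connect` stage means the tunnel port range change took effect and the request got past proxy policy; what remains to check is whether the proxy server can reach the destination port at all.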




inderjeet -> RE: Custom SSL port in ISA. (4.May2009 1:25:27 PM)

You gotta run the "ISA Tunnel Port Tool" provided on the website below:
http://isatools.org/tools.asp?Context=ISA2006





jdmils -> RE: Custom SSL port in ISA. (4.May2009 8:41:26 PM)

I did! See my first post.




inderjeet -> RE: Custom SSL port in ISA. (5.May2009 9:39:24 AM)

I can try to help you. Can you run the ISABPA in repro mode?


1. Install the Network Monitor 3.2 on client machine and on the ISA Server
2. Install ISABPA on the ISA Server as mentioned below
3. Start the ISABPA on ISA as mentioned below
4. Start Network Monitor on Client machine
5. Test the connectivity
6. Stop the Network Monitor on client and save the logs as .CAP file
7. Stop ISABPA and it will save the file automatically on your desktop as isapackage.cab
8. Send me the logs at isaissues@yahoo.com or you may upload it on rapidshare or megashare and send me the link in email. Don't paste it here

ISA BPA can be downloaded and installed from the following location:
http://www.microsoft.com/downloads/details.aspx?FamilyID=d22ec2b9-4cd3-4bb6-91ec-0829e5f84063&DisplayLang=en

After installing this, please run the ISA Data Packager from the Start, Programs, ISA Server, ISA Tools menu. Select the ‘Collect data from one of the following repro scenarios’ radio button and select the ‘Basic Repro and Static Configuration’ option, select ‘Next’ and then ‘Start Data Collection’.

When the ISA Data Packager has initialized the various data captures you will be asked to press the Spacebar to start capturing data. This is going to capture a number of data outputs from a repro of the issue (Network traces, ISA tracing output, ISA logs) so before running this and pressing the spacebar please get set-up to repro the issue.

When you are ready to repro the issue, press the spacebar, repro the issue and then press the spacebar again to stop the captures. If you can, try to keep the time you are capturing quite short; that will help our analysis of the data.

The BPA will also gather config data from the ISA server that will help us understand your set-up and will output all the data captures to a file on the desktop called isapackage.cab.




