This is my first time using the ISAserver.org forums so please forgive me in advance if I'm not quite fully up to speed on all the known issues out there regarding ISA 2006.
We are having issues with SSL-tunnel traffic being denied by some of our proxy server rules. We are running ISA Server 2006 with one NIC facing internal and one facing external, just behind a firewall. Almost all of the workstations and servers involved with this issue have the latest Firewall Client installed and configured. When going to certain https websites for things such as provider-hosted webmail or messaging built into legitimate business-use websites, the users get an HTTP 403 error that says "This error (HTTP 403 Forbidden) means that Internet Explorer was able to connect to the website, but it does not have permission to view the webpage." whenever they click on a link to that portion of the page after authenticating. When they are guided by support from the website directly to the URL or server for the messaging/webmail, they successfully get into the website. The monitor comes up with some of the following messages:
Denied Connection
Log type: Web Proxy (Forward)
Status: 12209 The ISA server requires authorization to fulfill the request. Access to the Web Proxy filter is denied
Rule: ********* (edited out for privacy reasons)
Source: Internal (*.*.*.*) (edited out for privacy reasons)
Destination: External (*.*.*.*) (edited out for privacy reasons)
Request: *.(website domain).com:443 (again edited out for privacy reasons)
Filter information: Req ID: 116863c5
Protocol: SSL-tunnel
User: anonymous
and the following message:
Denied Connection
Log type: Web Proxy (Forward)
Status: 995 The I/O operation has been aborted because of either a thread exit or an application request.
Rule: ********* (edited out for privacy reasons)
Source: Internal (*.*.*.*) (edited out for privacy reasons)
Destination: External (*.*.*.*) (edited out for privacy reasons)
Request: *.(website domain).com:443 (again edited out for privacy reasons)
Filter information: Req ID: 116863c5
Protocol: SSL-tunnel
User: (domain)\(user) (edited for privacy reasons)
Thanks for the reply tshinder, we actually just found the answer to our problem. We had both the web proxy information filled in with the proxy server information and the Firewall Client installed. When they tried to access an SSL site that was used for messaging and it redirected them, it would appear as anonymous traffic instead of authenticated. To resolve the problem for the particular sites that were having the problem, we set them up in Configuration - Networks Tab - Internal Connection Properties - Web Browser Tab - "Directly access these servers or domains". This resolved our issue. We contemplated removing the proxy settings from IE to prevent the PCs from using the web proxy instead of the Firewall Client, but it would require a lot of effort to resolve this issue across all of the networks traversing our proxy server.
Could you elaborate on why I would not want our servers to use the Firewall Client? We support roughly 80+ servers, most of which have the Firewall Client and are operating without issue as of this time. I'd like to know, though, if there is a major hangup we should be aware of.
Thanks for your quick reply!
< Message edited by mblinde -- 22.Oct.2009 10:40:11 AM >
The Firewall Client is used to support complex protocols and user authentication. Since servers typically don't have logged-on users, there's no reason to install the FWC on those machines. They also typically don't need outbound access to complex protocols. However, because it is an LSP, it could interfere with other network or name resolution functions, and have unintended functionality or security effects.
Unless you have a specific reason for putting the FWC on servers, I would remove it. However, it should be on all client machines.
It appears as though we are having many more anonymous SSL connections being denied than we thought before. Is there any advice you could possibly give? Do most people block anonymous SSL traffic?
Depends on the sites users are going to. In general, SSL can be a security problem since the firewall can't inspect those messages (unless you're using TMG, which does perform outbound SSL inspection).
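Added example (not code from ISA Server or from any poster in this thread): before deciding which sites to put on the "Directly access these servers or domains" list, it helps to find out which destinations are actually producing the anonymous SSL-tunnel refusals. The script below parses "Denied Connection" entries of the kind quoted earlier in the thread (one entry per line, with the fields in the order the monitor shows them: Status, Rule, Source, Destination, Request, Req ID, Protocol, User), counts status 12209 refusals per destination host, and also groups entries by Req ID so that the anonymous 12209 refusal and the later authenticated 995 abort for the same request can be seen side by side. The hostnames, addresses, rule name and request IDs are constructed sample data; the wildcard form of the bypass entries (`*.example.com`) is an assumption of this example, not something the thread specifies.

```python
"""Triage of ISA Server 2006 Web Proxy "Denied Connection" entries.

Added example for this thread, not code from ISA Server or any poster.
It lists the destination hosts whose SSL-tunnel requests were refused as
anonymous (status 12209), i.e. candidates for the bypass list.
"""
import re
from collections import Counter, defaultdict

# Field layout follows the monitor text quoted in the thread.
_ENTRY_RE = re.compile(
    r"Status: (?P<status>\d+) (?P<message>.*?) "
    r"Rule: (?P<rule>.+?) "
    r"Source: (?P<src_net>\w+) \((?P<src_ip>[^)]*)\) "
    r"Destination: (?P<dst_net>\w+) \((?P<dst_ip>[^)]*)\) "
    r"Request: (?P<request>\S+) .*?"
    r"Req ID: (?P<req_id>[0-9a-fA-F]+) "
    r"Protocol: (?P<protocol>\S+) "
    r"User: (?P<user>.+?)\s*$"
)

AUTH_REQUIRED = ("The ISA server requires authorization to fulfill the request. "
                 "Access to the Web Proxy filter is denied")
IO_ABORTED = ("The I/O operation has been aborted because of either a thread "
              "exit or an application request.")


def _entry(status, message, rule, src_ip, dst_ip, request, req_id, protocol, user):
    """Build one flattened monitor line in the form quoted in the thread."""
    return (f"Denied Connection Log type: Web Proxy (Forward) Status: {status} {message} "
            f"Rule: {rule} Source: Internal ({src_ip}) Destination: External ({dst_ip}) "
            f"Request: {request} Filter information: Req ID: {req_id} "
            f"Protocol: {protocol} User: {user}")


# Constructed sample data: hostnames, addresses, rule name and IDs are made up.
SAMPLE_ENTRIES = [
    _entry(12209, AUTH_REQUIRED, "Allow Web Access", "10.0.0.15", "203.0.113.10",
           "mail.example.com:443", "116863c5", "SSL-tunnel", "anonymous"),
    _entry(995, IO_ABORTED, "Allow Web Access", "10.0.0.15", "203.0.113.10",
           "mail.example.com:443", "116863c5", "SSL-tunnel", "EXAMPLE\\alice"),
    _entry(12209, AUTH_REQUIRED, "Allow Web Access", "10.0.0.22", "203.0.113.10",
           "mail.example.com:443", "2a77b0e1", "SSL-tunnel", "anonymous"),
    _entry(12209, AUTH_REQUIRED, "Allow Web Access", "10.0.0.22", "198.51.100.7",
           "webmail.example.org:443", "3c0d91ff", "SSL-tunnel", "anonymous"),
    "Denied Connection Log type: Firewall (constructed line with no Web Proxy fields)",
]


def parse_entry(line):
    """Return a dict of fields for one Web Proxy entry, or None if it does not match."""
    m = _ENTRY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    host, sep, port = rec["request"].rpartition(":")
    rec["host"] = host if sep else rec["request"]
    rec["port"] = int(port) if sep and port.isdigit() else None
    rec["anonymous"] = rec["user"].strip().lower() == "anonymous"
    return rec


def parse_entries(lines):
    return [r for r in (parse_entry(l) for l in lines) if r is not None]


def anonymous_ssl_denials(lines):
    """host -> number of SSL-tunnel requests refused with 12209 as anonymous."""
    hits = Counter()
    for rec in parse_entries(lines):
        if rec["status"] == 12209 and rec["protocol"] == "SSL-tunnel" and rec["anonymous"]:
            hits[rec["host"]] += 1
    return hits


def request_timeline(lines):
    """Req ID -> [(status, user), ...] in log order, so the anonymous 12209
    refusal and the later authenticated 995 abort of one request line up."""
    timeline = defaultdict(list)
    for rec in parse_entries(lines):
        timeline[rec["req_id"]].append((rec["status"], rec["user"]))
    return dict(timeline)


def bypass_entry(host):
    """Assumption of this example: hosts with three or more labels are
    generalised to a wildcard on the parent domain; shorter names stay exact."""
    labels = host.split(".")
    if len(labels) >= 3:
        return "*." + ".".join(labels[1:])
    return host


def bypass_candidates(lines, min_hits=1):
    """Sorted bypass-list entries for hosts with at least min_hits refusals."""
    hits = anonymous_ssl_denials(lines)
    return sorted({bypass_entry(h) for h, n in hits.items() if n >= min_hits})


if __name__ == "__main__":
    for host, n in anonymous_ssl_denials(SAMPLE_ENTRIES).most_common():
        print(f"{n:4d}  {host}")
    print("bypass candidates:", bypass_candidates(SAMPLE_ENTRIES, min_hits=2))
```

Run it against a saved copy of the monitor output (one entry per line) and raise `min_hits` until the list shrinks to the handful of webmail and messaging hosts users actually complain about; every host added to the bypass list is a host the Web Proxy no longer authenticates or logs for those clients, so the list is worth keeping short.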