
Welcome to ISAserver.org


ADCS HTTP connections between BOs fail

ADCS HTTP connections between BOs fail - 11.Jan.2010 6:35:05 PM   
JeffVandervoort

 

ISA/RRAS site-to-site VPN. MO & 3 BOs have ISA 2006 EE, 2 BOs have RRAS without ISA.

MO has a WS2008 R2 ADCS; BOs have WS2003 Certificate Services.

In Enterprise PKI MMC, HTTP CRL/AIA verifies in both directions on sites whose endpoint is RRAS. But on sites with ISA endpoints, all HTTP CRL/AIA connections to BOs fail. LDAP succeeds. I've verified that the URLs work locally; they just don't work remotely, and only on the sites with ISA endpoints.

Access Rule for site-to-site connections is allow all for all users in both directions, and protocol filters are disabled.

I see no connections at all on the remote site's ISA logs. On the local machine's ISA logs, I see a timeout failure (see below).

One thing worth noting: It's the Web Proxy service that's logging the failure. The Web Browser tab on the Internal network properties on each ISA site includes *.domainname.local and the internal IP ranges of all other internal sites, so I don't understand why the connection is going through the proxy. Is that why it's failing?

Log entry follows below.







Failed Connection Attempt

[ISASERVERNAME] 01/11/2010 5:23:28 PM

Log type: Web Proxy (Forward)

Status: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

Rule: Allow all between Branch Offices

Source: Internal (MO-CAName.domainname.local 192.168.0.235:0)

Destination: BOSiteName (BO-CAName.domainname.local 10.1.0.223:80)

Request: GET http://10.1.0.223/CertEnroll/BO-CAName.domainname.local_BO-CAName.domainname.local.crt

Filter information: Req ID: 0d45b223; Compression:None

Protocol: http

User: anonymous

Additional information

Client agent: Microsoft-CryptoAPI/6.1

Object source: Internet

Processing time: 20969

Cache info: 0x5

MIME type:
 
 