Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
I've narrowed it down to the firewall client. I installed a test ISA 2004 server and put on the same windows updates, third party software, and same services.
My client can connect through this new server, but not the live server. If I set my firewall client to use the test server, it works. The web proxy client does not seem to matter where it is directed. 100% of the time, if the firewall client is directed to go through my live server, SSL error 5 occurs. ISA 2000 also works.
Any ideas on what could be wrong with the firewall client on my ISA 2004 server??
Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
Now I'm not so sure it's the firewall client.
If I don't have a firewall client enabled, I get an error stating there is no route to the specified subnet. If I enable the firewall client to the live server, I get the error no third party ssl provider error 5.
I disabled the firewall client and put route statements on my client that specified the remote ip address and gateway of ISA. I get the same third party ssl provider error 5 even with the firewall client disabled.
Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
I ran the Enable, TestAutodetect and EnableBrowserAutoconfig, with no errors. When being redirected to an SSL site today, I had a blank page returned when I had the Automatically Detect ISA server and Use Autoconfig Routing Script settings enabled in IE. When I disabled them, the page came up fine. This does not always happen. I tried it now with the settings enabled and it worked fine.
I have also had users recently report that they are intermittently prompted for logins to ISA even though they are not using an application on the internet. This is new since starting troubleshooting the access to bryanlgh.org. The only thing I can think that has changed is setting direct access on the Web Browser in ISA to include 172.16.0.0 - 172.16.255.255 and 127.0.0.0 to 127.0.0.255. Before I just specified my domain name.
Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
I've given up for now and am allowing about a dozen users who need access to the site to go through my old ISA 2000 server. If anyone happens upon this thread and has any suggestions on how to get to the site on ISA 2004, it would be appreciated. Thanks.
Hi, was this resolved? I have the same issue with a Citrix Metaframe connection. When the user launches an application, the ISA 2004 shows either error 1460 or 995.
We contacted Citrix support, and they said some clients have trouble and some don't. I cannot get any details out of them. It seems to me some people got it working. Just wonder if anyone could share it.
Thanks gguitugua for the information. I have thought about this also. However, the traffic I monitored was on port 443. The Citrix people also told me that it was on port 443.
Posts: 144
Joined: 18.Nov.2004
From: Netherlands, The
Status: offline
Hi,
I have exactly the same problem with ISA Server 2004 Enterprise Edition. In my case, we use two array members, which are behind a CheckPoint firewall. I'm not sure if this problem started since SP2 and the HTTP filter update. I'm sure we didn't have it before.
Almost any request regarding SSL-tunnel report "Failed Connection Attempt", even some 8080 connections.
Through the logging on the CheckPoint firewall we can see that all packets pass through the CheckPoint.
Posts: 144
Joined: 18.Nov.2004
From: Netherlands, The
Status: offline
Hi,
Did you find the solution for this problem? I have exactly the same problem. Everything seems to work fine, but I have a bad feeling about it. Hope to hear from you.
Long time since I visited these forums, must have been what... 2 years or so...? Still remember the good old ISA 2004 standard edition betas :) Ok.. enough chitchat :) The solution... is simple:
SSL errors almost always relate to going out 1 way, and coming back another way, hence not completing the handshake. In normal words: you probably have a different default gateway than your proxy server.
So, how do you solve this? Go to a command prompt on the CLIENT PC:
route ADD <IP OF SSL SITE> MASK 255.255.255.255 <IP OF ISA SERVER> -p
Could you post the monitoring session of relevant data? Does anything come back from the host you're trying to reach? Can you confirm that all traffic is coming from the client? Or is some of the traffic coming from the ISA server?
I've recently started encountering this same issue. ISA2004 is my network default gateway and is set up to publish automatic discovery information via default port 80, DNS has a WPAD CNAME entry pointing to ISA's FQDN, and DNS has a host record for ISA. Users are SNAT and unable to access many SSL sites but a site in particular is our own OWA server, internally. The request times out in all cases. Monitoring shows failed connection attempt, error 995, to many external IP addresses. One external IP I was able to confirm is verisign. Doesn't matter if the browser is set to automatic detect or not, the SSL request still times out. The only way to get it to work is to actually configure the browser to use a proxy server as 10.x.x.x / port 8080.
Something odd that I don't understand is the information provided by MS regarding publishing automatic discovery information in ISA using DNS http://www.microsoft.com/technet/isa/2004/plan/automaticdiscovery.mspx. According to MS, ISA publishes on 8080 by default but to publish via DNS you must use 80... the Auto Discovery tab on the properties of the internal network default is 80. From a client I can go to http://myisaserver/wpad where I'm prompted to save the file. I save the WPAD file and open it with notepad to find "HttpPort="8080"". So which is it??? 80 or 8080 and where is it configured?
Randy near Houston, TX
< Message edited by randy_ray -- 6.Feb.2007 7:03:36 PM >
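
Added example, not part of any poster's message: a way to check which next hop a client's route table selects for the SSL site before and after the route ADD suggested earlier in the thread, using longest-prefix match as the IP stack does. The route rows, the ISA address 172.16.0.254, the gateway 172.16.0.1 and the site address 203.0.113.10 are constructed assumptions, not values from the thread.

```python
import ipaddress

# Constructed sample rows in the column order `route print` uses:
# Network Destination, Netmask, Gateway, Interface, Metric.
# Every address below is an assumption made for illustration.
ISA_SERVER = "172.16.0.254"   # hypothetical ISA internal address
SSL_SITE = "203.0.113.10"     # hypothetical SSL site (documentation range)

ROUTES_BEFORE = """
0.0.0.0        0.0.0.0          172.16.0.1    172.16.0.50   20
172.16.0.0     255.255.0.0      172.16.0.50   172.16.0.50   20
"""
# Same table after: route ADD 203.0.113.10 MASK 255.255.255.255 172.16.0.254 -p
ROUTES_AFTER = ROUTES_BEFORE + """
203.0.113.10   255.255.255.255  172.16.0.254  172.16.0.50   1
"""


def parse_routes(text):
    """Turn route-table rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank lines and column headers
        dest, mask, gateway, iface, metric = parts
        prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
        network = ipaddress.ip_network(f"{dest}/{prefix}", strict=False)
        routes.append((network, gateway, iface, int(metric)))
    return routes


def next_hop(routes, destination):
    """Pick the most specific matching route; lowest metric breaks ties."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in r[0]]
    if not matches:
        return None  # no route to the destination at all
    _, gateway, iface, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    # On-link route: the gateway column is the client's own interface
    # (or the literal "On-link"), so the packet goes straight to the host.
    if gateway == iface or gateway.lower() == "on-link":
        return destination
    return gateway


def uses_isa(routes, destination, isa=ISA_SERVER):
    """True when traffic to destination leaves via the ISA server."""
    return next_hop(routes, destination) == isa
```

With the constructed tables, the SSL site leaves via 172.16.0.1 before the host route is added and via the ISA server afterwards, which is the mismatch to look for when the default gateway and the proxy are different machines.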