[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More


Access to https or SSL sites fail from ISA Server when used over ports other than 443 or 563 and you receive a message that this is not supported

Published on
18,742 Points
4 Endorsements
Last Modified:
In all versions of ISA Server and the current version of FTMG, the default https protocol uses TCP port 443 and 563 only. This cannot be changed within the ISA or FTMG GUI and must be completed from a Windows cmd prompt on the ISA Server itself.

To get to the cmd prompt, click on start - run and enter cmd in the run box.

In the cmd box, type in "cd \" without the quote marks followed by pressing the enter or return key.

Open a web browser and go to http://www.isatools.org then using the tabs along the middle, select the version of ISA or FTMG tools relevant to your installation.
Find and download the Tunnel Port Range Extender utility saving it to the c:\ folder of the ISA/FTMG box - this is the root of your c: drive. The file name will be isa_tpr.js.

The www.isatools.org site is hosted by Jim Harrison - a top-bloke within Microsoft's ISA and FTMG area and access to this file is by his kind permission.
Go back to your cmd prompt window and type the following: isa_tpr.js /? to get a list of commands & options.
I have provided an example to add TCP port 5100 to the list of ports that ISA will recognise as being authorised to carry HTTPS traffic.

 isa_tpr.js /add port5100 5100 5100

This example calls the isa_tpr script, tells it that I want to add a single port, that I want to name the new port description as 'port5100' and finally provides a start port and end port.

Once completed, stop and restart the ISA firewall service for the change to take effect. An access rule in the ISA/FTMG firewall policy that allows https traffic outbound will now succeed when the destination port is either 443 or 5100. Similarly, you can also add a range of ports in a single command; for example, to add ports 5101 - 5110, use the command line as follows:

isa_tpr.js /add moressl 5101 5110

Using the following will show you all of the ports that have been authorised for use through SSL/HTTPS:

isa_tpr.js /show

To delete an added port or port range from the allowed HTTPS list then the following should be followed:

isa_tpr.js /del port5100
The port name/range description is provided when you run the isa_tpr.js /show option. Again, restart the ISA firewall services to enforce the changes made.
LVL 23

Expert Comment

by:Suliman Abu Kharroub
Really nice. I will try it.

Thanks a lot!
LVL 23

Expert Comment

by:Suliman Abu Kharroub
i cant find ISA tunnel port rang extender listed under isa 2006 tab.

kindly advice.
LVL 51

Author Comment

by:Keith Alabaster
In that version, Jim has called it the ISA Tunnel Port Tool
LVL 61

Expert Comment

by:Kevin Cross
Nice work, Keith!

Expert Comment

by:ryan donald
It is good to see that the people are active in responding. Thank you for all the responses. I was trying to look up for it, and i found it here.
thanks again.
If anyone needs assistance in comepleting their written work can get in touch with me at do my master's essay for me.

Featured Post

CompTIA Cloud+

The CompTIA Cloud+ Basic training course will teach you about cloud concepts and models, data storage, networking, and network infrastructure.

Join & Write a Comment

Watch this online video tutorial and learn the best way to reduce Outlook mailbox size using Compact Now feature of Outlook. It removes the deletes item's space from Microsoft Outlook 2016, 2013, and 2010 and compresses the PST file size. This will …
If you, like me, have a dislike for using Online Subscription anti-spam services, then this video series is for you. I have an inherent dislike of leaving decisions such as what is and what isn't spamming to other people or services for me and insis…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month