Access to https or SSL sites fail from ISA Server when used over ports other than 443 or 563 and you receive a message that this is not supported

Keith AlabasterEnterprise Architect
In all versions of ISA Server and the current version of FTMG, the default https protocol uses TCP port 443 and 563 only. This cannot be changed within the ISA or FTMG GUI and must be completed from a Windows cmd prompt on the ISA Server itself.

To get to the cmd prompt, click on start - run and enter cmd in the run box.

In the cmd box, type in "cd \" without the quote marks followed by pressing the enter or return key.

Open a web browser and go to then using the tabs along the middle, select the version of ISA or FTMG tools relevant to your installation.
Find and download the Tunnel Port Range Extender utility saving it to the c:\ folder of the ISA/FTMG box - this is the root of your c: drive. The file name will be isa_tpr.js.

The site is hosted by Jim Harrison - a top-bloke within Microsoft's ISA and FTMG area and access to this file is by his kind permission.
Go back to your cmd prompt window and type the following: isa_tpr.js /? to get a list of commands & options.
I have provided an example to add TCP port 5100 to the list of ports that ISA will recognise as being authorised to carry HTTPS traffic.

 isa_tpr.js /add port5100 5100 5100

This example calls the isa_tpr script, tells it that I want to add a single port, that I want to name the new port description as 'port5100' and finally provides a start port and end port.

Once completed, stop and restart the ISA firewall service for the change to take effect. An access rule in the ISA/FTMG firewall policy that allows https traffic outbound will now succeed when the destination port is either 443 or 5100. Similarly, you can also add a range of ports in a single command; for example, to add ports 5101 - 5110, use the command line as follows:

isa_tpr.js /add moressl 5101 5110

Using the following will show you all of the ports that have been authorised for use through SSL/HTTPS:

isa_tpr.js /show

To delete an added port or port range from the allowed HTTPS list then the following should be followed:

isa_tpr.js /del port5100
The port name/range description is provided when you run the isa_tpr.js /show option. Again, restart the ISA firewall services to enforce the changes made.
Keith AlabasterEnterprise Architect

Comments (5)

Suliman Abu KharroubIT Consultant

Really nice. I will try it.

Thanks a lot!
Suliman Abu KharroubIT Consultant

i cant find ISA tunnel port rang extender listed under isa 2006 tab.

kindly advice.
Keith AlabasterEnterprise Architect
Top Expert 2008


In that version, Jim has called it the ISA Tunnel Port Tool
Kevin CrossChief Technology Officer
Most Valuable Expert 2011

Nice work, Keith!
ryan donaldwriter

It is good to see that the people are active in responding. Thank you for all the responses. I was trying to look up for it, and i found it here.
thanks again.
If anyone needs assistance in comepleting their written work can get in touch with me at do my master's essay for me.

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.