Access to HTTPS or SSL sites fails from ISA Server when they use ports other than 443 or 563, and you receive a message that this is not supported

In all versions of ISA Server and the current version of FTMG, the default HTTPS protocol uses TCP ports 443 and 563 only. This cannot be changed within the ISA or FTMG GUI; the change must be made from a Windows cmd prompt on the ISA Server itself.

To get to the cmd prompt, click Start, then Run, and enter cmd in the Run box.

In the cmd window, type "cd \" without the quote marks and press the Enter or Return key.

Open a web browser and go to http://www.isatools.org, then, using the tabs along the middle, select the version of ISA or FTMG tools relevant to your installation.
Find and download the Tunnel Port Range Extender utility saving it to the c:\ folder of the ISA/FTMG box - this is the root of your c: drive. The file name will be isa_tpr.js.

The www.isatools.org site is hosted by Jim Harrison - a top-bloke within Microsoft's ISA and FTMG area and access to this file is by his kind permission.
Go back to your cmd prompt window and type the following: isa_tpr.js /? to get a list of commands & options.
I have provided an example to add TCP port 5100 to the list of ports that ISA will recognise as being authorised to carry HTTPS traffic.

 isa_tpr.js /add port5100 5100 5100

This example calls the isa_tpr script, tells it that I want to add a single port, that I want to name the new port description as 'port5100' and finally provides a start port and end port.

Once completed, stop and restart the ISA firewall service for the change to take effect. An access rule in the ISA/FTMG firewall policy that allows https traffic outbound will now succeed when the destination port is either 443 or 5100. Similarly, you can also add a range of ports in a single command; for example, to add ports 5101 - 5110, use the command line as follows:

isa_tpr.js /add moressl 5101 5110

Using the following will show you all of the ports that have been authorised for use through SSL/HTTPS:

isa_tpr.js /show

To delete an added port or port range from the allowed HTTPS list, use the following:

isa_tpr.js /del port5100
The port name/range description is provided when you run the isa_tpr.js /show option. Again, restart the ISA firewall services to enforce the changes made.
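
Every range added this way widens the set of ports the firewall will tunnel as HTTPS, so it is worth reviewing the list after each change. The following is an added example, not part of the original article or of the isa_tpr.js utility: a read-only PowerShell audit that reads the tunnel port ranges through the ISA/FTMG administration COM object (FPC.Root) and marks anything beyond the two default ports. The width threshold and the variable names are assumptions chosen for illustration.

```powershell
# Read-only audit of the HTTPS tunnel port ranges on an ISA/FTMG server.
# Run from an administrative PowerShell session on the firewall itself.
# Nothing is saved back to the configuration (no call to Save).

$defaultPorts = 443, 563   # the two default ports named in the article
$maxWidth     = 10         # assumption: ranges wider than this get flagged

# FPC.Root is the ISA/FTMG administration COM object.
$root   = New-Object -ComObject FPC.Root
$ranges = $root.GetContainingArray().ArrayPolicy.WebProxy.TunnelPortRanges

$report = foreach ($r in $ranges) {
    $low   = [int]$r.TunnelLowPort
    $high  = [int]$r.TunnelHighPort
    $width = $high - $low + 1

    # A default entry is a single-port range on 443 or 563.
    $isDefault = ($low -eq $high) -and ($defaultPorts -contains $low)

    $note = if ($isDefault) { 'default' } elseif ($width -gt $maxWidth) {
        'REVIEW: wide range'
    } else { 'added' }

    New-Object PSObject -Property @{
        Name  = $r.Name
        Low   = $low
        High  = $high
        Ports = $width
        Note  = $note
    }
}

# Show the list sorted by port, with non-default entries easy to spot.
$report | Sort-Object Low |
    Select-Object Name, Low, High, Ports, Note |
    Format-Table -AutoSize

# Summary line: how many ports beyond the defaults can now be tunnelled.
$extra = ($report | Where-Object { $_.Note -ne 'default' } |
    Measure-Object -Property Ports -Sum).Sum
"Non-default tunnel ports allowed: $([int]$extra)"
```

The Name column matches the description given to isa_tpr.js /add, so an entry that is no longer needed can be removed with isa_tpr.js /del followed by a restart of the firewall service.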