  • Status: Solved
  • Priority: Medium
  • Security: Public

Having a problem using HTTPS through ISA 2004 SP2 setup with single NIC

OS - Windows 2003 R2, ISA 2004 SP2

We are setting up an ISA server in proxy mode so that HTTP and HTTPS are proxied through the ISA server. We can get it to work with HTTP or HTTPS as long as the browser is set to use port 80 for everything, but we have an issue with HTTPS over a VPN connection (Checkpoint) if we leave it like that. I was able to set up our old proxy server (ISA 2000) so that it accepts requests over port 443 and turns around and sends them out via 443 to the particular website. We configured the browsers to use 443 for SSL requests and everything is working fine on it.
We want to configure the same for the new server, but it doesn't forward the HTTPS request through it. The ISA firewall log shows that it initiates the connection from the client to the ISA server, but that's it. We do not see an HTTPS connection from the ISA server out while monitoring the server using netmon.
Thanks for your help
0
ColoradoPERA
1 Solution
 
Keith Alabaster (Enterprise Architect) Commented:
Are you using the ISA firewall client? If so, have you removed the old client and installed the new one?
If not the ISA clients, are you using SecureNAT, just Web Proxy settings or both?
What rule(s) have you set up for the outgoing traffic?
0
 
ColoradoPERA (Author) Commented:
We are not using the ISA firewall client and we are not using SecureNAT, just Web Proxy settings.
Network rules
Default - Local host routes to All networks
Default VPN - VPN to internal
Default Internal Access - Internal, Quarantined VPN, vpn NAT'd to External

Firewall Policy
From internal/local host allow http and https to internal
Last Default Rule
internal = 0.0.0.1 - 126.255.255.255 and 128.0.0.0 - 255.255.255.254
 (just followed Microsoft's document Configuring ISA Server 2004 on a Computer with a Single Network Adapter)
0
 
Keith Alabaster (Enterprise Architect) Commented:
OK, so proxy-only mode.

If you start the ISA GUI, select Monitoring - Logging - click on Start Query, what do you see in the ISA log?
0
 
ColoradoPERA (Author) Commented:
When the client browser is trying to contact an HTTPS site (https://www.wellsfargo.com), the only entry in the log for this client is:
Destination = proxy server ip address Destination port = 443 Protocol = HTTPS Action = Initiated Connection Rule = (blank) Client IP = Client's ip address
Source Network = Internal Destination Network = Local host HTTP Method = (blank) URL = (blank)
 
Every few minutes after this, the log has a Closed Connection entry and then right after it an Initiated Connection entry (both with the same info as above). The client's browser will continue to try to connect to this site, never timing out.
0
 
Keith Alabaster (Enterprise Architect) Commented:
And if you bypass ISA (turn off the proxy settings in Internet explorer) and retry, this all works OK?
0
 
ColoradoPERA (Author) Commented:
Yes, if the client is allowed through the main firewall (Checkpoint) then the client would be able to get out directly, but we do not allow typical users HTTP or HTTPS directly going out. The ISA server is allowed direct access through the main firewall.
0
 
Keith Alabaster (Enterprise Architect) Commented:
OK, thanks for the info.
Last questions. If you perform the same web page request from ISA itself, does it work? (With and without ISA's IE browser proxy set to itself and switched off.)

I get four entries in my ISA log going to this site, running from ISA itself and with IE on the server set to use itself as the proxy.
The first two are HTTPS calls to Wells Fargo: the initiation and the teardown (both outbound).
The third is the SSL-tunnel creation as an anonymous user.
The fourth is another HTTPS call, and this one displays the page complete with login section.
0
 
ColoradoPERA (Author) Commented:
ISA without proxy setting for IE can browse https sites.

ISA with proxy settings (SSL proxy set to port 443) has the same issue as the client does.
0
 
ColoradoPERA (Author) Commented:
To get HTTPS to work over VPN we set the ISA server to accept all proxy traffic over port 443 and set the browser to send all traffic over port 443.
0
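A check for the symptom discussed in this thread, added here as an example and not part of any participant's post: a browser asks a web proxy to tunnel HTTPS with a plain-text HTTP `CONNECT`, so sending one by hand shows whether the listener on a given port answers as a web proxy or only accepts the TCP session (the "Initiated Connection" entry with blank HTTP Method and URL). The function names, the `www.example.com:443` target and the `192.0.2.10` address are placeholders chosen for this example.

```python
import socket

def classify_status_line(data):
    """Map the first line of a proxy reply to a coarse diagnosis."""
    if not data:
        return ("closed-without-reply", None)
    line = data.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ", 2)
    if not parts[0].startswith("HTTP/") or len(parts) < 2 or not parts[1].isdigit():
        return ("not-http", None)        # listener speaks TLS or another protocol
    code = int(parts[1])
    if 200 <= code < 300:
        return ("tunnel-established", code)   # proxy accepted the CONNECT
    if code == 407:
        return ("proxy-auth-required", code)
    return ("non-2xx-reply", code)       # e.g. 403 or 502: rule or upstream problem

def probe_connect(proxy_host, proxy_port, target="www.example.com:443", timeout=5.0):
    """Send a plain-text CONNECT to a web proxy listener and classify the reply."""
    request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")
    try:
        sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    except OSError:
        return ("tcp-failed", None)      # nothing listening, or blocked on the path
    with sock:
        data = b""
        try:
            sock.sendall(request)
            # Read only until the status line is complete.
            while b"\r\n" not in data and len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            # TCP session accepted but no HTTP answer came back.
            return ("connected-no-http-reply", None)
        except OSError:
            return ("connection-reset", None)
    return classify_status_line(data)

if __name__ == "__main__":
    # Placeholder proxy address and port; substitute the listener under test.
    print(probe_connect("192.0.2.10", 443))
```

Running it against each candidate proxy port, from a client and from the proxy host itself, separates a listener problem from a firewall-path problem.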
 
Keith Alabaster (Enterprise Architect) Commented:
Nice work. Post a question in the community support section to get your points refunded. I have not spent nearly enough time on your call.

Regards
keith
0
 
Keith Alabaster (Enterprise Architect) Commented:
This is fine, GranMod. The asker has done a good job.

Regards
keith
0
 
GranMod Commented:
PAQ-ing the question and refunding 500 points

Thanks for your kind words, Keith!

GranMod
The Experts Exchange
Community Support Moderator of all Ages
0
