Solved

ISA Server 2004

Posted on 2006-04-25
Last Modified: 2013-11-16
Hello

I'm a newbie with the ISA... having fun with it so far... Having a small issue with SSL-Tunnel. I am trying to connect to a device on the internal network (https://ip address:10000); this is a 3rd party spam filter that requires you to use https and port 10000 to get to the admin interface. If I have the proxy address of the PC pointing to the ISA server, I get the error 502 Proxy error. I know the default port for SSL is 443. I can get to banking sites and other secure sites fine. Is there a way to configure this without extending the port ranges of SSL?? Is there a downside to extending the SSL ports??? Any info is appreciated.

Question by: TimMcGrath

16 Comments

Expert Comment by: Keith Alabaster (ID: 16541315)

Sounds like you are using Proofpoint.

Yes, you need to extend the SSL ports that ISA uses, or you can use the MS method:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/client_ssl.mspx?pf=true

Extend ports:
http://www.isaserver.org/articles/2004tunnelportrange.html



Author Comment by: TimMcGrath (ID: 16542976)

Keith,

Thanks for the reply. Yes, I am using Proofpoint. Is this common when using Proofpoint (extending the range)? The weird thing is, if I take out the proxy settings on the management PC it will make the connection, sometimes...??? Other times it does not. Is there any downside to extending the port range?

Expert Comment by: Keith Alabaster (ID: 16543293)

Two options. (I know as we use Proofpoint as well).

1. Put the IP addresses of your Proofpoint devices into the Exceptions area within the IE browser Proxy section so that these bypass ISA.
--- or ---
2. Extend the range of SSL ports that ISA will forward from the default on port 443 only.

We use option 1.

Regards

Keith
ISA MCT

Author Comment by: TimMcGrath (ID: 16543637)

Keith,

I tried putting the IP address in the exception range; that is how I had it set up originally, and again it would connect at times and other times it would not. The connection to the Proofpoint box is fine. I have run a continuous ping, and everything looks fine. I have tried removing the proxy settings altogether; it will connect once and then if you try to get back in you get "page cannot be displayed". Could it be an issue with the cert?

Could you explain part 2? Should I add a new range that contains the port for Proofpoint?

Accepted Solution by: Keith Alabaster (earned 600 total points, ID: 16547000)

OK. By default, ISA forwards any https traffic on port 443 regardless of the port you may specify in the browser. You need ISA to forward on port 10000 (for normal admin connectivity) and port 10010 (to connect to the Proofpoint Console to administer the Proofpoint operating system etc.).

So, in effect, you now need to set the port range from 443 - 10010.

Use the link above for the walkthrough.

For us the exclusion works all the time. The one issue we had with the Proofpoint (we have 2 x P800 appliances) was that the return routes had not been set up correctly, so sometimes we could not get a connection at all; however, it was never intermittent.
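The tunnel port range change Keith describes, as an added example that is not from this thread or from Microsoft's walkthrough: a VBScript against the ISA 2004 administration COM object (FPC.Root, assumed here to follow the documented FPCTunnelPortRanges model) that adds single-port ranges for 10000 and 10010 rather than one 443-10010 span, so only the two ports the appliance actually uses become tunnel-able. It assumes it is run with cscript on the ISA server by an ISA administrator; the range names are arbitrary labels.

```vbscript
' Added example (not from the thread): extend the ISA 2004 SSL tunnel port
' range with two narrow entries instead of one wide 443-10010 span.
' Assumes the FPC.Root COM object model of ISA Server 2004.
Option Explicit

Dim objFPC, objArray, objRanges, objRange, lngPort

' FPC.Root is the ISA Server administration COM object
Set objFPC = CreateObject("FPC.Root")
Set objArray = objFPC.GetContainingArray
Set objRanges = objArray.ArrayPolicy.WebProxy.TunnelPortRanges

' Show what is currently tunnelled (443 only on a default install)
WScript.Echo "Existing tunnel port ranges:"
For Each objRange In objRanges
    WScript.Echo "  " & objRange.Name & ": " & _
        objRange.TunnelLowPort & "-" & objRange.TunnelHighPort
Next

' Proofpoint admin (10000) and console (10010) ports from the thread,
' each added as its own single-port range
For Each lngPort In Array(10000, 10010)
    If RangeCovers(objRanges, lngPort) Then
        WScript.Echo "Port " & lngPort & " already covered, skipping"
    Else
        objRanges.AddRange "SSL " & lngPort, lngPort, lngPort
        WScript.Echo "Added tunnel range for port " & lngPort
    End If
Next

' Commit the change to ISA storage
objRanges.Save
WScript.Echo "Saved."

' Returns True when an existing range already includes the port
Function RangeCovers(ranges, port)
    Dim r
    RangeCovers = False
    For Each r In ranges
        If port >= r.TunnelLowPort And port <= r.TunnelHighPort Then
            RangeCovers = True
        End If
    Next
End Function
```

Keeping each extra port in its own range means the web proxy still refuses CONNECT to everything between 444 and 9999, which a single 443-10010 range would allow.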

Author Comment by: TimMcGrath (ID: 16561285)

Keith,

I extended the port range, and it seemed to connect. While going through different options within the Proofpoint mgmt console I got a 502 proxy error, Connection refused. If I close IE and re-open (several times) it will re-issue the cert and allow me back in????? I am going to run the monitor and will post my results.

Thanks again for the help

Author Comment by: TimMcGrath (ID: 16561420)

Keith,

Ok... seems the connection is working a lot better. I spent the last 30 minutes browsing around in Proofpoint with no problems. Got out and tried to get back in and got the same error. Waited a few seconds and re-opened it, and it let me in. In the logs it displays SSL ALLOWED Connection; every few times it is followed by a failed connection. Any ideas?

Expert Comment by: Keith Alabaster (ID: 16564434)

Check the nic interfaces are both running at 100Mb full duplex (ISA external and proofpoint). I think proofpoint is auto by default but can't remember. I'm at home now so can't check. The fact it now connects correctly will limit the changes you will want to make on the ISA end but we can review that next week.

Author Comment by: TimMcGrath (ID: 16564577)

Sounds good,

I will check both and get back to you by next week... Thanks for the help!

Expert Comment by: Keith Alabaster (ID: 16564753)

:) Have a good weekend

Author Comment by: TimMcGrath (ID: 16564862)

you do the same

Expert Comment by: Keith Alabaster (ID: 16609790)

How did it go Tim?

Author Comment by: TimMcGrath (ID: 16609903)

Keith,
Sorry I didn't get back to you, been a crazy week... and weekend! I changed the port range, and was still having the same problem! Over the weekend I did some more testing. Ready for this one... Our Maint dept has these old crazy coaxial routers. Someone in Maint decided they would plug one in. This thing happened to have the same IP address as the Proofpoint server!!!!! So after I hunted this thing down and pulled the plug on it... things were working great!!! This guy found this thing in an old closet and decided to play with it. These things were taken out of our district way before my time. How he found it, or better yet why he plugged it in, is beyond me!!!
Thanks for all your help. Love the proofpoint box, does an excellent job.

Expert Comment by: Keith Alabaster (ID: 16612262)

I'm staggered but really pleased. Nice work Sherlock, well done.

I would not have picked up on coaxial routers I have to say :)

Regards
Keith

Author Comment by: TimMcGrath (ID: 16613122)

I was not a happy camper about the situation! Lots of time scratching my head and going through docs that were about 8 years old... the previous admin had things all over the place, no network diagrams of any sort, and documentation that was all over the place! I shut the box off and was still able to ping the address... needless to say after that the real fun started! Found some old dusty binder in our storage area with a list of IP addresses put together by some vendor... and there it was.

Thanks again for your help... I believe this is the 2nd problem on the ISA server that you've hooked me up with!

Thanks, it is greatly appreciated!

Tim

Expert Comment by: Keith Alabaster (ID: 16617379)

Glad to be of service Tim and yes, this is the second. Most of us on firewalls have our niche areas. lrmoore, nodisco, calvinetter and others seem to deal with the Ciscos, some deal with the Checkpoint & Netscreen devices, some of us including me deal with ISA.

Regards and have a good weekend.

Keith