DFCRJ asked:

ISA 2004 Dropping HTTPS Connection

We've been running ISA 2004 since its early release, without problems. We have several HTTPS sites the clients use; however, we've started with a new client whose HTTPS site we access several times a day. We have several users experiencing the same problem: we can log in, but after 10 - 20 minutes we get knocked out. I watched the live logging and I can see the initial connections from clients, then a connection back from the HTTPS site. Then I can see the traffic being denied, like so:
TCP      Unidentified IP Traffic      209.16.243.84      62077            170.224.182.228            Denied Connection            5/4/2006 12:12:21 PM                  -      -            0x0                        443      0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED

I've created a rule allowing the connection to see if that would help. What else can I look for?
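The live-log rows quoted in this thread are fixed-width columns separated by runs of spaces, with the result code and its symbolic name (0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED) in the last column. The following parser, added here as an illustration and not part of the thread or of ISA itself, splits such rows (with or without the extra leading columns ISA shows when more log fields are selected), then groups the NOT_SYN drops by remote endpoint so you can see how many clients hit the same destination and over what time span. The sample lines are constructed: the addresses are RFC 5737 documentation ranges, the server name ISASRV and the "Initiated Connection" row are assumptions, and the three columns after the timestamp are not interpreted.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the column layout of the ISA 2004 live-log
# entries quoted in this thread (fields separated by two or more spaces).
# The last row carries the extra leading columns ISA shows when more log
# fields are selected. Addresses are RFC 5737 documentation ranges, not the
# thread's real hosts; the "Initiated Connection" row is assumed.
SAMPLE_LOG = """\
TCP      Unidentified IP Traffic      192.0.2.10      62077            198.51.100.7            Denied Connection            5/4/2006 12:12:21 PM                  -      -            0x0                        443      0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
TCP      Unidentified IP Traffic      192.0.2.10      62078            198.51.100.7            Denied Connection            5/4/2006 12:14:40 PM                  -      -            0x0                        443      0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
TCP      HTTPS      192.0.2.12      6101      203.0.113.5      Initiated Connection      5/4/2006 2:16:00 PM      -      -      0x0      443      0x0
0.0.0.0      ISASRV      -      -      -      0      0      0      0x0      Firewall      TCP      Unidentified IP Traffic      192.0.2.11      6048      198.51.100.7      Denied Connection      5/4/2006 2:17:03 PM      -      -      0x0      443      0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
"""

# Names for the twelve fields starting at the protocol column; col8..col10
# are the columns after the timestamp that this example does not interpret.
FIELDS = ("protocol", "rule", "src_ip", "src_port", "dst_ip", "action",
          "timestamp", "col8", "col9", "col10", "dst_port", "result")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
NOT_SYN = "FWX_E_TCP_NOT_SYN_PACKET_DROPPED"


def parse_line(line):
    """Return a dict for one live-log row, or None for headers and unknown rows."""
    parts = re.split(r"\s{2,}", line.strip())
    # Skip any leading columns: the fields we care about start at the protocol.
    try:
        start = next(i for i, p in enumerate(parts) if p in ("TCP", "UDP"))
    except StopIteration:
        return None
    parts = parts[start:]
    if len(parts) < 12 or not IP_RE.fullmatch(parts[2]) or not IP_RE.fullmatch(parts[4]):
        return None
    rec = dict(zip(FIELDS, parts[:12]))
    # The result column is "<hex code>" optionally followed by its symbolic name.
    code, _, name = rec["result"].partition(" ")
    rec["result_code"], rec["result_name"] = code, (name or None)
    rec["timestamp"] = datetime.strptime(rec["timestamp"], "%m/%d/%Y %I:%M:%S %p")
    rec["src_port"], rec["dst_port"] = int(rec["src_port"]), int(rec["dst_port"])
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def not_syn_drops(records):
    """Summarise NOT_SYN drops per remote endpoint: count, clients, time span."""
    by_peer = defaultdict(list)
    for r in records:
        if r["result_name"] == NOT_SYN:
            by_peer[(r["dst_ip"], r["dst_port"])].append(r)
    summary = {}
    for peer, recs in by_peer.items():
        times = sorted(r["timestamp"] for r in recs)
        summary[peer] = {
            "count": len(recs),
            "clients": sorted({r["src_ip"] for r in recs}),
            "span_minutes": (times[-1] - times[0]).total_seconds() / 60,
        }
    return summary


if __name__ == "__main__":
    for peer, info in not_syn_drops(parse_log(SAMPLE_LOG)).items():
        print(f"{peer[0]}:{peer[1]}  drops={info['count']}  "
              f"clients={info['clients']}  span={info['span_minutes']:.1f} min")
```

Splitting on runs of two or more spaces is what makes the row's single-space values ("Unidentified IP Traffic", "Denied Connection", the timestamp) survive as one field each; a real export should be parsed from ISA's tab- or comma-separated log files rather than the on-screen view.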
Keith Alabaster

Don't want to bore you with drivel so I'll cut to the chase. Like many products of its ilk, ISA uses stateful packet inspection and dynamic filters to create a table of traffic that flows through it. It will remember that a connection has been made from address x to address y on port z. It therefore 'expects' to see traffic come back from address y to address x. Hey, no surprises there.

The process uses a three-way handshake on TCP. The originator asks for a connection to be established. The destination responds back saying OK. The originator acknowledges the OK, the conversation commences and the table is fully formed.

The error message is saying that a packet has come in from the destination stating that it is replying to a request from the originator. ISA doesn't believe this as it cannot find a corresponding entry in its tables showing that the conversation was set up in the first place. ISA decides this is a 'syn attack' and drops the packet. If this is actually a valid conversation (and ISA screws up) then the connection will hang as the originator is still waiting for a response (that has now been dropped) and the destination is waiting for you to reply. Remember the packet has already been acknowledged as received by ISA before it decides to drop the packet. Now you have both ends sitting there thinking the other end is being ignorant.

That said....

Have you got all of the ISA service packs installed?
Any errors in the Windows event log?
Any errors in the ISA alerts? (monitoring - alerts)
Is there a particular page/action being undertaken on the HTTPS web site when the condition often appears?
What are the MTU values set to on the ISA external interfaces and the external router?

regards
Keith
ISA MCT
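The behaviour described above (a table entry created only by a SYN, advanced by the SYN-ACK and final ACK, and a later packet with no matching entry dropped) can be modelled in a few dozen lines. This is an added illustration written for this thread, a deliberately simplified stateful filter and not ISA's implementation; the 1200-second idle timeout, the flag constants and the RFC 5737 addresses are assumptions. The simulation runs a handshake, lets the originator go idle for longer than the table timeout, and then shows the server's next packet being refused with the same NOT_SYN verdict as the thread's log, which is exactly the hung-at-both-ends situation Keith describes.

```python
from dataclasses import dataclass

# TCP flag bits (standard values, defined here so the model is self-contained).
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
NOT_SYN_DROP = "FWX_E_TCP_NOT_SYN_PACKET_DROPPED"
ALLOW = "ALLOW"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    t: float  # seconds since the trace started


class StatefulFilter:
    """Simplified stateful TCP filter (a model, not ISA's code): one table entry
    per originator->responder 4-tuple, created only by a bare SYN, advanced by
    the handshake, torn down by RST or after idle_timeout seconds of silence.
    The default timeout is an assumption, not ISA's configured value."""

    def __init__(self, idle_timeout=1200.0):
        self.idle_timeout = idle_timeout
        self.table = {}  # (orig_ip, orig_port, resp_ip, resp_port) -> [state, last_seen]

    def _lookup(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)   # originator -> responder
        rev = (p.dst, p.dport, p.src, p.sport)   # responder -> originator
        if fwd in self.table:
            return fwd, "out"
        if rev in self.table:
            return rev, "in"
        return None, None

    def _expire(self, now):
        stale = [k for k, (_, last) in self.table.items() if now - last > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def state_of(self, orig, resp):
        entry = self.table.get(orig + resp)
        return entry[0] if entry else None

    def process(self, p):
        self._expire(p.t)
        key, direction = self._lookup(p)
        if key is None:
            # Only a bare SYN may open a new entry; any other packet with no
            # matching entry is the "not SYN" drop seen in the thread's log.
            if p.flags & SYN and not p.flags & ACK:
                self.table[(p.src, p.sport, p.dst, p.dport)] = ["SYN_SENT", p.t]
                return ALLOW
            return NOT_SYN_DROP
        entry = self.table[key]
        entry[1] = p.t
        if entry[0] == "SYN_SENT" and direction == "in" and p.flags & SYN and p.flags & ACK:
            entry[0] = "SYN_RECEIVED"      # responder's SYN-ACK
        elif entry[0] == "SYN_RECEIVED" and direction == "out" and p.flags & ACK:
            entry[0] = "ESTABLISHED"       # originator's final ACK
        if p.flags & RST:
            del self.table[key]            # a reset tears the entry down at once
        elif p.flags & FIN:
            entry[0] = "CLOSING"           # kept until idle expiry so the close completes
        return ALLOW


def simulate_idle_drop(idle_timeout=1200.0):
    """Handshake, one server data packet, then another server packet after
    the originator has been silent longer than the table timeout.
    Returns the verdict and the table state after each packet."""
    fw = StatefulFilter(idle_timeout)
    client, server = ("192.0.2.10", 62077), ("198.51.100.7", 443)
    trace = [
        Packet(*client, *server, SYN, 0.0),
        Packet(*server, *client, SYN | ACK, 0.1),
        Packet(*client, *server, ACK, 0.2),
        Packet(*server, *client, ACK, 0.5),
        Packet(*server, *client, ACK, 0.5 + idle_timeout + 1.0),
    ]
    verdicts, states = [], []
    for p in trace:
        verdicts.append(fw.process(p))
        states.append(fw.state_of(client, server))
    return verdicts, states


if __name__ == "__main__":
    for verdict, state in zip(*simulate_idle_drop()):
        print(f"{verdict:<35} table state: {state}")
```

The last packet is a perfectly valid segment from the server's point of view, which is why the server keeps waiting: the filter acknowledged nothing, it simply forgot the conversation.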


ASKER

(1) No - I'll update to SP1 immediately to eliminate that
(2) In the event log:
Event Type:      Warning
Event Source:      Microsoft Firewall
Event Category:      Packet filter
Event ID:      15105
Date:            5/4/2006
Time:            12:12:23 PM
User:            N/A
Computer:      DFRSVR5
Description:
ISA Server detected an all port scan attack from Internet Protocol (IP) address 170.224.182.228.

(3) Just came in: Description: ISA Server detected a port scan attack from Internet Protocol (IP) address 170.224.182.228. A well-known port is any port in the range of 1-2048.

(4) No, I was idle for 1 minute and got kicked out; the next time it sat there 5 minutes. Everyone is different.

(5) MTU is 1300 decimal


thanks

OK. The port scan can be turned off temporarily. A lot of people see this as an issue, but ISA 2006 seems to be a lot less sensitive.
Open the GUI.
Select configuration - general - intrusion detection.
The bottom option should be port scan. Untick it and save the policy.

See if the problem persists.

ASKER

Ok, done - I'm starting the connection now
If you are still running the live log, it would be worthwhile checking that the error doesn't change.

ASKER

We're going down like flies. I had a couple of other users connect also, 3 minutes to 5 minutes.
Here's the live log.
Method      URL      Network Interface      Error Information      Destination Host Name      Source Proxy      Destination Proxy      Source Port      Result Code
0.0.0.0                         DFRSVR5      -      -                  -                  0      0      0            0x0      Firewall      TCP      Unidentified IP Traffic      209.16.243.84           6048            170.224.182.228            Denied Connection            5/4/2006 2:17:03 PM                  -      -            0x0                        443      0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
OK.

We've tried the stock answer; had to be done. Assuming you have now installed the service pack:

Can you place/do you have a workstation between the ISA server and the external gateway/router/firewall?
Ethereal (www.ethereal.com) is a free protocol analyser. Can you download and install it, please?

What we are doing is monitoring the traffic that comes into ISA through your external interfaces. We are looking for return packets that may not have the SYN bit set. In addition, we can test the SSL connection externally from ISA to ensure that there is not a wider issue.

Also, how are your clients connecting?
SecureNAT?
Web Proxy?
ISA firewall?
A combination of the above?

ASKER

Ok got it
All clients are connecting SecureNAT/Web Proxy - I'm going to test the client piece -

ASKER

Actually, my workstation is behind the ISA. There is no other connection between the ISA and the router.
Thanks. So your traffic should be hitting the ISA for internal users on port 8443, correct? (as you are using the proxy client).
Configured in the GUI: configuration - networks - internal - web proxy

option to enable http & https

ASKER

Well, actually, they have HTTP on 8080 and HTTPS 8443 is not checked.

ASKER

Hey, thanks for everything you're doing. I have to leave now and go get my kids. I'm going to try and work on this tonight from home. I want to see how long I can stay connected from there.
OK
So you are web proxying HTTP but just SecureNATting HTTPS. That's cool. In this fashion, ISA is just 'handing on' the HTTPS to the external router/firewall after NATting, whereas the HTTP is terminated on the ISA and a new connection created for on-going. Sorry if I am being boring, but just trying to fill in the detail for you.

Personally (given any constraints you may have on a production network etc.), I would enable the HTTPS proxy, set my IE browser to use 8443 for HTTPS traffic and retest. An alternative test would be to sit at the ISA server, turn off the proxy settings on the ISA server browser, and see what happens when you visit the site. You will need to have ensured that the 'local host' has been added to the allowed outgoing devices in the 'from' box.

OK, it's now 9.30PM here but I will be around in the morning to pick up any messages and try to reply.

regards
keith
ISA MCT

ASKER

Thanks for all your help. I've worked on this thing and still can't get it. I'm running tests at home and office (VPN) to see if a time out is occurring. I'm traveling tomorrow so can't look at it again until Saturday. If I discover something, I'll post.

ASKER

Ok, well I was disconnected exactly 13 minutes in from my Workstation, from my home pc I'm still going strong
The error at the exact time was my Internal to External Rule; it wasn't a deny but rather a Failed Connection Attempt, if that provides any clue.
OK. I've added this call to my list.

ASKER

Well, I've read, studied, tested and cried, but none of it helped. However, something interesting happened yesterday afternoon that was puzzling. I had to go to a meeting in another office of ours that's connected through VPN with a PIX. Their internet of course goes through our ISA box; they were giving a presentation back to their HTTPS site and they did so without ever losing connection. In fact it was the exact same site all the other users are losing connection to. The only differences were (a) the laptop being used in the demo was not part of our domain, just a guest, and (b) their IE proxy server was blank, of course.

So I was thinking, if I could change the ISA to allow connections to HTTPS when the IE proxy settings were not checked, maybe it would work.
Open the GUI,
select configuration - networks - internal - webproxy.
Untick the use HTTPS section. Now ISA will accept SSL on 443 from clients, not 8443. This option should not have been selected though; in fact I have never seen it turned on before.

Will you humour me for a minute and have a look at this link? This is what I use for this.
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/client_ssl.mspx?pf=true

ASKER

thanks for the link. On the Webproxy, the https was not checked only the http for 8080.
Has the link helped, though? That will be the test :)

ASKER

I went through the link, but I haven't created a cert to add anywhere. I'd already had the access rule in place.
But here's something. If I connect to the site and then uncheck my proxy settings in IE, the connection never drops. Had two people test it today for 6 hours. No problem.

Should I remove the GP for all users and not use web proxy and only have SecureNAT clients? What would happen?
You would simply be using ISA as a packet filter/firewall rather than a proxy server.

ASKER

Forgive me, but would that make a huge difference in security, etc.?
I'd like to install the FWC eventually anyway
ASKER CERTIFIED SOLUTION
Keith Alabaster

ASKER

When I place the 80 in I can't go to any website - HTTP or HTTPS.

I guess I can separate those users for this particular web site and have them be secure nat only... Not something I want but a workaround.

ASKER

Well, looking at the logs now I see ISA denying my connection to the Local Host on port 8080 while I'm connected to the site. I have no idea why or how it's doing that. Do you by chance know any good articles I can read on the basics of ISA 2004? I've been to ISASERVER but too much information.
Anyway, I'm tired of this and you probably are too, so I'll do a workaround and if I stumble onto something I'll let you know.
Thanks for all your help, very much appreciated.
You're welcome; this has indeed been a bit of a pig.

Port 8080 is the ISA server web proxy port. On my own ISA servers, I have a rule allowing ALL protocols between internal & localhost and vice versa. I then control what traffic can go between local host and external and also internal and external.

I will put some links into this post this evening when I get home from work.

Regards
Keith

ASKER

Thanks for all the help, I'll certainly read up.

ASKER

Hey check this out, after thinking about it, I enabled the SOCKS v4 Filter inside the Add-Ins, then changed the SOCKS port from 8080 to 1080 inside IE and connected to the https site - stayed connected this morning for over 3 hours!!
Beats me, but it must be something on the web site that's unique :)
lol, that's a new one on me!! Thanks for the tip