Solved

ISA 2004 Dropping HTTPS Connection

Posted on 2006-05-04
Last Modified: 2013-11-16
We've been running ISA 2004 since its early release, without problems. We have several HTTPS sites the clients use; however, we've started with a new client whose HTTPS site we access several times a day. We have several users experiencing the same problem: we can log in but after 10 - 20 minutes get knocked out. I watched the live logging and I can see the initial connections from clients, then a connection back from the HTTPS site. Then I can see the traffic being denied, like so:
TCP      Unidentified IP Traffic      209.16.243.84      62077            170.224.182.228            Denied Connection            5/4/2006 12:12:21 PM                  -      -            0x0                        443      0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED

I've created a rule allowing the connection to see if that would help. What else can I look for?
Question by:DFCRJ

Expert Comment

by:Keith Alabaster
ID: 16608244
Don't want to bore you with drivel so I'll cut to the chase. Like many products of its ilk, ISA uses stateful packet inspection and dynamic filters to create a table of traffic that flows through it. It will remember that a connection has been made from address x to address y on port z. It therefore 'expects' to see traffic come back from address y to address x. Hey, no surprises there.

The process uses a three-way handshake on TCP. The originator asks for a connection to be established. The destination responds back saying OK. The originator acknowledges the OK and the conversation commences and the table is fully formed.

The error message is saying that a packet has come in from the destination stating that it is replying to a request from the originator. ISA doesn't believe this as it cannot find a corresponding entry in its tables showing that the conversation was set up in the first place. ISA decides this is a 'syn attack' and drops the packet. If this is actually a valid conversation (and ISA screws up) then the connection will hang as the originator is still waiting for a response (that has now been dropped) and the destination is waiting for you to reply. Remember the packet has already been acknowledged as received by ISA before it decides to drop the packet. Now you have both ends sitting there thinking the other end is being ignorant.

That said....

Have you got all of the ISA service packs installed?
Any errors in the Windows event log?
Any errors in the ISA alerts? (monitoring - alerts)
Is there a particular page/action being undertaken on the HTTPS web site when the condition often appears?
What are the MTU values set to on the ISA external interfaces and the external router?

regards
Keith
ISA MCT

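The state table Keith describes, as an added illustration that is not from the thread or from ISA itself: a toy stateful firewall in Python in which a SYN creates an entry, every other TCP packet must match an existing entry, and entries age out after an assumed idle timeout (the 60-second value is an assumption, not ISA's real setting). The addresses and ports are the ones in the posted log line; the packet timeline is constructed and shows how an idle gap turns a legitimate mid-stream packet into a FWX_E_TCP_NOT_SYN_PACKET_DROPPED denial.

```python
from dataclasses import dataclass, field

SYN, ACK = 0x02, 0x10  # TCP flag bits we care about


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    t: float  # arrival time in seconds


@dataclass
class StatefulFirewall:
    """Toy connection table: a SYN creates an entry, anything else must match one."""
    idle_timeout: float = 60.0  # assumed idle limit for the illustration, not ISA's value
    table: dict = field(default_factory=dict)

    def inspect(self, pkt: Packet) -> str:
        # Age out entries that have been quiet longer than the idle timeout.
        stale = [k for k, last in self.table.items() if pkt.t - last > self.idle_timeout]
        for k in stale:
            del self.table[k]
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.table[fwd] = pkt.t            # originator's SYN: remember x -> y
            return "ALLOWED: new connection recorded"
        for key in (fwd, rev):
            if key in self.table:
                self.table[key] = pkt.t        # refresh last-seen time for the flow
                return "ALLOWED: matches existing connection"
        # Non-SYN packet with no table entry: the 0xc0040017 case in the live log.
        return "DENIED: FWX_E_TCP_NOT_SYN_PACKET_DROPPED"


def simulate() -> list:
    """Constructed timeline using the addresses from the thread's log line."""
    client, server = ("209.16.243.84", 62077), ("170.224.182.228", 443)
    fw = StatefulFirewall(idle_timeout=60.0)
    flow = [
        Packet(*client, *server, SYN, 0.0),        # handshake step 1
        Packet(*server, *client, SYN | ACK, 0.1),  # step 2
        Packet(*client, *server, ACK, 0.2),        # step 3, table fully formed
        Packet(*server, *client, ACK, 30.0),       # TLS data inside the idle window
        Packet(*client, *server, ACK, 780.0),      # ~13 min idle, entry has aged out
    ]
    return [fw.inspect(p) for p in flow]
```

Running `simulate()` allows the first four packets and denies the fifth, which is the same direction (client to server port 443) as the denied entry in the posted log.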

Author Comment

by:DFCRJ
ID: 16608382
(1) No - I'll update to SP1 immediately to eliminate that.
(2) In the event log:
Event Type:      Warning
Event Source:      Microsoft Firewall
Event Category:      Packet filter
Event ID:      15105
Date:            5/4/2006
Time:            12:12:23 PM
User:            N/A
Computer:      DFRSVR5
Description:
ISA Server detected an all port scan attack from Internet Protocol (IP) address 170.224.182.228.

(3) Just came in: Description: ISA Server detected a port scan attack from Internet Protocol (IP) address 170.224.182.228. A well-known port is any port in the range of 1-2048.

(4) No, I was idle for 1 minute and got kicked out; the next time it sat there 5 minutes. Everyone is different.

(5) MTU is 1300 decimal


thanks


Expert Comment

by:Keith Alabaster
ID: 16608812
OK. The port scan can be turned off temporarily. A lot of people see this as an issue but ISA 2006 seems to be a lot less sensitive.
Open the GUI.
Select configuration - general - intrusion detection.
Bottom option should be port scan. Untick it and save the policy.

See if the problem persists.

Author Comment

by:DFCRJ
ID: 16608849
Ok, done - I'm starting the connection now.

Expert Comment

by:Keith Alabaster
ID: 16608896
If you are still running the live log, it would be worthwhile checking the error doesn't change.

Author Comment

by:DFCRJ
ID: 16608975
We're going down like flies. I had a couple of other users connect also; 3 minutes to 5 minutes.
Here's the live log.
Method      URL      Network Interface      Error Information      Destination Host Name      Source Proxy      Destination Proxy      Source Port      Result Code
0.0.0.0                         DFRSVR5      -      -                  -                  0      0      0            0x0      Firewall      TCP      Unidentified IP Traffic      209.16.243.84           6048            170.224.182.228            Denied Connection            5/4/2006 2:17:03 PM                  -      -            0x0                        443      0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED

Expert Comment

by:Keith Alabaster
ID: 16609045
OK.

We've tried the stock answer; had to be done. Assuming you have now installed the service pack:

Can you place/do you have a workstation between the ISA server and the external gateway/router/firewall?
(www.ethereal.com) Ethereal is a free protocol analyser. Can you download and install it please?

What we are doing is monitoring the traffic that comes into ISA through your external interfaces. We are looking for return packets that may not have the SYN bit set. In addition, we can test the SSL connection external from ISA to ensure that there is not a wider issue.

Also, how are your clients connecting?
SecureNAT?
Web Proxy?
ISA firewall?
Combination of the above?

Author Comment

by:DFCRJ
ID: 16609234
Ok, got it.
All clients are connecting SecureNAT/Web Proxy - I'm going to test the client piece -

Author Comment

by:DFCRJ
ID: 16609290
Actually my workstation is behind the ISA. There is no other connection between the ISA and the router.

Expert Comment

by:Keith Alabaster
ID: 16609293
Thanks. So your traffic should be hitting the ISA for internal users on port 8443, correct? (as you are using the proxy client).
Configured in the GUI - configuration - networks - internal - web proxy

option to enable http & https

Author Comment

by:DFCRJ
ID: 16609311
Well actually, they have http 8080 and the https 8443 is not checked.

Author Comment

by:DFCRJ
ID: 16609412
Hey, thanks for everything you're doing. I have to leave now and go get my kids. I'm going to try and work on this tonight from home. I want to see how long I can stay connected from there.

Expert Comment

by:Keith Alabaster
ID: 16609479
OK
So you are web proxying http but just Secure NATting https. That's cool. In this fashion, ISA is just 'handing on' the https to the external router/firewall after nat'ting, whereas the http is terminated on the ISA and a new connection created for on-going. Sorry if I am being boring but just trying to fill in the detail for you.

Personally (given any constraints you may have on a production network etc), I would enable the https proxy, set my IE browser to use 8443 for https traffic and retest. An alternative test would be to sit at the ISA server, turn off the proxy settings on the ISA server browser, and see what happens when you visit the site. You will need to have ensured that the 'local host' has been added to the allowed outgoing devices in the 'from' box.


Expert Comment

by:Keith Alabaster
ID: 16609485
OK, it's now 9.30PM here but I will be around in the morning to pick up any messages and try to reply.

regards
keith
ISA MCT

Author Comment

by:DFCRJ
ID: 16611526
Thanks for all your help, I've worked on this thing and still can't get it. I'm running tests at home and office (VPN) to see if a time out is occurring. I'm traveling tomorrow so can't look at it again until Saturday. If I discover something, I'll post.

Author Comment

by:DFCRJ
ID: 16611577
Ok, well I was disconnected exactly 13 minutes in from my workstation; from my home PC I'm still going strong.
The error at the exact time was my Internal to External rule. It wasn't a deny but rather a Failed Connection Attempt, if that provides any clue.

Expert Comment

by:Keith Alabaster
ID: 16612239
OK. I've added this call to my list.

Author Comment

by:DFCRJ
ID: 16623375
Well, I've read, studied, tested and cried but none of it helped. However, something interesting happened yesterday afternoon that was puzzling. I had to go to a meeting in another office of ours that's connected through VPN with a PIX. Their internet of course goes through our ISA box; they were giving a presentation back to their HTTPS site and they did so without ever losing connection. In fact it was the exact same site all the other users are losing connection to. The only differences were (1) the laptop being used in the demo was not part of our domain, just a guest, and (2) its IE proxy server setting was blank, of course.

So I was thinking, if I could change the ISA to allow connections to https when the IE proxy settings were not checked, maybe it would work.

Expert Comment

by:Keith Alabaster
ID: 16624513
Open the GUI,
select configuration - networks - internal - webproxy.
Untick the 'use https' section. Now ISA will accept SSL on 443 from clients, not 8443. This option should not have been selected though; in fact I have never seen it turned on before.

Will you humour me for a minute and have a look at this link? This is what I use for this.
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/client_ssl.mspx?pf=true

Author Comment

by:DFCRJ
ID: 16629951
Thanks for the link. On the Webproxy, the https was not checked, only the http for 8080.

Expert Comment

by:Keith Alabaster
ID: 16632306
Has the link helped though, that will be the test :)

Author Comment

by:DFCRJ
ID: 16634387
I went through the link - but I haven't created a cert to add anywhere. I'd already had the access rule in place.
But here's something. If I connect to the site and then uncheck my proxy settings from IE, the connection never drops. Had two people test it today for 6 hours. No problem.

Should I remove the GP for all users and not use web proxy and only have SecureNAT clients?? What would happen??

Expert Comment

by:Keith Alabaster
ID: 16634797
You would simply be using ISA as a packet filter/firewall rather than a proxy server.

Author Comment

by:DFCRJ
ID: 16634965
forgive me, but would that make a huge difference in security, etc?
I'd like to install the FWC eventually anyway

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 16636818
Not necessarily, depends on the config. The fact that all traffic will still pass through ISA anyway (as you are SecureNAT) means that you can still filter all traffic in and out. The difference though is that you are not using ISA to 'proxy' your traffic for you. In effect, ISA is acting more like a router now with access control lists; it is still providing security but in a different way.

If you are having success by just using SecureNAT, that is a huge step forward.

What if you put the IE proxy settings back in but use port 80 in the port number box rather than port 8080 for all protocols? This is called transparent proxy. Does the connection carry on working or does it time out?


Author Comment

by:DFCRJ
ID: 16638370
When I place the 80 in I can't go to any website - http or https.

I guess I can separate those users for this particular web site and have them be secure nat only... Not something I want but a workaround.

Author Comment

by:DFCRJ
ID: 16638617
Well, looking at the logs now I see ISA denying my connection to the Local Host on port 8080 while I'm connected to the site. I have no idea why or how it's doing that. Do you by chance know any good articles I can read on the basics of ISA 2004? I've been to ISASERVER but too much information.
Anyway, I'm tired of this and you probably are too, so I'll do a workaround and if I stumble onto something I'll let you know.
Thanks for all your help, very much appreciated.

Expert Comment

by:Keith Alabaster
ID: 16639068
You're welcome, this has indeed been a bit of a pig.

Port 8080 is the ISA server webproxy port. On my own ISA servers, I have a rule allowing ALL protocols between internal & localhost and vice versa. I then control what traffic can go between local host to external and also internal to external.

I will put some links into this post this evening when I get home from work.

Regards
Keith

Author Comment

by:DFCRJ
ID: 16657369
Thanks for all the help, I'll certainly read up.

Expert Comment

by:Keith Alabaster
ID: 16660559
:)

Author Comment

by:DFCRJ
ID: 16660599
Hey, check this out: after thinking about it, I enabled the SOCKS v4 Filter inside the Add-Ins, then changed the SOCKS port from 8080 to 1080 inside IE and connected to the https site - stayed connected this morning for over 3 hours!!
Beats me, but it must be something on the web site that's unique :)

Expert Comment

by:Keith Alabaster
ID: 16660648
lol, that's a new one on me!! Thanks for the tip.