DFCRJ
asked on
ISA 2004 Dropping HTTPS Connection
We've been running ISA 2004 since its early release, without problems. We have several HTTPS sites the clients use; however, we've started with a new client whose HTTPS site we access several times a day. We have several users experiencing the same problem: we can log in, but after 10 - 20 minutes we get knocked out. I watched the live logging and I can see the initial connections from clients, then a connection back from the HTTPS site. Then I can see the traffic being denied, like so:
TCP Unidentified IP Traffic 209.16.243.84 62077 170.224.182.228 Denied Connection 5/4/2006 12:12:21 PM - - 0x0 443 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
I've created a rule allowing the connection to see if that would help. What else can I look for?
ASKER
(1) No - I'll update the SP1 immediately to eliminate that
(2) In the event log:
Event Type: Warning
Event Source: Microsoft Firewall
Event Category: Packet filter
Event ID: 15105
Date: 5/4/2006
Time: 12:12:23 PM
User: N/A
Computer: DFRSVR5
Description:
ISA Server detected an all port scan attack from Internet Protocol (IP) address 170.224.182.228.
(3) just came in: Description: ISA Server detected a port scan attack from Internet Protocol (IP) address 170.224.182.228. A well-known port is any port in the range of 1-2048.
(4) No, I was idle for 1 minute and got kicked out; the next time it sat there 5 minutes. Everyone is different.
(5) MTU is 1300 decimal
thanks
OK. The port scan can be turned off temporarily. A lot of people see this as an issue but ISA2006 seems to be a lot less sensitive.
Open the GUI.
Select Configuration - General - Intrusion Detection.
The bottom option should be port scan. Untick it and save the policy.
See if the problem persists.
ASKER
Ok, done - I'm starting the connection now
If you are still running the live log, it would be worthwhile checking that the error doesn't change.
ASKER
We're going down like flies. I had a couple of other users connect also; 3 minutes to 5 minutes.
Here's the live log.
Method URL Network Interface Error Information Destination Host Name Source Proxy Destination Proxy Source Port Result Code
0.0.0.0 DFRSVR5 - - - 0 0 0 0x0 Firewall TCP Unidentified IP Traffic 209.16.243.84 6048 170.224.182.228 Denied Connection 5/4/2006 2:17:03 PM - - 0x0 443 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
OK.
We've tried the stock answer; it had to be done. Assuming you have now installed the service pack:
Can you place (or do you have) a workstation between the ISA server and the external gateway/router/firewall?
Ethereal (www.ethereal.com) is a free protocol analyser. Can you download and install it, please?
What we are doing is monitoring the traffic that comes into ISA through your external interface. We are looking for return packets that may not have the SYN bit set. In addition, we can test the SSL connection externally from ISA to ensure that there is not a wider issue.
Also, how are your clients connecting?
SecureNAT?
Web Proxy?
ISA firewall client?
A combination of the above?
ASKER
Ok got it
All clients are connecting as SecureNAT/Web Proxy. I'm going to test the client piece.
ASKER
Actually, my workstation is behind the ISA. There is no other connection between the ISA and the router.
Thanks. So your traffic should be hitting the ISA for internal users on port 8443, correct? (as you are using the proxy client).
Configured in the GUI: Configuration - Networks - Internal - Web Proxy.
There is an option to enable HTTP & HTTPS.
ASKER
Well, actually, they have HTTP on 8080, and HTTPS on 8443 is not checked.
ASKER
Hey, thanks for everything you're doing. I have to leave now and go get my kids. I'm going to try and work on this tonight from home. I want to see how long I can stay connected from there.
OK
So you are web proxying HTTP but just SecureNATting HTTPS. That's cool. In this fashion, ISA is just 'handing on' the HTTPS to the external router/firewall after NATting it, whereas the HTTP is terminated on the ISA and a new connection is created for the onward leg. Sorry if I am being boring, but I am just trying to fill in the detail for you.
Personally (given any constraints you may have on a production network etc.), I would enable the HTTPS proxy, set my IE browser to use 8443 for HTTPS traffic and retest. An alternative test would be to sit at the ISA server, turn off the proxy settings in the ISA server's browser, and see what happens when you visit the site. You will need to have ensured that 'Local Host' has been added to the allowed outgoing devices in the 'From' box.
OK. It's now 9.30PM here, but I will be around in the morning to pick up any messages and try to reply.
regards
keith
ISA MCT
ASKER
Thanks for all your help. I've worked on this thing and still can't get it. I'm running tests at home and at the office (VPN) to see if a timeout is occurring. I'm travelling tomorrow, so I can't look at it again until Saturday. If I discover something, I'll post.
ASKER
OK, well, I was disconnected exactly 13 minutes in from my workstation; from my home PC I'm still going strong.
The error at the exact time was on my Internal to External rule. It wasn't a deny but rather a Failed Connection Attempt, if that provides any clue.
OK. I've added this call to my list.
ASKER
Well, I've read, studied, tested and cried, but none of it helped. However, something interesting happened yesterday afternoon that was puzzling. I had to go to a meeting in another office of ours that's connected through a VPN with a PIX. Their internet of course goes through our ISA box. They were giving a presentation back to their HTTPS site and they did so without ever losing the connection. In fact it was the exact same site all the other users are losing their connection to. The only differences were (A) the laptop being used in the demo was not part of our domain, just a guest, and (B) its IE proxy settings were blank, of course.
So I was thinking: if I could change the ISA to allow connections to HTTPS when the IE proxy settings are not checked, maybe it would work.
Open the GUI,
select Configuration - Networks - Internal - Web Proxy.
Untick the 'use HTTPS' section. Now ISA will accept SSL on 443 from clients, not 8443. This option should not have been selected, though; in fact I have never seen it turned on before.
Will you humour me for a minute and have a look at this link? This is what I use for this.
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/client_ssl.mspx?pf=true
ASKER
Thanks for the link. On the Web Proxy, HTTPS was not checked, only HTTP on 8080.
Has the link helped, though? That will be the test :)
ASKER
I went through the link, but I haven't created a cert to add anywhere. I'd already had the access rule in place.
But here's something. If I connect to the site and then uncheck my proxy settings in IE, the connection never drops. I had two people test it today for 6 hours. No problem.
Should I remove the GP for all users, not use Web Proxy, and only have SecureNAT clients?? What would happen??
You would simply be using ISA as a packet filter/firewall rather than a proxy server.
ASKER
Forgive me, but would that make a huge difference in security, etc.?
I'd like to install the FWC eventually anyway
ASKER CERTIFIED SOLUTION
ASKER
When I place the 80 in, I can't go to any website, HTTP or HTTPS.
I guess I can separate those users for this particular web site and have them be SecureNAT only... Not something I want, but a workaround.
ASKER
Well, looking at the logs now I see ISA denying my connection to the Local Host on port 8080 while I'm connected to the site. I have no idea why or how it's doing that. Do you by chance know any good articles I can read on the basics of ISA 2004? I've been to ISASERVER, but there's too much information.
Anyway, I'm tired of this and you probably are too, so I'll do a workaround, and if I stumble onto something I'll let you know.
Thanks for all your help, very much appreciated.
You're welcome; this has indeed been a bit of a pig.
Port 8080 is the ISA server web proxy port. On my own ISA servers, I have a rule allowing ALL protocols between Internal and Local Host and vice versa. I then control what traffic can go from Local Host to External and also from Internal to External.
I will put some links into this post this evening when I get home from work.
Regards
Keith
HTTP filtering
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/httpfiltering.mspx#ERWAE
Proxy traffic
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ts_proxy_traffic.mspx
Web server Publishing
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/publishingwebservers.mspx
general good info
http://www.techtutorials.info/2003isa.html
Regards
keith
ASKER
Thanks for all the help, I'll certainly read up.
:)
ASKER
Hey, check this out: after thinking about it, I enabled the SOCKS v4 filter inside the Add-ins, then changed the SOCKS port from 8080 to 1080 inside IE and connected to the HTTPS site. It stayed connected this morning for over 3 hours!!
Beats me, but it must be something on the web site that's unique :)
lol, that's a new one on me!! Thanks for the tip.
The process uses a three-way handshake on TCP. The originator asks for a connection to be established. The destination responds back saying OK. The originator acknowledges the OK, the conversation commences and the table entry is fully formed.
The error message is saying that a packet has come in from the destination stating that it is replying to a request from the originator. ISA doesn't believe this, as it cannot find a corresponding entry in its tables showing that the conversation was set up in the first place. ISA decides this is a 'SYN attack' and drops the packet. If this is actually a valid conversation (and ISA screws up), then the connection will hang, as the originator is still waiting for a response (that has now been dropped) and the destination is waiting for you to reply. Remember, the packet has already been acknowledged as received by ISA before it decides to drop the packet. Now you have both ends sitting there thinking the other end is being ignorant.
That said....
Have you got all of the ISA service packs installed?
Any errors in the Windows event log?
Any errors in the ISA alerts? (Monitoring - Alerts)
Is there a particular page/action being undertaken on the HTTPS web site when the condition often appears?
What are the MTU values set to on the ISA external interface and the external router?
regards
Keith
ISA MCT
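The explanation above of the three-way handshake and the connection table can be seen in miniature with a toy stateful firewall. The following Python is an added example written for this thread; it is not ISA code and not the posters' own. It tracks outbound TCP flows by 4-tuple, advances each entry through the SYN / SYN-ACK / ACK states, and drops any non-SYN packet that matches no entry, labelling the drop with the FWX_E_TCP_NOT_SYN_PACKET_DROPPED name quoted in the thread. To reproduce the asker's symptom (a session that works and then dies after some minutes), the model gives entries an idle timeout; that timeout, its value, and the simplified packet flags are assumptions used for illustration, since the thread never establishes why ISA lost the entry. The client and server addresses are the ones from the posted log lines.

```python
"""Toy stateful firewall: why a packet without SYN and without a matching
connection-table entry is dropped, and how an expired idle entry produces
exactly that drop in the middle of an otherwise healthy session.

Added example; the idle timeout and state machine are simplified
assumptions, not ISA's implementation."""
from dataclasses import dataclass

NOT_SYN_DROP = "FWX_E_TCP_NOT_SYN_PACKET_DROPPED"   # result name quoted in the thread
CLIENT, SERVER = "209.16.243.84", "170.224.182.228"  # addresses from the posted log


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatefulFirewall:
    """Outbound SYNs create table entries; every other packet must match an
    existing entry in the forward or reverse direction or it is dropped."""

    def __init__(self, internal, allowed_ports, idle_timeout):
        self.internal = set(internal)        # addresses on the inside network
        self.allowed_ports = set(allowed_ports)
        self.idle_timeout = idle_timeout     # seconds an idle entry survives (assumed)
        self.table = {}                      # 4-tuple -> {"state": str, "last": time}

    def _expire(self, now):
        """Forget entries that have been silent longer than the idle timeout."""
        stale = [k for k, e in self.table.items() if now - e["last"] > self.idle_timeout]
        for key in stale:
            del self.table[key]
        return stale

    def handle(self, pkt, now):
        """Return ("ALLOW", state) or ("DENY", reason) for one packet."""
        self._expire(now)
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        entry = self.table.get(fwd) or self.table.get(rev)
        if entry is not None:
            entry["last"] = now
            if pkt.syn and pkt.ack and entry["state"] == "SYN_SENT":
                entry["state"] = "SYN_RECEIVED"      # destination said OK
            elif pkt.ack and entry["state"] == "SYN_RECEIVED":
                entry["state"] = "ESTABLISHED"       # originator acknowledged it
            return ("ALLOW", entry["state"])
        # No entry: only a fresh outbound SYN (no ACK) may create one.
        if pkt.syn and not pkt.ack:
            if pkt.src not in self.internal or pkt.dport not in self.allowed_ports:
                return ("DENY", "policy")
            self.table[fwd] = {"state": "SYN_SENT", "last": now}
            return ("ALLOW", "SYN_SENT")
        # Anything else claims to belong to a conversation the firewall has
        # no record of: this is the drop the thread's log shows as 0xc0040017.
        return ("DENY", NOT_SYN_DROP)


def https_session(idle_timeout, quiet_gap):
    """Handshake, one request/reply, then the server speaks again after
    quiet_gap seconds of silence. Returns the verdict for that late packet."""
    fw = StatefulFirewall(internal={CLIENT}, allowed_ports={443}, idle_timeout=idle_timeout)
    c2s = dict(src=CLIENT, sport=6048, dst=SERVER, dport=443)
    s2c = dict(src=SERVER, sport=443, dst=CLIENT, dport=6048)
    fw.handle(Packet(**c2s, syn=True), now=0)             # SYN
    fw.handle(Packet(**s2c, syn=True, ack=True), now=1)   # SYN/ACK
    fw.handle(Packet(**c2s, ack=True), now=2)             # ACK: table entry fully formed
    fw.handle(Packet(**c2s, ack=True), now=3)             # TLS request
    fw.handle(Packet(**s2c, ack=True), now=4)             # TLS reply
    return fw.handle(Packet(**s2c, ack=True), now=4 + quiet_gap)


if __name__ == "__main__":
    print("server resumes after 1 min :", https_session(idle_timeout=600, quiet_gap=60))
    print("server resumes after 15 min:", https_session(idle_timeout=600, quiet_gap=900))
```

With a 10-minute idle timeout the server's packet after one minute is allowed in the ESTABLISHED state, while the same packet after fifteen minutes is denied as a NOT_SYN drop: the client is still waiting, the server believes it answered, and neither side is told. That is the hang the post describes, and it is why the questions that follow it (service packs, alerts, what the page is doing when it dies, MTU) are aimed at finding what removes or corrupts the entry rather than at the denied packet itself.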