Solved

ISA Server changes HTTPS requests to HTTP://mydomain.com:443 requests when SSL bridging. Urgent help needed to stop this.

Posted on 2006-11-20
806 Views
Last Modified: 2008-03-17
I have had an existing SSL bridge working. I have just changed the certificate and the rule has stopped functioning.
I believe the cause to be that the URL is being translated to an HTTP://mydomain.com:443 format from a standard HTTPS://mydomain.com type URL.
I really need to make sure that ISA 2004 passes on the HTTPS in the URL. If not, I get the following problems...

I get the following error in IE:
=====================
Bad Request
Your browser sent a request that this server could not understand.
Request header field is missing colon separator.

iewslive/fwivhor.fwwp_main.show HTTP/1.1
--------------------------------------------------------------------------------
Oracle HTTP Server Powered by Apache/1.3.19 Server at propman.thecrownestate.co.uk Port 443
=====================

and the following error on my SSL Apache server.
====================
ssl_engine_log
------------------
[20/Nov/2006 10:43:00 02040] [error] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[20/Nov/2006 10:43:00 02040] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]
====================
Question by:ner_1808
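The two error messages in the question are both symptoms of one thing: the backend's mod_ssl read an ASCII request line on port 443 where it expected a TLS ClientHello, so it logged "HTTP spoken on HTTPS port" and sent back a plaintext 400 page. The following is an added example, not code from the thread, Apache or ISA. It reproduces that first-bytes test so that whichever side you capture on (the backend, or a client probing the backend) you can tell whether plaintext was sent to a TLS port or a TLS port answered in plaintext. All sample buffers are constructed here; the host name is the placeholder used in the thread and the request path is made up.

```python
"""Classify the first bytes on a TLS port as a TLS handshake or plaintext HTTP.

Added example (not from the thread, Apache or ISA). It mirrors the check
behind Apache's "HTTP spoken on HTTPS port" log line: mod_ssl looks at the
first bytes on port 443 and, if they are an HTTP request line instead of a
ClientHello, answers with a plaintext 400 page. Samples below are constructed.
"""

TLS_HANDSHAKE = 0x16                       # TLS record content type: handshake
HELLO_CLIENT, HELLO_SERVER = 0x01, 0x02    # handshake message types
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ")


def classify(buf: bytes) -> str:
    """Return what protocol the first bytes of a connection look like."""
    if len(buf) < 6:
        return "short"
    # TLS record header: type, version major/minor, 2-byte length; the
    # handshake message type is the first byte of the record body (index 5).
    if buf[0] == TLS_HANDSHAKE and buf[1] == 0x03 and buf[2] <= 0x04:
        return {HELLO_CLIENT: "tls-client-hello",
                HELLO_SERVER: "tls-server-hello"}.get(buf[5], "tls-handshake")
    # SSLv2-compatible ClientHello, which SSL23_GET_CLIENT_HELLO also accepts:
    # 2-byte length with the high bit set, then message type 1.
    if buf[0] & 0x80 and buf[2] == HELLO_CLIENT:
        return "sslv2-client-hello"
    if buf.startswith(HTTP_METHODS):
        return "http-request"
    if buf.startswith(b"HTTP/1."):
        return "http-response"
    return "unknown"


def diagnose(seen_by: str, buf: bytes) -> str:
    """Explain the classification from the side that read the bytes ('server' or 'client')."""
    kind = classify(buf)
    if seen_by == "server" and kind == "http-request":
        return ("client spoke plaintext HTTP to the TLS port: the proxy or browser "
                "is sending http://host:443 rather than https://host")
    if seen_by == "client" and kind == "http-response":
        return "server answered in plaintext on the TLS port: no TLS listener there"
    if kind.startswith(("tls", "sslv2")):
        return "TLS handshake in progress: look elsewhere (certificate, name check)"
    return f"unrecognised first bytes ({kind})"


# Constructed samples: a minimal TLS 1.0 record carrying a ClientHello header,
# an SSLv2-style ClientHello, a plaintext request, and a plaintext 400 reply.
SAMPLE_TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2f,
                                 0x01, 0x00, 0x00, 0x2b, 0x03, 0x03]) + bytes(32)
SAMPLE_SSLV2_CLIENT_HELLO = bytes([0x80, 0x2e, 0x01, 0x03, 0x01,
                                   0x00, 0x15, 0x00, 0x00, 0x00, 0x10])
SAMPLE_PLAINTEXT_REQUEST = (b"GET /app/main.show HTTP/1.1\r\n"        # hypothetical path
                            b"Host: www.mydomain.com:443\r\n\r\n")
SAMPLE_PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, who, buf in [("backend saw", "server", SAMPLE_PLAINTEXT_REQUEST),
                            ("backend saw", "server", SAMPLE_TLS_CLIENT_HELLO),
                            ("backend saw", "server", SAMPLE_SSLV2_CLIENT_HELLO),
                            ("probe got ", "client", SAMPLE_PLAINTEXT_REPLY)]:
        print(f"{label}: {classify(buf):20} -> {diagnose(who, buf)}")
```

Run against the first bytes of a packet capture on the backend's port 443: an `http-request` verdict there means the connecting side (here the ISA bridge) opened a plain TCP connection and sent HTTP, exactly what the ISA log's HTTP://www.mydomain.com:443 entries describe, and no amount of backend tuning will fix it.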
10 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17978826
Have you got all of the ISA 2004 service packs and rollup patches installed? There were a couple of issues 'fixed' by SP2, then corrected again by the follow-up patches.

How are you bridging? HTTPS - HTTPS?
Have you tried backing up the config, then deleting the publishing rule and recreating it? Has anything changed in the config/status recently besides the change of certificates?

If you open the ISA gui, select monitoring - logging - click on start query, what do you see in the log? it won't be much as obviously ISA cannot determine what is in the encrypted pipes but you should see any failures or translations at the point ISA tries to create the bridged connection.

If you view the certificates themselves, any issues seen with them? ISA may revert to http if the certificate is not validated as the environment for SSL would not be met.

Regards
keith



LVL 2

Author Comment

by:ner_1808
ID: 17979304
I can browse from the ISA server to the offending Web server using the HTTPS:// url format.
However I get as above when using the HTTP://www.mydomain.com:443/ url format, which is what is logged in ISA as the URL when attempting an external connection.
The error returned to the browser is
Error Code:500 Internal Server Error. The target principal name is incorrect (-2146893022)

However I think this is misleading as I can use the exact url from the ISA machine itself going direct to the web server. We have partitioned the DNS internally and externally.

When I browse to the server from the ISA machine the certificate loads up fine. It is a wildcard certificate, so it is used for several other HTTPS to HTTP bridging rules and works fine externally.

As far as changes go, other than replacing the certificate on one of the listeners I have now attempted to create new rules using the wizard, but the result is the same.
Thanks
Nicholas
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17980506
Can you give details on the certificate that has been placed on the ISA server? Creating the connection from the ISA directly will initiate a single-hop connection and will not use the ISA's certificate as an authenticator. Also, generating the connection from the ISA server is a different scenario; the source will be the internal nic of the ISA server and therefore does not use the pass-through/bridging elements that are contained within the rule.

Regards
K
LVL 2

Author Comment

by:ner_1808
ID: 17997979
I have finally solved this problem. Much wasted time with erroneous error messages. It turns out that ISA Server 2004 is designed to NOT accept wildcard certificates used internally. Only external wildcard certificates allowed and internal ones must be single host named ones. It would be nice if the ISA logs indicated that this might be the issue and I could have saved about 15 hours of research and attempted fixing.

Thanks for your help anyway.
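The resolution above comes down to which host-name check the bridge applies to the backend certificate: a browser accepts `*.mydomain.com` for `propman.mydomain.com` under the usual wildcard rule, while a verifier that demands an exact name reports a principal-name mismatch (the "target principal name is incorrect" error in the thread). The following is an added example, not code from the thread or from ISA Server, contrasting the two checks side by side. The strict rule here is an assumption used to illustrate the behaviour the author reports, not ISA 2004's documented algorithm, and the host and certificate names are constructed.

```python
"""Exact-name vs wildcard host-name matching for a bridged backend certificate.

Added example (not from the thread or from ISA Server). wildcard_match follows
the common RFC 6125 style rule; strict_match is an assumed exact-name check
used to illustrate why a wildcard certificate on the internal side fails with a
principal-name mismatch. Names such as propman.mydomain.com are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Cert:
    """The identity fields of an X.509 certificate that name matching uses."""
    common_name: str
    sans: list = field(default_factory=list)   # dNSName entries, if any

    def names(self):
        return [self.common_name, *self.sans]


def _wildcard_label_match(pattern: str, host: str) -> bool:
    """RFC 6125 style: '*' only as the whole leftmost label, matching exactly one label."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse a wildcard that would cover a whole top-level domain (*.com).
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def wildcard_match(cert: Cert, host: str) -> bool:
    """What a browser does: exact or leftmost-label-wildcard match on any name."""
    return any(_wildcard_label_match(n, host) for n in cert.names())


def strict_match(cert: Cert, host: str) -> bool:
    """Assumed strict check: exact, case-insensitive name; a '*' never matches."""
    host = host.lower().rstrip(".")
    return any("*" not in n and n.lower() == host for n in cert.names())


def bridge_verdict(cert: Cert, host: str, strict: bool) -> str:
    """Outcome a bridging proxy would report for the backend's certificate."""
    ok = strict_match(cert, host) if strict else wildcard_match(cert, host)
    return "ok" if ok else "target principal name mismatch"


# Constructed certificates: the wildcard one the author installed, and the
# single-host one the thread concludes the internal side requires.
WILDCARD_CERT = Cert("*.mydomain.com")
HOST_CERT = Cert("propman.mydomain.com", sans=["propman.mydomain.com"])
BACKEND = "propman.mydomain.com"

if __name__ == "__main__":
    for label, cert in [("wildcard cert", WILDCARD_CERT), ("host cert", HOST_CERT)]:
        print(f"{label:14} browser-style: {bridge_verdict(cert, BACKEND, strict=False)}")
        print(f"{label:14} strict:        {bridge_verdict(cert, BACKEND, strict=True)}")
```

Running it shows why the author could browse to the backend from the ISA box (browser-style match, "ok") while the publishing rule failed (strict match, "target principal name mismatch"). The practical check before swapping a certificate on a bridged backend is therefore to compare the certificate's CN and SAN entries against the exact name the rule uses for the internal server, not to rely on the browser test.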
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17998576
Your info is correct, hence the direction of my questions to you:

<< Can you give details on the certificate that has been placed on the ISA server >>
<< If you view the certificates themselves, any issues seen with them? ISA may revert to http if the certificate is not validated as the environment for SSL would not be met.  >>

This position is stated on a number of Microsoft forums and is also mentioned on a number of ISA questions I have resolved in the past here on Experts-Exchange. Probably my fault, I should have asked 'what is the difference between the certificate that worked and now?'.

 
LVL 2

Author Comment

by:ner_1808
ID: 18001614
I should have mentioned that I was using wildcard certificates! I probably would have if any of the errors or logs had indicated that there was an issue with the cert. Live and learn!
Thanks for your help anyway. Much appreciated.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18004386
:)
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18012134
OK with me
Keith
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
ID: 18046638
Closed, 500 points refunded.
DarthMod
Community Support Moderator
