Solved

cannot telnet on port 443 on LAN

Posted on 2007-03-27
Last Modified: 2008-11-18
Hi Experts,

Just got a little problem: I cannot telnet from my ISA server to my SMTP server on port 443.
I have allowed all access from ISA to the SMTP server on 443, but each time I try it, the connection is refused.
I can telnet from the ISA box to the server on port 25 and port 80, but it refuses connection on port 443.

Any suggestions?
Question by:demolition_unit
14 Comments
 
LVL 11

Expert Comment

by:AnthonyP9618
ID: 18805690
SMTP should be running on port 25... not 443.  Unless you've changed it for some reason?
0
 

Author Comment

by:demolition_unit
ID: 18805694
Let me clarify: I cannot telnet from a server called "ISA1" to a server called "smtp1" on port 443 (HTTPS).
Both servers are on my LAN. If I telnet to "smtp1" on port 25 or 80 it works fine, but if I telnet on port 443 I get a connection refused...
0
 
LVL 5

Expert Comment

by:suggestionstick
ID: 18806084
Hi

On smtp1, can you run the following command:

netstat -an | find ":443"
Is the server actually listening on port 433?
If it is, can you connect locally via port 443 on Smtp1?

In IIS manager: expand the "web sites" node, right-click on "default web site" and select properties.
Select the "Directory security" tab, click edit under "ip address and domain name restrictions".
Is your ISA1 server IP address denied?

Note: 443 will not respond to GET commands in the same way as on port 80.


0
 
LVL 4

Expert Comment

by:groetting
ID: 18806425
You do know that port 443 is the SSL port, right? I assume you are using telnet to check if the port is accepting connections. Have you tried telnetting to localhost 443 on the smtp1 server? If that works, try telnetting to the IP of smtp1 from smtp1 just to confirm it replies to both actions. If it works locally on smtp1 and not from the other host, there is still a problem with firewall/access rules.
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 250 total points
ID: 18807244
Connection refused generally does mean that the IIS service that is providing the port is set to accept connections from selected ip addresses only OR it is anticipating a certificate/authentication pass of some kind.  Generally speaking if the port was not open then you would get a timeout message rather than a connection refused.

Netstat -an on its own will list all of the ports that the server has listening ports for, and whether they are TCP, UDP or in some cases both. It also reports if the port is listening for connections, is already in a conversation, or is in the process of closing a connection/recently closed a connection. Entries that show 0.0.0.0 mean that the server is listening on any of its available IP addresses (i.e. not set to a specific one if you have multiple NICs etc.).

Have you set the firewall policy rule in both directions?
I.e. port 443 from smtp server & local host TO smtp server & local host?

Normally this is not required as the forwarding would be handled by the publishing rule for OWA or similar anyway but if you are trying to do it from the ISA itself then you will need the rule I mentioned.

0
 

Author Comment

by:demolition_unit
ID: 18812686
suggestionstick:
I've tried netstat -an | find ":443" on the server, and there are NO results; it seems like it's not listening on 443.
In IIS manager there is no default website. The only thing installed on this server is the SMTP service, so that's the only thing that can be seen in IIS manager.

0
 

Author Comment

by:demolition_unit
ID: 18812700
groetting:

Telnetting to localhost 443 on the smtp1 server (and with the IP address) does not work. I get a "connection failed" message.
0

Author Comment

by:demolition_unit
ID: 18812709
Keith:
My mistake, on telnet I receive a "connection failed" message. I have tried opening ISA up both ways, but that won't seem to fix the problem.

A netstat -an does not show 443 being listened to at all...
0
 
LVL 5

Expert Comment

by:suggestionstick
ID: 18812979
Hi

If the server Smtp1 is not listening on 443 then you will not be able to telnet to it no matter where you are, or what firewall rules you have in place.

I think you should focus on why 443 is not listening on SMTP1.

Can you type the following command

netstat -anb | find ":80"
and copy/paste

thanks in advance

Trev
0
 
LVL 11

Expert Comment

by:AnthonyP9618
ID: 18813006
By default IIS doesn't listen on 443, only 80.  You would actually have to set that up within IIS to get any type of listener on 443.
0
 
LVL 5

Expert Comment

by:suggestionstick
ID: 18813010
Hi

The previous command in my post will not supply the information I need, sorry about that.

Run instead

netstat -anb and manually locate port 80. I need the owner process listed just below the 0.0.0.0:80

example

TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1764
[inetinfo.exe]

Thanks in advance

Trev
0
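The checks discussed in the thread up to this point (is anything listening, which process owns the listener, and does a connect succeed locally and remotely) can be scripted. The following is an added example, not part of any poster's reply: the `netstat -anb` sample is constructed, and the function names `listeners`, `probe` and `diagnose` are hypothetical. `diagnose` applies the checks in the order the thread does: listener first, then local connect, then remote connect.

```python
import re
import socket

# Constructed sample of Windows `netstat -anb` output (not from the thread's server).
SAMPLE = """\
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1764
  [inetinfo.exe]
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1764
  [inetinfo.exe]
  TCP    192.168.1.10:25        192.168.1.5:1093       ESTABLISHED     1764
  [inetinfo.exe]
"""
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

def listeners(netstat_text):
    """Map port -> [(local_address, pid, owner_process)] for LISTENING TCP rows."""
    found, last = {}, None
    for line in netstat_text.splitlines():
        row, owner = ROW.match(line), OWNER.match(line)
        if row:
            last = [row.group(1), int(row.group(3)), None]
            found.setdefault(int(row.group(2)), []).append(last)
            continue
        if owner and last:
            last[2] = owner.group(1)  # -b prints the owner on the line below the row
        last = None
    return {port: [tuple(e) for e in rows] for port, rows in found.items()}

def probe(host, port, timeout=3.0):
    """Classify a TCP connect, as the telnet test does: open, refused or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"  # the host answered with a reset: nothing accepted the connection
    except socket.timeout:
        return "timeout"  # no answer at all: the packets were dropped on the way
    except OSError as exc:
        return "error: %s" % exc

def diagnose(port, netstat_text, local_result, remote_result):
    if port not in listeners(netstat_text):
        return "no listener on %d: fix the service, not the firewall" % port
    if local_result != "open":
        return "listener present, local connect %s: check service bindings" % local_result
    if remote_result != "open":
        return "works locally, remote connect %s: check firewall/access rules" % remote_result
    return "port %d reachable" % port
```

On the server itself, pass the real `netstat -anb` output as `netstat_text`, `probe("127.0.0.1", 443)` as `local_result`, and the result of `probe` run from the other host as `remote_result`.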
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 250 total points
ID: 18814021
Demo, the previous comments do not compute, no offence :)

If the box is only running the smtp service which is on port 25, you would not have been able to connect to it through telnet on port 80 as per your first post.

Is this an Exchange box by any chance?
Can you http://servername/exchange and get the OWA screen up?
0
 
LVL 5

Expert Comment

by:suggestionstick
ID: 18814156
Hi


He was referring to IIS manager; it only had the SMTP service listed. He could be running a non-IIS web server on the box. This is why I asked for a netstat -anb for port 80, as it will show the owner process.

Trev
0
 

Author Comment

by:demolition_unit
ID: 18840289
Hi Guys,

It turns out that I no longer need access to this server on port 443. We have decided to change our design.
I'm happy to increase the points to 250 and split them amongst you guys :)
0
