Solved

HTTPS access through ISA 2006

Posted on 2007-03-28
Last Modified: 2011-08-18
We are running a Windows 2003 domain with Exchange 2003, SharePoint 2003, SQL 2005, and ISA 2006 std. One of our clients has an https:// site we need to access and we cannot. It times out. I have added rules in ISA to allow access to the site and all https sites (we can access all of them except this one), with no luck. When I access it from home on my company laptop it works fine. Can ISA be blocking the certs issued by the site? If so, how do I change it? Any other input would be helpful.
DLW
Question by:dwarren0940
10 Comments
 
LVL 4

Expert Comment

by:jasonwilliams74
ID: 18808180
I am assuming this is outside your internal network?
Are you using the Firewall client at all? Are you using ISA as a Proxy?

Have you turned up the logging, looking for requests JUST for that website to narrow down what is causing the problem? Customize the filter and filter for that website specifically and look to see what is going on with the connections.

Unlikely that ISA is blocking certs. If that were the case, it would block all certs from other HTTPS sites.

What happens when you do a 'nslookup <domain>' on a few machines on your network? Does it resolve?

Let's see if we can get this cleared up for you.

-Jason
0
 
LVL 2

Author Comment

by:dwarren0940
ID: 18808249
Yes, we are using the firewall client and proxy. But I took one machine off the domain, killed all firewalls, bypassed the switch that had ISA on it, and hooked directly to the external router (the external one is the one ISA uses, though), and it still timed out. I will get the log files and post them.
David
0
 
LVL 4

Expert Comment

by:jasonwilliams74
ID: 18808258
So the computer you plugged directly into the router timed out accessing that specific website?

Could it access other websites?
0
 
LVL 2

Author Comment

by:dwarren0940
ID: 18808374
Yes, this is a gov site. I could access the one https but not the one I needed.
0
 
LVL 4

Expert Comment

by:jasonwilliams74
ID: 18808428
Interesting. If you can't access it from outside the ISA Firewall, but can access everything else...

Did you clear your dns cache by chance? Just something else to do.

I just find it very interesting that you cannot even access this website when plugged directly into your router, BUT you can get everywhere else...

0
 
LVL 2

Author Comment

by:dwarren0940
ID: 18808516
Very frustrating. I took a laptop home and logged in fine from home. Opened a VPN into our network while in the site and lost the connection and could not get it back. Talked to their IT people and they say we are not even hitting them. But I show their IP in the sniffer, so we must be hitting the site. Here is the ISA log.
Original Client IP      Client Agent      Authenticated Client      Service      Server Name      Referring Server      Destination Host Name      Transport      MIME Type      Object Source      Source Proxy      Destination Proxy      Bidirectional      Client Host Name      Filter Information      Network Interface      Raw IP Header      Raw Payload      GMT Log Time      Source Port      Processing Time      Bytes Sent      Bytes Received      Result Code      HTTP Status Code      Cache Information      Error Information      Log Record Type      Authentication Server      Log Time      Destination IP      Destination Port      Protocol      Action      Rule      Client IP      Client Username      Source Network      Destination Network      HTTP Method      URL
192.168.100.12                        ISASERV      -            TCP      -                        Yes            -                        3/28/2007 2:38:20 PM      49428      0      0      0      0x0 ERROR_SUCCESS            0x0      0x0      Firewall      -      3/28/2007 10:38:20 AM      198.97.73.33      443      HTTPS      Initiated Connection      https      192.168.100.12            Internal      External      -      -
192.168.100.12                        ISASERV      -            TCP      -                        Yes            -                        3/28/2007 2:39:29 PM      49428      69000      152      0      0xc0040038 FWX_E_TCP_NO_SERVER_REPLY            0x0      0x0      Firewall      -      3/28/2007 10:39:29 AM      198.97.73.33      443      HTTPS      Closed Connection      https      192.168.100.12            Internal      External      -      -
0
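The two firewall-log records posted above can be checked mechanically. As an added example (not part of the original thread), this Python script pairs each "Initiated Connection" record with its "Closed Connection" record and reports flows that ended with FWX_E_TCP_NO_SERVER_REPLY and zero bytes received. It assumes the ISA log was exported as tab-separated text with the column names as a header row; the sample keeps only nine of the posted columns, and the 192.0.2.10 records are constructed for contrast.

```python
import csv
import io

NO_REPLY = "FWX_E_TCP_NO_SERVER_REPLY"  # result code name from the posted log

# Constructed sample: tab-separated, reduced to nine of the posted columns.
# The first two records carry the values from the post; the 192.0.2.10 pair
# is invented here as a normally closed connection.
COLUMNS = ("Client IP", "Source Port", "Destination IP", "Destination Port",
           "Action", "Processing Time", "Bytes Sent", "Bytes Received",
           "Result Code")
ROWS = [
    ("192.168.100.12", "49428", "198.97.73.33", "443",
     "Initiated Connection", "0", "0", "0", "0x0 ERROR_SUCCESS"),
    ("192.168.100.12", "49500", "192.0.2.10", "443",
     "Initiated Connection", "0", "0", "0", "0x0 ERROR_SUCCESS"),
    ("192.168.100.12", "49500", "192.0.2.10", "443",
     "Closed Connection", "1200", "900", "5400",
     "0x80074e20 FWX_E_GRACEFUL_SHUTDOWN"),
    ("192.168.100.12", "49428", "198.97.73.33", "443",
     "Closed Connection", "69000", "152", "0",
     "0xc0040038 FWX_E_TCP_NO_SERVER_REPLY"),
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in (COLUMNS, *ROWS))


def unanswered_connections(log_text):
    """Return flows the firewall opened and later closed with no server reply."""
    opened = set()
    findings = []
    for rec in csv.DictReader(io.StringIO(log_text), delimiter="\t"):
        flow = (rec["Client IP"], rec["Source Port"],
                rec["Destination IP"], rec["Destination Port"])
        if rec["Action"] == "Initiated Connection":
            opened.add(flow)
        elif rec["Action"] == "Closed Connection" and flow in opened:
            opened.discard(flow)
            code_name = rec["Result Code"].split()[-1]
            if code_name == NO_REPLY and int(rec["Bytes Received"]) == 0:
                findings.append({
                    "client": f"{flow[0]}:{flow[1]}",
                    "destination": f"{flow[2]}:{flow[3]}",
                    # 69000 in the post matches the 69 s between log times
                    "waited_ms": int(rec["Processing Time"]),
                    "bytes_sent": int(rec["Bytes Sent"]),
                })
    return findings


if __name__ == "__main__":
    for item in unanswered_connections(SAMPLE_LOG):
        print(item)
```
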
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 1000 total points
ID: 18811329
I doubt that you have posted the full log here. That said, the reason you cannot connect is that the destination server is reporting that the number of connections it is allowed to make simultaneously has been exceeded.

This can be corrected in a number of ways in ISA, predominantly by extending the http timeout parameters, but this position is 'queered' a little by the fact that you can repeat the symptoms when connected on the outside of ISA also.
What device do you have between ISA and your internet connection?
Does it have syslog capabilities?

Keith
ISA MCT
0
 
LVL 2

Author Comment

by:dwarren0940
ID: 18812754
This is the full log with the filter added for the site. The only device between the ISA server and the internet is a switch and the T-1 router. Yes, it has syslog capabilities.
0
 
LVL 2

Author Comment

by:dwarren0940
ID: 18812762
Keith, I doubled the timeout, 5000ms to 10000ms, and I got in. Not sure why it worked but it did. Thanks
David
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18813949
Welcome :)
0
