HTTPS access through ISA 2006

Posted on 2007-03-28
Last Modified: 2011-08-18
We are running a Windows 2003 domain with Exchange 2003, SharePoint 2003, SQL 2005, and ISA 2006 Std. One of our clients has an https:// site we need to access and we cannot. It times out. I have added rules in ISA to allow access to the site and all https sites (we can access all of them except this one), with no luck. When I access it from home on my company laptop it works fine. Can ISA be blocking the certs issued by the site? If so, how do I change it? Any other input would be helpful.
DLW
Question by:dwarren0940
10 Comments
 
LVL 4

Expert Comment

by:jasonwilliams74
ID: 18808180
I am assuming this is outside your internal network?
Are you using the Firewall client at all? Are you using ISA as a Proxy?

Have you turned up the logging, looking for requests JUST for that website to narrow down what is causing the problem? Customize the filter and filter for that website specifically and look to see what is going on with the connections.

Unlikely that ISA is blocking certs. If that were the case, it would block all certs from other HTTPS sites.

What happens when you do a 'nslookup <domain>' on a few machines on your network? Does it resolve?

Let's see if we can get this cleared up for you.

-Jason
0
 
LVL 2

Author Comment

by:dwarren0940
ID: 18808249
Yes, we are using the firewall client and proxy. But I took one machine off the domain, killed all firewalls, bypassed the switch that had ISA on it and hooked directly to the external router (the external one is the one ISA uses, though), and it still timed out. I will get the log files and post them.
David
0
 
LVL 4

Expert Comment

by:jasonwilliams74
ID: 18808258
So the computer you plugged directly into the router timed out accessing that specific website?

Could it access other websites?
0

 
LVL 2

Author Comment

by:dwarren0940
ID: 18808374
Yes, this is a gov site. I could access the one https but not the one I needed.
0
 
LVL 4

Expert Comment

by:jasonwilliams74
ID: 18808428
Interesting. If you can't access it from outside the ISA Firewall, but can access everything else...

Did you clear your dns cache by chance? Just something else to do.

I just find it very interesting that you cannot even access this website when plugged directly into your router, BUT you can get everywhere else...

0
 
LVL 2

Author Comment

by:dwarren0940
ID: 18808516
Very frustrating. I took a laptop home and logged in fine from home. Opened a VPN into our network while in the site and lost the connection and could not get it back. Talked to their IT people and they say we are not even hitting them. But I show their IP in the sniffer, so we must be hitting the site. Here is the ISA log.
Field                   Record 1                   Record 2
Original Client IP      192.168.100.12             192.168.100.12
Client Agent
Authenticated Client
Service
Server Name             ISASERV                    ISASERV
Referring Server        -                          -
Destination Host Name
Transport               TCP                        TCP
MIME Type               -                          -
Object Source
Source Proxy
Destination Proxy
Bidirectional           Yes                        Yes
Client Host Name
Filter Information      -                          -
Network Interface
Raw IP Header
Raw Payload
GMT Log Time            3/28/2007 2:38:20 PM       3/28/2007 2:39:29 PM
Source Port             49428                      49428
Processing Time         0                          69000
Bytes Sent              0                          152
Bytes Received          0                          0
Result Code             0x0 ERROR_SUCCESS          0xc0040038 FWX_E_TCP_NO_SERVER_REPLY
HTTP Status Code
Cache Information       0x0                        0x0
Error Information       0x0                        0x0
Log Record Type         Firewall                   Firewall
Authentication Server   -                          -
Log Time                3/28/2007 10:38:20 AM      3/28/2007 10:39:29 AM
Destination IP          198.97.73.33               198.97.73.33
Destination Port        443                        443
Protocol                HTTPS                      HTTPS
Action                  Initiated Connection       Closed Connection
Rule                    https                      https
Client IP               192.168.100.12             192.168.100.12
Client Username
Source Network          Internal                   Internal
Destination Network     External                   External
HTTP Method             -                          -
URL                     -                          -
0
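Added example (not part of the original thread): a small Python script that pairs the Initiated/Closed records of an ISA firewall log per flow and reports flows that closed with FWX_E_TCP_NO_SERVER_REPLY and zero bytes received, along with how long each stayed open. It assumes a tab-separated export with a header row; the sample is constructed from a subset of the columns posted above, and the 192.0.2.10 flow is a made-up control record.

```python
import csv
import io
from datetime import datetime

# Constructed sample: subset of the posted log's columns. The 198.97.73.33
# records carry the values posted above; the 192.0.2.10 flow is a made-up control.
SAMPLE = (
    "Log Time\tClient IP\tSource Port\tDestination IP\tDestination Port\t"
    "Action\tBytes Sent\tBytes Received\tResult Code\n"
    "3/28/2007 10:38:20 AM\t192.168.100.12\t49428\t198.97.73.33\t443\t"
    "Initiated Connection\t0\t0\t0x0 ERROR_SUCCESS\n"
    "3/28/2007 10:38:25 AM\t192.168.100.12\t49430\t192.0.2.10\t443\t"
    "Initiated Connection\t0\t0\t0x0 ERROR_SUCCESS\n"
    "3/28/2007 10:38:31 AM\t192.168.100.12\t49430\t192.0.2.10\t443\t"
    "Closed Connection\t980\t4096\t0x0 ERROR_SUCCESS\n"
    "3/28/2007 10:39:29 AM\t192.168.100.12\t49428\t198.97.73.33\t443\t"
    "Closed Connection\t152\t0\t0xc0040038 FWX_E_TCP_NO_SERVER_REPLY\n"
)

def unanswered_sessions(text):
    """Return flows that closed with FWX_E_TCP_NO_SERVER_REPLY and 0 bytes received."""
    opened, findings = {}, []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        # A flow is identified by client IP/port and destination IP/port.
        flow = (row["Client IP"], row["Source Port"],
                row["Destination IP"], row["Destination Port"])
        when = datetime.strptime(row["Log Time"], "%m/%d/%Y %I:%M:%S %p")
        if row["Action"] == "Initiated Connection":
            opened[flow] = when
        elif row["Action"] == "Closed Connection":
            start = opened.pop(flow, None)  # None if the open record was filtered out
            no_reply = "FWX_E_TCP_NO_SERVER_REPLY" in row["Result Code"]
            if no_reply and int(row["Bytes Received"]) == 0:
                findings.append({
                    "flow": flow,
                    "bytes_sent": int(row["Bytes Sent"]),
                    "seconds_open": (when - start).total_seconds() if start else None,
                })
    return findings

if __name__ == "__main__":
    for finding in unanswered_sessions(SAMPLE):
        print(finding)
```
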
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 1000 total points
ID: 18811329
I doubt that you have posted the full log here. That said, the reason you cannot connect is that the destination server is reporting that the number of connections it is allowed to make simultaneously has been exceeded.

This can be corrected in a number of ways in ISA, predominantly by extending the HTTP timeout parameters, but this position is 'queered' a little by the fact that you can repeat the symptoms when connected on the outside of ISA also.
What device do you have between ISA and your internet connection?
Does it have syslog capabilities?

Keith
ISA MCT
0
 
LVL 2

Author Comment

by:dwarren0940
ID: 18812754
This is the full log with the filter added for the site. The only device between the ISA server and the internet is a switch and the T-1 router. Yes, it has syslog capabilities.
0
 
LVL 2

Author Comment

by:dwarren0940
ID: 18812762
Keith, I doubled the time out, 5000ms to 10000ms and I got in. Not sure why it worked but it did.  Thanks
David
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18813949
Welcome :)
0
