Solved

HTTPS access through ISA 2006

Posted on 2007-03-28
Last Modified: 2011-08-18
We are running a Windows 2003 domain with Exchange 2003, SharePoint 2003, SQL 2005, and ISA 2006 Std. One of our clients has an https:// site we need to access and we cannot. It times out. I have added rules in ISA to allow access to the site and all https sites (we can access all except this one), with no luck. When I access it from home on my company laptop it works fine. Can ISA be blocking the certs issued by the site? If so, how do I change it? Any other input would be helpful.
DLW
Question by:dwarren0940
10 Comments

Expert Comment

by:jasonwilliams74
ID: 18808180
I am assuming this is outside your internal network?
Are you using the Firewall client at all? Are you using ISA as a Proxy?

Have you turned up the logging, looking for requests JUST for that website to narrow down what is causing the problem? Customize the filter and filter for that website specifically and look to see what is going on with the connections.

Unlikely that ISA is blocking certs. If that were the case, it would block all certs from other HTTPS sites.

What happens when you do a 'nslookup <domain>' on a few machines on your network? Does it resolve?

Let's see if we can get this cleared up for you.

-Jason

Author Comment

by:dwarren0940
ID: 18808249
Yes, we are using the firewall client and proxy. But I took one machine off the domain, killed all firewalls, bypassed the switch that had ISA on it and hooked directly to the external router (the external is the one ISA uses, though), and it still timed out. I will get the log files and post them.
David

Expert Comment

by:jasonwilliams74
ID: 18808258
So the computer you plugged directly into the router timed out accessing that specific website?

Could it access other websites?

Author Comment

by:dwarren0940
ID: 18808374
Yes, this is a gov site. I could access the one https but not the one I needed.

Expert Comment

by:jasonwilliams74
ID: 18808428
Interesting. If you can't access it from outside the ISA Firewall, but can access everything else...

Did you clear your DNS cache by chance? Just something else to do.

I just find it very interesting that you cannot even access this website when plugged directly into your router, BUT you can get everywhere else...


Author Comment

by:dwarren0940
ID: 18808516
Very frustrating. I took a laptop home and logged in fine from home. Opened a VPN into our network while in the site and lost the connection and could not get it back. Talked to their IT people and they say we are not even hitting them. But I show their IP in sniffer so we must be hitting the site. Here is the ISA log.
Original Client IP      Client Agent      Authenticated Client      Service      Server Name      Referring Server      Destination Host Name      Transport      MIME Type      Object Source      Source Proxy      Destination Proxy      Bidirectional      Client Host Name      Filter Information      Network Interface      Raw IP Header      Raw Payload      GMT Log Time      Source Port      Processing Time      Bytes Sent      Bytes Received      Result Code      HTTP Status Code      Cache Information      Error Information      Log Record Type      Authentication Server      Log Time      Destination IP      Destination Port      Protocol      Action      Rule      Client IP      Client Username      Source Network      Destination Network      HTTP Method      URL
192.168.100.12                        ISASERV      -            TCP      -                        Yes            -                        3/28/2007 2:38:20 PM      49428      0      0      0      0x0 ERROR_SUCCESS            0x0      0x0      Firewall      -      3/28/2007 10:38:20 AM      198.97.73.33      443      HTTPS      Initiated Connection      https      192.168.100.12            Internal      External      -      -
192.168.100.12                        ISASERV      -            TCP      -                        Yes            -                        3/28/2007 2:39:29 PM      49428      69000      152      0      0xc0040038 FWX_E_TCP_NO_SERVER_REPLY            0x0      0x0      Firewall      -      3/28/2007 10:39:29 AM      198.97.73.33      443      HTTPS      Closed Connection      https      192.168.100.12            Internal      External      -      -
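
Added example, not part of the original thread: the two log records above belong to one connection (same client IP, source port, destination IP and port), and this sketch pairs such Initiated/Closed records and reports how long each connection stayed open and which result code closed it. The tab-separated layout and the reduced column set are assumptions; the sample rows are constructed from the values in the post.

```python
import csv
import io
from datetime import datetime

# Constructed sample: the two records from the post, reduced to the columns
# used here and tab-separated (assumed export layout, not the full ISA log).
SAMPLE = "\n".join("\t".join(row) for row in [
    ["Client IP", "Source Port", "Destination IP", "Destination Port",
     "Log Time", "Action", "Result Code", "Processing Time"],
    ["192.168.100.12", "49428", "198.97.73.33", "443",
     "3/28/2007 10:38:20 AM", "Initiated Connection", "0x0 ERROR_SUCCESS", "0"],
    ["192.168.100.12", "49428", "198.97.73.33", "443",
     "3/28/2007 10:39:29 AM", "Closed Connection",
     "0xc0040038 FWX_E_TCP_NO_SERVER_REPLY", "69000"],
])

TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def summarize_sessions(log_text):
    """Pair Initiated/Closed records per connection and report how each ended."""
    open_sessions = {}
    results = []
    for rec in csv.DictReader(io.StringIO(log_text), delimiter="\t"):
        # A connection is identified by its 4-tuple.
        key = (rec["Client IP"], rec["Source Port"],
               rec["Destination IP"], rec["Destination Port"])
        when = datetime.strptime(rec["Log Time"], TIME_FORMAT)
        if rec["Action"] == "Initiated Connection":
            open_sessions[key] = when
        elif rec["Action"] == "Closed Connection":
            started = open_sessions.pop(key, None)
            code, _, name = rec["Result Code"].partition(" ")
            results.append({
                "destination": f"{key[2]}:{key[3]}",
                # None when the matching Initiated record is not in the log
                "seconds_open": (when - started).total_seconds() if started else None,
                "result_code": code,
                "result_name": name,
                "no_server_reply": name == "FWX_E_TCP_NO_SERVER_REPLY",
            })
    return results


if __name__ == "__main__":
    for session in summarize_sessions(SAMPLE):
        print(session)
```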

Accepted Solution

by:
Keith Alabaster earned 250 total points
ID: 18811329
I doubt that you have posted the full log here. That said, the reason you cannot connect is that the destination server is reporting that the number of connections it is allowed to make simultaneously has been exceeded.

This can be corrected in a number of ways in ISA, predominantly by extending the http timeout parameters, but this position is 'queered' a little by the fact that you can repeat the symptoms when connected on the outside of ISA also.
What device do you have between ISA and your internet connection?
Does it have syslog capabilities?

Keith
ISA MCT

Author Comment

by:dwarren0940
ID: 18812754
This is the full log with the filter added for the site. The only device between the ISA server and the internet is a switch and the T-1 router. Yes, it has syslog capabilities.

Author Comment

by:dwarren0940
ID: 18812762
Keith, I doubled the time out, 5000ms to 10000ms, and I got in. Not sure why it worked but it did. Thanks
David

Expert Comment

by:Keith Alabaster
ID: 18813949
Welcome :)