Solved

HTTPS access through ISA 2006

Posted on 2007-03-28
10
6,850 Views
Last Modified: 2011-08-18
We are running Windows 2003 domain with Exchange 2003, SharePoint 2003, SQL 2005, And ISA 2006 std. One of our clients has a https:// site we need to access and we can not. It times out. I have added rules in ISA to allow access to the site and all https sites. (which we can access all except this one) with no luck. Whem I access it from home on my company laptop it works fine. Can ISA be blocking the certs issued by the site? If so how do I change it? Any other input would be helpful.
DLW
0
Comment
Question by:dwarren0940
  • 5
  • 3
  • 2
10 Comments
 
LVL 4

Expert Comment

by:jasonwilliams74
Comment Utility
I am assuming this is outside your internal network?
Are you using the Firewall client at all? Are you using ISA as a Proxy?

Have you turned up the logging, looking for requests JUST for that website to narrow down what is causing the problem? Customize the filter and filter for that website specifically and look to see what is going on with the connections.

Unlikely that ISA is blocking certs. If that were the case, it would block all certs from other HTTPS sites.

What happens when you do a 'nslookup <domain>' on a few machines on your network? Does it resolve.

Lets see if we can get this cleared up for you.

-Jason
0
 
LVL 2

Author Comment

by:dwarren0940
Comment Utility
Yes we are using firewall client and proxy. But i took one machine off the domain killed all firewalls and bypassed the switch that had ISA on it and hook direct to the external router.(The external is the one ISA uses though) and still timed out. I will get the log files and post them.
David
0
 
LVL 4

Expert Comment

by:jasonwilliams74
Comment Utility
So the computer you plugged  directly into the router timed out accessing that specific website?

Could it access other websites?
0
 
LVL 2

Author Comment

by:dwarren0940
Comment Utility
Yes, this is a gov site. I could access the one https but not he one I needed.
0
 
LVL 4

Expert Comment

by:jasonwilliams74
Comment Utility
Interesting. If you can't access it from outside the ISA Firewall, but can access everything else...

Did you clear your dns cache by chance? Just something else to do.

I just find it very interesting that you can not even access this website when plugged directly into your router, BUT, you can get every where else...

0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 
LVL 2

Author Comment

by:dwarren0940
Comment Utility
Very furstrating. I took a laptop home and logged in fine from home. Opened a VPN into our network while in the site and lost the connection and could not get it back. Talked to their IT people and they say we are not even hitting them. But I show their IP in sniffer so we must be hitting the site. Here is the ISA log.
Original Client IP      Client Agent      Authenticated Client      Service      Server Name      Referring Server      Destination Host Name      Transport      MIME Type      Object Source      Source Proxy      Destination Proxy      Bidirectional      Client Host Name      Filter Information      Network Interface      Raw IP Header      Raw Payload      GMT Log Time      Source Port      Processing Time      Bytes Sent      Bytes Received      Result Code      HTTP Status Code      Cache Information      Error Information      Log Record Type      Authentication Server      Log Time      Destination IP      Destination Port      Protocol      Action      Rule      Client IP      Client Username      Source Network      Destination Network      HTTP Method      URL
192.168.100.12                        ISASERV      -            TCP      -                        Yes            -                        3/28/2007 2:38:20 PM      49428      0      0      0      0x0 ERROR_SUCCESS            0x0      0x0      Firewall      -      3/28/2007 10:38:20 AM      198.97.73.33      443      HTTPS      Initiated Connection      https      192.168.100.12            Internal      External      -      -
192.168.100.12                        ISASERV      -            TCP      -                        Yes            -                        3/28/2007 2:39:29 PM      49428      69000      152      0      0xc0040038 FWX_E_TCP_NO_SERVER_REPLY            0x0      0x0      Firewall      -      3/28/2007 10:39:29 AM      198.97.73.33      443      HTTPS      Closed Connection      https      192.168.100.12            Internal      External      -      -
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 250 total points
Comment Utility
I doubt that you have posted the full log here.  that said, the reason you cannot connect is that the destination server is reporting that the number of connections it is allowed to make simultaneously has been exceeded.

This can be corrected in a number of ways in ISa, predominantly by extending the http timeout parameters but this position is 'queered' a little by the fact that you can repeat the symptoms when connected on the outside of ISA also.
What device do you have between ISA and your internet connection?
Does it have syslog capabilities?

Keith
ISA MCT
0
 
LVL 2

Author Comment

by:dwarren0940
Comment Utility
This is the full log with the filter added for the site. The only device between the ISA server and the internet is a switch and the T-1 router. YEs it has syslog capabilities.
0
 
LVL 2

Author Comment

by:dwarren0940
Comment Utility
Keith, I doubled the time out, 5000ms to 10000ms and I got in. Not sure why it worked but it did.  Thanks
David
0
 
LVL 51

Expert Comment

by:Keith Alabaster
Comment Utility
Welcome :)
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

I have been asked to explain on many, many occasions the correct way to setup network cards and DNS settings on ISA Server 2004, 2006 and forefront Threat management gateway (FTMG) and have willing done so. I have also promised my self everytime tha…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now