Solved

HTTPS access through ISA 2006

Posted on 2007-03-28
10
6,868 Views
Last Modified: 2011-08-18
We are running a Windows 2003 domain with Exchange 2003, SharePoint 2003, SQL 2005, and ISA 2006 Std. One of our clients has an https:// site we need to access and we cannot. It times out. I have added rules in ISA to allow access to the site and all https sites (we can access all except this one), with no luck. When I access it from home on my company laptop it works fine. Can ISA be blocking the certs issued by the site? If so, how do I change it? Any other input would be helpful.
DLW
0
Comment
Question by:dwarren0940
10 Comments
 
LVL 4

Expert Comment

by:jasonwilliams74
ID: 18808180
I am assuming this is outside your internal network?
Are you using the Firewall client at all? Are you using ISA as a Proxy?

Have you turned up the logging, looking for requests JUST for that website to narrow down what is causing the problem? Customize the filter and filter for that website specifically and look to see what is going on with the connections.

Unlikely that ISA is blocking certs. If that were the case, it would block all certs from other HTTPS sites.

What happens when you do an 'nslookup <domain>' on a few machines on your network? Does it resolve?

Let's see if we can get this cleared up for you.

-Jason
0
 
LVL 2

Author Comment

by:dwarren0940
ID: 18808249
Yes, we are using the firewall client and proxy. But I took one machine off the domain, killed all firewalls, bypassed the switch that had ISA on it, and hooked directly to the external router (the external is the one ISA uses, though), and it still timed out. I will get the log files and post them.
David
0
 
LVL 4

Expert Comment

by:jasonwilliams74
ID: 18808258
So the computer you plugged directly into the router timed out accessing that specific website?

Could it access other websites?
0
 
LVL 2

Author Comment

by:dwarren0940
ID: 18808374
Yes, this is a gov site. I could access the one https but not the one I needed.
0
 
LVL 4

Expert Comment

by:jasonwilliams74
ID: 18808428
Interesting. If you can't access it from outside the ISA Firewall, but can access everything else...

Did you clear your dns cache by chance? Just something else to do.

I just find it very interesting that you cannot even access this website when plugged directly into your router, BUT you can get everywhere else...

0
 
LVL 2

Author Comment

by:dwarren0940
ID: 18808516
Very frustrating. I took a laptop home and logged in fine from home. Opened a VPN into our network while in the site and lost the connection and could not get it back. Talked to their IT people and they say we are not even hitting them. But I show their IP in the sniffer, so we must be hitting the site. Here is the ISA log.
Original Client IP      Client Agent      Authenticated Client      Service      Server Name      Referring Server      Destination Host Name      Transport      MIME Type      Object Source      Source Proxy      Destination Proxy      Bidirectional      Client Host Name      Filter Information      Network Interface      Raw IP Header      Raw Payload      GMT Log Time      Source Port      Processing Time      Bytes Sent      Bytes Received      Result Code      HTTP Status Code      Cache Information      Error Information      Log Record Type      Authentication Server      Log Time      Destination IP      Destination Port      Protocol      Action      Rule      Client IP      Client Username      Source Network      Destination Network      HTTP Method      URL
192.168.100.12                        ISASERV      -            TCP      -                        Yes            -                        3/28/2007 2:38:20 PM      49428      0      0      0      0x0 ERROR_SUCCESS            0x0      0x0      Firewall      -      3/28/2007 10:38:20 AM      198.97.73.33      443      HTTPS      Initiated Connection      https      192.168.100.12            Internal      External      -      -
192.168.100.12                        ISASERV      -            TCP      -                        Yes            -                        3/28/2007 2:39:29 PM      49428      69000      152      0      0xc0040038 FWX_E_TCP_NO_SERVER_REPLY            0x0      0x0      Firewall      -      3/28/2007 10:39:29 AM      198.97.73.33      443      HTTPS      Closed Connection      https      192.168.100.12            Internal      External      -      -
0
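An added example, not part of the original thread: a short Python script that reads an ISA firewall log export like the one posted above and reports sessions that closed with a failure code and zero bytes received. It assumes a tab-separated export with a header row; the sample keeps only the columns it uses, and the second session (to 203.0.113.10) is constructed for contrast.

```python
import csv
import io

# Sample log: first two records carry the values from the post, reduced to the
# columns used here; the last two are constructed (documentation IP address).
SAMPLE_LOG = (
    "Log Time\tClient IP\tSource Port\tDestination IP\tDestination Port\t"
    "Action\tResult Code\tProcessing Time\tBytes Sent\tBytes Received\n"
    "3/28/2007 10:38:20 AM\t192.168.100.12\t49428\t198.97.73.33\t443\t"
    "Initiated Connection\t0x0 ERROR_SUCCESS\t0\t0\t0\n"
    "3/28/2007 10:39:29 AM\t192.168.100.12\t49428\t198.97.73.33\t443\t"
    "Closed Connection\t0xc0040038 FWX_E_TCP_NO_SERVER_REPLY\t69000\t152\t0\n"
    "3/28/2007 10:40:01 AM\t192.168.100.12\t49501\t203.0.113.10\t443\t"
    "Initiated Connection\t0x0 ERROR_SUCCESS\t0\t0\t0\n"
    "3/28/2007 10:40:03 AM\t192.168.100.12\t49501\t203.0.113.10\t443\t"
    "Closed Connection\t0x0 ERROR_SUCCESS\t2000\t812\t5310\n"
)


def unanswered_sessions(log_text):
    """Return closed sessions that ended in an error with no bytes received."""
    opened = {}    # (client, source port, dest IP, dest port) -> open time
    findings = []
    for row in csv.DictReader(io.StringIO(log_text), delimiter="\t"):
        key = (row["Client IP"], row["Source Port"],
               row["Destination IP"], row["Destination Port"])
        if row["Action"] == "Initiated Connection":
            opened[key] = row["Log Time"]
        elif row["Action"] == "Closed Connection":
            open_time = opened.pop(key, None)  # None if the open record is missing
            code, _, name = row["Result Code"].partition(" ")
            if int(code, 16) != 0 and int(row["Bytes Received"]) == 0:
                findings.append({
                    "opened": open_time,
                    "closed": row["Log Time"],
                    "destination": f'{row["Destination IP"]}:{row["Destination Port"]}',
                    "result": name or code,
                    # 69000 here matches the 69 s between the two log times
                    "processing_time_ms": int(row["Processing Time"]),
                    "bytes_sent": int(row["Bytes Sent"]),
                })
    return findings


if __name__ == "__main__":
    for f in unanswered_sessions(SAMPLE_LOG):
        print(f)
```
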
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 250 total points
ID: 18811329
I doubt that you have posted the full log here. That said, the reason you cannot connect is that the destination server is reporting that the number of connections it is allowed to make simultaneously has been exceeded.

This can be corrected in a number of ways in ISA, predominantly by extending the http timeout parameters, but this position is 'queered' a little by the fact that you can repeat the symptoms when connected on the outside of ISA also.
What device do you have between ISA and your internet connection?
Does it have syslog capabilities?

Keith
ISA MCT
0
 
LVL 2

Author Comment

by:dwarren0940
ID: 18812754
This is the full log with the filter added for the site. The only device between the ISA server and the internet is a switch and the T-1 router. Yes, it has syslog capabilities.
0
 
LVL 2

Author Comment

by:dwarren0940
ID: 18812762
Keith, I doubled the time out, 5000ms to 10000ms and I got in. Not sure why it worked but it did.  Thanks
David
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18813949
Welcome :)
0


Question has a verified solution.
