Solved

give access https access through isa 2006

Posted on 2007-11-21
Last Modified: 2011-08-18
How can I allow access to HTTPS sites through ISA 2006?
Question by:acaassurance

Expert Comment

by:Keith Alabaster
ID: 20330292
Open the gui - select firewall policy
right-click firewall policy - select new - access rule
select the https protocol rather than all protocols - select internal & local host in the from box and external in the to box - select all users. Move this rule to the top.
Apply policy - job done.

Author Comment

by:acaassurance
ID: 20339724
I have tried that solution before and again as well.....
Still getting the same error message:
Error Code: 502 Proxy Error.  The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: ip_address_of_isa_server
Date: todays_date_&_time
Server: server_name
Source: proxy

ISA is currently running on virtual server 2007.  I can get to ALL HTTP sites through ISA so far except https.  I have also tried using the ISAtpre tool to add HTTPS ports.  Let me know how I can move forward on this.

thanks,

Expert Comment

by:Keith Alabaster
ID: 20340097
One question - are you sure that the https call is actually going out on port 443? If not, ISA will block the request.

Can you paste the line from the ISA log?

Open the ISA gui, select monitoring - logging - click start query to start the realtime log.
Make the connection from a client - what do you see in the log display?
What rule is doing the deny? The default rule?

Look at the log line - does it show port 443 or a different port number for the https traffic?


Author Comment

by:acaassurance
ID: 20349649
It is not going through the standard https port of 443; it is going through port 4402.  That is why I added that port using the ISAtpre tool.  That port is now allowed through along w/443.  Below is the output from the monitoring log:

Original Client IP      Client Agent      Authenticated Client      Service      Server Name      Referring Server      Destination Host Name      Transport      MIME Type      Object Source      Source Proxy      Destination Proxy      Bidirectional      Client Host Name      Filter Information      Network Interface      Raw IP Header      Raw Payload      GMT Log Time      Source Port      Processing Time      Bytes Sent      Bytes Received      Result Code      HTTP Status Code      Cache Information      Error Information      Log Record Type      Authentication Server      Log Time      Destination IP      Destination Port      Protocol      Action      Rule      Client IP      Client Username      Source Network      Destination Network      HTTP Method      URL
0.0.0.0      Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)      Yes      Proxy      IT-ISA            real.sysfx.com      TCP            Internet      -      -            -      Req ID: 0700f041; Compression: client=No, server=No, compress rate=0% decompress rate=0%      -      -      -      11/26/2007 1:18:26 PM      0      0      924      0            12202 The ISA Server denied the specified Uniform Resource Locator (URL).       0x0      0x800      Web Proxy Filter            11/26/2007 8:18:26 AM      10.1.2.100      4402      SSL-tunnel      Denied Connection      Default rule      10.1.2.249      anonymous      Internal      Sysfx            real.sysfx.com:4402

According to the output it is being denied by the default rule, but that rule can not be edited.  Looking forward to your reply.
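
The log check discussed in this exchange (which rule denies the request, and on which port) can also be run over an exported log. The following is an added example, not part of the thread or of ISA's own tooling; it assumes a tab-separated export whose header uses the column names shown in the pasted log, and the sample rows and the names `denied_tunnels` and `nonstandard_ports` are constructed for illustration.

```python
import csv
import io

STANDARD_SSL_PORT = 443

# Constructed sample: tab-separated rows reduced to seven of the columns in
# the log pasted above. Row 1 mirrors the denied request from the thread;
# the remaining rows, hosts and rule names are made up for contrast.
SAMPLE_LOG = "\n".join([
    "Destination Host Name\tDestination Port\tProtocol\tAction\tRule\tClient IP\tURL",
    "real.sysfx.com\t4402\tSSL-tunnel\tDenied Connection\tDefault rule\t10.1.2.249\treal.sysfx.com:4402",
    "www.example.test\t443\tSSL-tunnel\tAllowed Connection\tAllow HTTPS out\t10.1.2.249\twww.example.test:443",
    "www.example.test\t80\thttp\tAllowed Connection\tAllow HTTP out\t10.1.2.50\thttp://www.example.test/",
    "app.example.test\t8443\tSSL-tunnel\tDenied Connection\tDefault rule\t10.1.2.50\tapp.example.test:8443",
    "app.example.test\t8443\tSSL-tunnel\tDenied Connection\tDefault rule\t10.1.2.51\tapp.example.test:8443",
])


def denied_tunnels(log_text):
    # Group denied SSL-tunnel requests by (destination port, denying rule) so
    # "which rule is doing the deny, and on what port" is answered per port.
    findings = {}
    reader = csv.DictReader(io.StringIO(log_text), delimiter="\t", restval="")
    for row in reader:
        if row["Protocol"].strip().lower() != "ssl-tunnel":
            continue  # plain HTTP and other protocols are out of scope
        if not row["Action"].strip().lower().startswith("denied"):
            continue
        try:
            port = int(row["Destination Port"])
        except ValueError:
            continue  # blank or malformed port cell: nothing to report
        key = (port, row["Rule"].strip())
        entry = findings.setdefault(key, {"hits": 0, "clients": set(), "hosts": set()})
        entry["hits"] += 1
        entry["clients"].add(row["Client IP"].strip())
        entry["hosts"].add(row["Destination Host Name"].strip())
    return findings


def nonstandard_ports(findings):
    # Refused tunnel ports other than 443, sorted for a stable report.
    return sorted({port for port, _rule in findings if port != STANDARD_SSL_PORT})


if __name__ == "__main__":
    for (port, rule), info in sorted(denied_tunnels(SAMPLE_LOG).items()):
        print(port, rule, info["hits"], sorted(info["clients"]), sorted(info["hosts"]))
    print("denied non-443 tunnel ports:", nonstandard_ports(denied_tunnels(SAMPLE_LOG)))
```

A port listed by `nonstandard_ports` with the denying rule reported as "Default rule" corresponds to the situation in the pasted log line.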


Expert Comment

by:Keith Alabaster
ID: 20351908
Hmmm - according to that log output the pre vbs script hasn't been successful.
How did you run the pre script?

Author Comment

by:acaassurance
ID: 20352290
I didn't run any script, didn't know there was a script that I had to run.  Let me know what script you are talking about.  I don't see in the log file where it states anything about a script file...

Accepted Solution

by:
Keith Alabaster earned 125 total points
ID: 20352577
<<<That is why I added that port using the ISAtpre tool.  That port is now allowed through along w/443.  Below is the output from the monitoring log:>>>

You didn't mention that in your first post, which is why I checked what port the SSL was going out on. ISAtpre is a VBScript whereby you enter in the starting port number and the finishing port number when it runs. That port range is added to 443 for allowed outbound SSL ports that https can use.

Personally I always use this option from Jim Harrison. I use the ISA tunnel port range rather than the tpre as I find it much more reliable. I have had funnies with the tpre.
http://www.isatools.org/tools.asp?Context=ISA2004

I know you are running ISA2006 but this utility works on all versions.

Keith

Author Comment

by:acaassurance
ID: 20377136
OK I will try this, can you tell me why I can RDP to the ISA Server or use the ISA Management tool (I keep getting the following error: RPC Server unavailable).  This implementation has been a total disaster.  I have opened up both ports and only using 1 NIC for my RDP access.

Thanks,

Expert Comment

by:Keith Alabaster
ID: 20377396
Did you mean 'can't' ....?

No offence but ISA is quite a specialised product. Open the ISA GUI,
right-click the firewall policy in the left pane and edit the System Policy.
Edit the options for allowing terminal services and make sure internal to local host and vice versa is enabled.
Do the same for the MMC remote management function.

Author Comment

by:acaassurance
ID: 20442056
Keith,
I used the ISA Tunnel Port tool that you suggested and still the same result.  I am reinstalling ISA 2006 and will allow EVERYTHING outbound and manually block site and ports.

Author Comment

by:acaassurance
ID: 20449445
Keith,
After multiple tries on the ISA Tunnel Port tool it finally worked.

Thank you,

Unfortunately RDP and trying to use the Management console of ISA on another machine is still not working.  I have allowed Remote Management Computer to be allowed to do both but it still is not working, let me know if you have any other ideas.

Thanks again,

Author Closing Comment

by:acaassurance
ID: 31410371
After trying it multiple times it finally worked.