Give HTTPS access through ISA 2006

Posted on 2007-11-21
Last Modified: 2011-08-18
How can I allow access to HTTPS sites through ISA 2006?
Question by:acaassurance
12 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20330292
Open the GUI - select firewall policy
right-click firewall policy - select new - access rule
select the https protocol rather than all protocols - select internal & local host in the from box and external in the to box - select all users. Move this rule to the top.
Apply policy - job done.
0
 

Author Comment

by:acaassurance
ID: 20339724
I have tried that solution before and again as well.....
Still getting the same error message:
Error Code: 502 Proxy Error.  The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: ip_address_of_isa_server
Date: todays_date_&_time
Server: server_name
Source: proxy

ISA is currently running on virtual server 2007.  I can get to ALL HTTP sites through ISA so far except https.  I have also tried using the ISAtpre tool to add HTTPS ports.  Let me know how I can move forward on this.

thanks,
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20340097
One question - are you sure that the https call is actually going out on port 443? If not, ISA will block the request.

Can you paste the line from the ISA log?

Open the ISA gui, select monitoring - logging - click start query to start the realtime log.
Make the connection from a client - what do you see in the log display?
What rule is doing the deny? The default rule?

Look at the log line - does it show port 443 or a different port number for the https traffic?

0
 

Author Comment

by:acaassurance
ID: 20349649
It is not going through the standard https port of 443 it is going through port 4402.  That is why I added that port using the ISAtpre tool.  That port is now allowed through along w/443.  Below is the output from the monitoring log:

Original Client IP      Client Agent      Authenticated Client      Service      Server Name      Referring Server      Destination Host Name      Transport      MIME Type      Object Source      Source Proxy      Destination Proxy      Bidirectional      Client Host Name      Filter Information      Network Interface      Raw IP Header      Raw Payload      GMT Log Time      Source Port      Processing Time      Bytes Sent      Bytes Received      Result Code      HTTP Status Code      Cache Information      Error Information      Log Record Type      Authentication Server      Log Time      Destination IP      Destination Port      Protocol      Action      Rule      Client IP      Client Username      Source Network      Destination Network      HTTP Method      URL
0.0.0.0      Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)      Yes      Proxy      IT-ISA            real.sysfx.com      TCP            Internet      -      -            -      Req ID: 0700f041; Compression: client=No, server=No, compress rate=0% decompress rate=0%      -      -      -      11/26/2007 1:18:26 PM      0      0      924      0            12202 The ISA Server denied the specified Uniform Resource Locator (URL).       0x0      0x800      Web Proxy Filter            11/26/2007 8:18:26 AM      10.1.2.100      4402      SSL-tunnel      Denied Connection      Default rule      10.1.2.249      anonymous      Internal      Sysfx            real.sysfx.com:4402

According to the output it is being denied by the default rule, but that rule can not be edited.  Looking forward to your reply.

0
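The check Keith asks for above (which rule did the deny, and on which port), run over a log export like the one just posted. This is an added example, not code from the thread or from ISA Server; the trimmed column set, the `denied_tunnels` helper, the `tunnel_ports` default and the `example.test` rows are assumptions.

```python
import csv
import io

# Constructed sample: a tab-separated log export trimmed to the columns used
# below. Rows 1-2 reuse values from the log line posted in the thread; rows
# 3-4 are invented for contrast.
COLUMNS = ["Client IP", "Destination Host Name", "Destination Port",
           "Protocol", "Action", "Rule"]
ROWS = [
    ["10.1.2.249", "real.sysfx.com", "4402", "SSL-tunnel",
     "Denied Connection", "Default rule"],
    ["10.1.2.249", "real.sysfx.com", "4402", "SSL-tunnel",
     "Denied Connection", "Default rule"],
    ["10.1.2.250", "shop.example.test", "443", "SSL-tunnel",
     "Denied Connection", "Block shopping (hypothetical rule)"],
    ["10.1.2.251", "www.example.test", "80", "http",
     "Allowed Connection", "Web access (hypothetical rule)"],
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in [COLUMNS] + ROWS)


def denied_tunnels(log_text, tunnel_ports=frozenset({443})):
    """Summarise denied SSL-tunnel (CONNECT) requests per host, port and rule.

    tunnel_ports is an assumption: set it to the SSL tunnel ports actually
    configured on the server being examined.
    """
    summary = {}
    reader = csv.DictReader(io.StringIO(log_text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)
    for row in reader:
        if (row.get("Protocol") or "").strip().lower() != "ssl-tunnel":
            continue
        if not (row.get("Action") or "").strip().lower().startswith("denied"):
            continue
        try:
            port = int((row.get("Destination Port") or "").strip())
        except ValueError:
            continue  # truncated or malformed row
        key = ((row.get("Destination Host Name") or "").strip(), port,
               (row.get("Rule") or "").strip())
        entry = summary.setdefault(key, {
            "count": 0, "clients": set(),
            "port_in_tunnel_range": port in tunnel_ports})
        entry["count"] += 1
        entry["clients"].add((row.get("Client IP") or "").strip())
    return summary
```

Each key in the result is a (host, port, rule) triple, so a denial by the default rule on a port outside `tunnel_ports` is separated at a glance from a denial by an explicit rule on 443.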
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20351908
Hmmm - according to that log output the pre vbs script hasn't been successful.
How did you run the pre script?
0
 

Author Comment

by:acaassurance
ID: 20352290
I didn't run any script, didn't know there was a script that I had to run.  Let me know what script you are talking about.  I don't see in the log file where it states anything about a script file...
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 20352577
<<<That is why I added that port using the ISAtpre tool.  That port is now allowed through along w/443.  Below is the output from the monitoring log:>>>

You didn't mention that in your first post which is why I checked what port the ssl was going out on. ISAtpre is a vbscript whereby you enter in the starting port number and the finishing port number when it runs. That port range is added to 443 for allowed outbound ssl ports that https can use.

Personally I always use this option from Jim Harrison. I use the ISA tunnel port range rather than the tpre as I find it much more reliable. I have had funnies with the tpre.
http://www.isatools.org/tools.asp?Context=ISA2004

I know you are running ISA2006 but this utility works on all versions.

Keith
0
 

Author Comment

by:acaassurance
ID: 20377136
OK I will try this, can you tell me why I can RDP to the ISA Server or use the ISA Management tool (I keep getting the following error: RPC Server unavailable).  This implementation has been a total disaster.  I have opened up both ports and only using 1 NIC for my RDP access.

Thanks,
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20377396
Did you mean 'can't' ....?

No offence but ISA is quite a specialised product. Open the ISA GUI,
right-click the firewall policy in the left pane and edit the System Policy.
Edit the options for allowing terminal services and make sure internal to local host and vice versa is enabled.
Do the same for the MMC remote management function.
0
 

Author Comment

by:acaassurance
ID: 20442056
Keith,
I used the ISA Tunnel Port tool that you suggested and still the same result.  I am reinstalling ISA 2006 and will allow EVERYTHING outbound and manually block site and ports.
0
 

Author Comment

by:acaassurance
ID: 20449445
Keith,
After multiple tries on the ISA Tunnel Port tool it finally worked.

Thank you,

Unfortunately RDP and trying to use the Management console of ISA on another machine is still not working.  I have allowed Remote Management Computer to be allowed to do both but it still is not working, let me know if you have any other ideas.

Thanks again,
0
 

Author Closing Comment

by:acaassurance
ID: 31410371
After trying it multiple times it finally worked.
0
