Solved

give access https access through isa 2006

Posted on 2007-11-21
Last Modified: 2011-08-18
How can I allow access to HTTPS sites through ISA 2006?
Question by:acaassurance
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20330292
Open the gui - select firewall policy
right-click firewall policy - select new - access rule
select the https protocol rather than all protocols - select internal & local host in the from box and external in the to box - select all users. Move this rule to the top.
Apply policy - job done.
0
 

Author Comment

by:acaassurance
ID: 20339724
I have tried that solution before and again as well.....
Still getting the same error message:
Error Code: 502 Proxy Error.  The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
IP Address: ip_address_of_isa_server
Date: todays_date_&_time
Server: server_name
Source: proxy

ISA is currently running on virtual server 2007.  I can get to ALL HTTP sites through ISA so far except https.  I have also tried using the ISAtpre tool to add HTTPS ports.  Let me know how I can move forward on this.

thanks,
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20340097
One question - are you sure that the https call is actually going out on port 443? If not, ISA will block the request.

Can you paste the line from the ISA log?

Open the ISA gui, select monitoring - logging - click start query to start the realtime log.
Make the connection from a client - what do you see in the log display?
What rule is doing the deny? The default rule?

Look at the log line - does it show port 443 or a different port number for the https traffic?

0
 

Author Comment

by:acaassurance
ID: 20349649
It is not going through the standard https port of 443; it is going through port 4402.  That is why I added that port using the ISAtpre tool.  That port is now allowed through along w/443.  Below is the output from the monitoring log:

Original Client IP: 0.0.0.0
Client Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1)
Authenticated Client: Yes
Service: Proxy
Server Name: IT-ISA
Referring Server:
Destination Host Name: real.sysfx.com
Transport: TCP
MIME Type:
Object Source: Internet
Source Proxy: -
Destination Proxy: -
Bidirectional:
Client Host Name: -
Filter Information: Req ID: 0700f041; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Network Interface: -
Raw IP Header: -
Raw Payload: -
GMT Log Time: 11/26/2007 1:18:26 PM
Source Port: 0
Processing Time: 0
Bytes Sent: 924
Bytes Received: 0
Result Code:
HTTP Status Code: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Cache Information: 0x0
Error Information: 0x800
Log Record Type: Web Proxy Filter
Authentication Server:
Log Time: 11/26/2007 8:18:26 AM
Destination IP: 10.1.2.100
Destination Port: 4402
Protocol: SSL-tunnel
Action: Denied Connection
Rule: Default rule
Client IP: 10.1.2.249
Client Username: anonymous
Source Network: Internal
Destination Network: Sysfx
HTTP Method:
URL: real.sysfx.com:4402

According to the output it is being denied by the default rule, but that rule can not be edited.  Looking forward to your reply.

0
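The log check described in the posts above (which rule denied the request, and on which port), as an added example that is not part of the original thread: it reads a tab-separated export using column names from the log above and separates denied `SSL-tunnel` requests on ports outside the expected tunnel port range from those inside it. The export format, the function names and every row after the first two are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample: tab-separated export using a subset of the columns from
# the log in the thread. The first row mirrors the denied request posted there;
# the remaining rows are invented for illustration.
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("Log Time", "Client IP", "Destination Port", "Protocol", "Action", "Rule", "URL"),
    ("11/26/2007 8:18:26 AM", "10.1.2.249", "4402", "SSL-tunnel",
     "Denied Connection", "Default rule", "real.sysfx.com:4402"),
    ("11/26/2007 8:18:31 AM", "10.1.2.249", "4402", "SSL-tunnel",
     "Denied Connection", "Default rule", "real.sysfx.com:4402"),
    ("11/26/2007 8:19:02 AM", "10.1.2.250", "443", "SSL-tunnel",
     "Denied Connection", "Default rule", "shop.example.test:443"),
    ("11/26/2007 8:19:40 AM", "10.1.2.250", "443", "SSL-tunnel",
     "Allowed Connection", "Allow HTTPS out", "mail.example.test:443"),
    ("11/26/2007 8:20:05 AM", "10.1.2.251", "80", "http",
     "Allowed Connection", "Allow HTTP out", "http://www.example.test/"),
])


def port_in_ranges(port, ranges):
    """True if port falls inside any inclusive (low, high) range."""
    return any(low <= port <= high for low, high in ranges)


def triage_tunnel_denials(log_text, tunnel_ranges=((443, 443),)):
    """Group denied SSL-tunnel requests by likely cause.

    tunnel_ranges is what the operator believes is configured (assumption:
    only 443, as stated in the thread). Denials on ports outside it point at
    the tunnel port range; denials inside it point at the access rules.
    """
    outside, inside = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(log_text), delimiter="\t"):
        if row.get("Protocol") != "SSL-tunnel":
            continue
        if not (row.get("Action") or "").startswith("Denied"):
            continue
        try:
            port = int(row.get("Destination Port") or "")
        except ValueError:
            continue  # skip records with a missing or malformed port
        bucket = inside if port_in_ranges(port, tunnel_ranges) else outside
        bucket[(row.get("URL"), row.get("Rule"))] += 1
    return {"outside_tunnel_range": dict(outside), "inside_tunnel_range": dict(inside)}
```

Passing the ranges that were just added, for example `((443, 443), (4402, 4402))`, moves the 4402 denials into `inside_tunnel_range`; if they still appear in a fresh log, the range change has not taken effect or no access rule covers the destination.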
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20351908
Hmmm - according to that log output the pre vbs script hasn't been successful.
How did you run the pre script?
0
 

Author Comment

by:acaassurance
ID: 20352290
I didn't run any script; I didn't know there was a script that I had to run.  Let me know what script you are talking about.  I don't see in the log file where it states anything about a script file...
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 125 total points
ID: 20352577
<<<That is why I added that port using the ISAtpre tool.  That port is now allowed through along w/443.  Below is the output from the monitoring log:>>>

You didn't mention that in your first post, which is why I checked what port the ssl was going out on. ISAtpre is a vbscript whereby you enter in the starting port number and the finishing port number when it runs. That port range is added to 443 for allowed outbound ssl ports that https can use.

Personally I always use this option from Jim Harrison. I use the ISA tunnel port range rather than the tpre as I find it much more reliable. I have had funnies with the tpre.
http://www.isatools.org/tools.asp?Context=ISA2004

I know you are running ISA2006 but this utility works on all versions.

Keith
0
 

Author Comment

by:acaassurance
ID: 20377136
OK I will try this, can you tell me why I can RDP to the ISA Server or use the ISA Management tool (I keep getting the following error: RPC Server unavailable).  This implementation has been a total disaster.  I have opened up both ports and only using 1 NIC for my RDP access.

Thanks,
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20377396
Did you mean 'can't' ....?

No offence but ISA is quite a specialised product. Open the ISA GUI,
right-click the firewall policy in the left pane and edit the System Policy.
Edit the options for allowing terminal services and make sure internal to local host and vice versa is enabled.
Do the same for the MMC remote management function.
0
 

Author Comment

by:acaassurance
ID: 20442056
Keith,
I used the ISA Tunnel Port tool that you suggested and still the same result.  I am reinstalling ISA 2006 and will allow EVERYTHING outbound and manually block site and ports.
0
 

Author Comment

by:acaassurance
ID: 20449445
Keith,
After multiple tries on the ISA Tunnel Port tool it finally worked.

Thank you,

Unfortunately RDP and trying to use the Management console of ISA on another machine is still not working.  I have allowed Remote Management Computer to be allowed to do both but it still is not working, let me know if you have any other ideas.

Thanks again,
0
 

Author Closing Comment

by:acaassurance
ID: 31410371
After trying it multiple times it finally worked.
0
