HTTPS through VPN

How do I allow VPN clients into ISA 2004 to access HTTPS sites? When my VPN users come into our network on our ISA 2004 firewall, they can hit HTTP web sites but not HTTPS. For instance, if I'm VPN'd into my network and go to my bank's web site, there's no problem hitting the home page. But when I go to log in, I get a Page Cannot be Displayed error. This holds true for any HTTPS login on any site.
Asked by cjb123
1 Solution
 
2PiFLCommented:
You need to enable port 443. Here is a good resource; what you're looking for starts on page 136.
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_configguide-Rev%201%2003.doc#chapter11
0
 
Keith AlabasterCommented:
What protocols have you assigned to the firewall policy FROM VPN clients TO internal?
0
 
cjb123Author Commented:
The protocols are set to All Outbound Traffic.
0
 
Keith AlabasterCommented:
And what do you have from internal to VPN clients?

Do both ends have a route to the other end?
0
 
cjb123Author Commented:
I don't have a rule for Internal to VPN clients.
0
 
cjb123Author Commented:
What kind of rule would I need, an access rule from Internal to VPN clients?
0
 
Keith AlabasterCommented:
Yes, traffic can flow in either direction, and it is an access rule that is required here.
0
 
cjb123Author Commented:
Which protocols do I use for this rule? I tried just applying HTTP and HTTPS as well as All Outbound Traffic, and neither configuration works. I still can't hit HTTPS sites.
0
 
Keith AlabasterCommented:
So what are you seeing in the log when the attempt is made?

ISA GUI - Monitoring - Logging - Start Query.
Now try the access from the client.
0
 
cjb123Author Commented:
Destination IP - is the location that I'm at
Destination Port - 443
Protocol - HTTPS
Action - Initiated
              Failed
              Closed
Rule - Internal to External
Source Network - VPN Clients
0
 
cjb123Author Commented:
Should I take the HTTPS rule out of the Internal to External rule and put it in the Internal to VPN rule?
0
 
cjb123Author Commented:
Never mind, I just tried it and it didn't work.
0
 
cjb123Author Commented:
I know it's been a while, but we're still experiencing the same problem...

However, I just had the inspiration to telnet to port 443 of gmail.com (which is an HTTPS site), and it appeared that a connection had been made.

Any ideas?
0
 
Keith AlabasterCommented:
As per my previous post, I still need to see what is in your log:

*** So what are you seeing in the log when the attempt is made?

ISA GUI - Monitoring - Logging - Start Query.
Now try the access from the client. ***

Please copy & paste the proper output.
0
 
cjb123Author Commented:
Keith... I copied the data out and made it a CSV. Here is the TXT output...

==============================================================

Original Client IP,Client Agent,Authenticated Client,Service,Server Name,Referring Server,Destination Host Name,Transport,MIME Type,Object Source,Source Proxy,Destination Proxy,Bidirectional,Client Host Name,Filter Information,Network Interface,Raw IP Header,Raw Payload,Source Port,Processing Time,Bytes Sent,Bytes Received,Result Code,HTTP Status Code,Cache Information,Error Information,Log Record Type,Log Time,Destination IP,Destination Port,Protocol,Action,Rule,Client IP,Client Username,Source Network,Destination Network,HTTP Method,URL
192.168.5.106,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,3926,0,0,0,0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED,,0x0,0x0,Firewall,2/4/2008 11:27,64.233.167.147,443,HTTPS,Denied Connection,,192.168.5.106,,VPN Clients,External,-,-
192.168.5.106,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,3926,0,0,0,0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED,,0x0,0x0,Firewall,2/4/2008 11:27,64.233.167.147,443,HTTPS,Denied Connection,,192.168.5.106,,VPN Clients,External,-,-


===============================================================

Let me know if you need any more info.
0
 
cjb123Author Commented:
Here is more info....

========================================================


Original Client IP,Client Agent,Authenticated Client,Service,Server Name,Referring Server,Destination Host Name,Transport,MIME Type,Object Source,Source Proxy,Destination Proxy,Bidirectional,Client Host Name,Filter Information,Network Interface,Raw IP Header,Raw Payload,Source Port,Processing Time,Bytes Sent,Bytes Received,Result Code,HTTP Status Code,Cache Information,Error Information,Log Record Type,Log Time,Destination IP,Destination Port,Protocol,Action,Rule,Client IP,Client Username,Source Network,Destination Network,HTTP Method,URL
192.168.5.104,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,2835,0,0,0,0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED,,0x0,0x0,Firewall,2/4/2008 11:37,64.233.171.83,443,HTTPS,Denied Connection,,192.168.5.104,,VPN Clients,External,-,-
192.168.5.104,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,2835,50,0,2157,0x80074e24 ,,0x0,0x0,Firewall,2/4/2008 11:37,64.233.171.83,443,HTTPS,Closed Connection,Internal to External,192.168.5.104,cjb,VPN Clients,External,-,-
192.168.5.104,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,2835,0,0,0,0x0 ,,0x0,0x0,Firewall,2/4/2008 11:37,64.233.171.83,443,HTTPS,Initiated Connection,Internal to External,192.168.5.104,cjb,VPN Clients,External,-,-

========================================================
0
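A small triage script, added here as an example and not part of this thread, that parses ISA 2004 firewall-log CSV exports in the column layout posted above and flags rows whose result code is FWX_E_TCP_NOT_SYN_PACKET_DROPPED. The sample rows are copies of the three lines cjb123 posted; the watch-list dictionary and the function names are my own.

```python
import csv
import io
from collections import Counter

# Constructed sample: the three rows cjb123 posted above, in the same 39-column
# ISA 2004 firewall-log export layout (header line copied from the post).
SAMPLE_LOG = """Original Client IP,Client Agent,Authenticated Client,Service,Server Name,Referring Server,Destination Host Name,Transport,MIME Type,Object Source,Source Proxy,Destination Proxy,Bidirectional,Client Host Name,Filter Information,Network Interface,Raw IP Header,Raw Payload,Source Port,Processing Time,Bytes Sent,Bytes Received,Result Code,HTTP Status Code,Cache Information,Error Information,Log Record Type,Log Time,Destination IP,Destination Port,Protocol,Action,Rule,Client IP,Client Username,Source Network,Destination Network,HTTP Method,URL
192.168.5.104,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,2835,0,0,0,0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED,,0x0,0x0,Firewall,2/4/2008 11:37,64.233.171.83,443,HTTPS,Denied Connection,,192.168.5.104,,VPN Clients,External,-,-
192.168.5.104,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,2835,50,0,2157,0x80074e24 ,,0x0,0x0,Firewall,2/4/2008 11:37,64.233.171.83,443,HTTPS,Closed Connection,Internal to External,192.168.5.104,cjb,VPN Clients,External,-,-
192.168.5.104,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,2835,0,0,0,0x0 ,,0x0,0x0,Firewall,2/4/2008 11:37,64.233.171.83,443,HTTPS,Initiated Connection,Internal to External,192.168.5.104,cjb,VPN Clients,External,-,-
"""

# Result codes worth flagging (assumed watch list). 0xc0040017 is logged when
# ISA receives a TCP packet that is not a SYN and matches no connection it is
# tracking, i.e. it saw only part of a flow (asymmetric path / wrong interface).
WATCHLIST = {"0xc0040017": "FWX_E_TCP_NOT_SYN_PACKET_DROPPED"}


def parse_isa_log(text):
    """Parse an ISA CSV export into a list of dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def result_code(row):
    """'Result Code' is '<hex> <symbol>' or '<hex> '; return just the hex part."""
    parts = row["Result Code"].split()
    return parts[0] if parts else ""


def triage(rows, port="443", source_network="VPN Clients"):
    """Summarise flows to one port from one ISA network.

    Returns (actions, flagged): actions maps client IP -> Counter of Action
    values; flagged lists (client, destination, symbol, rule) for watch-listed
    rows. An empty Rule on a flagged row shows the packet was dropped before
    any access rule was matched, so editing rules alone will not change it.
    """
    actions, flagged = {}, []
    for r in rows:
        if r["Destination Port"] != port or r["Source Network"] != source_network:
            continue
        actions.setdefault(r["Client IP"], Counter())[r["Action"]] += 1
        code = result_code(r)
        if code in WATCHLIST:
            flagged.append((r["Client IP"], r["Destination IP"], WATCHLIST[code],
                            r["Rule"] or "<no rule matched>"))
    return actions, flagged
```

Run `triage(parse_isa_log(SAMPLE_LOG))` on a real export to see, per VPN client, how many HTTPS attempts were denied by the stateful engine versus handled by a named access rule.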
 
Keith AlabasterCommented:
Looks like a screw-up with the LAT tables. ISA is seeing traffic arriving on the wrong interface.

Open the GUI, select Configuration - Networks - Internal - Properties - Addresses. What are the addresses listed here? Does it include ALL of your internal addresses? Are the addresses used on the VPN also listed?
0
 
cjb123Author Commented:
My networks don't overlap at all. I'm still not able to connect to an HTTPS site via VPN. I'm able to hit HTTPS sites that are on my LAN, just not external web sites. Here's the way the rule is set up:

Rule Name: VPN Out
Action: Allow
Protocols: FTP, HTTP, HTTPS, IPSec ESP, IPSec NAT-T Client, L2TP Client, PPTP, SSH
From/Listener: VPN Clients
To: External, Internal, Anywhere
Condition: All Users
0
 
Keith AlabasterCommented:
Hmmmm - rule looks OK.

DNS on a VPN client is resolving the external IP OK? i.e. on the VPN client machine, nslookup external_web_site_name gives the external IP OK?
External HTTP sites work fine though, don't they.... It's just HTTPS that has issues?

0
 
cjb123Author Commented:
This is correct. Regular HTTP out to external sites works fine; it's just the HTTPS sites that we're having issues with. I.e. if we go to a banking site, the home page comes up, but as soon as you go to log in we get a page cannot be displayed. As for DNS, we even have static routes listed in the etc hosts file.
0
 
Keith AlabasterCommented:
Crikey - I am trying really hard to reproduce this but cannot so far.
When you go to the banking site, is that initially an HTTP site that changes to HTTPS as you hit the logon box? Or was it HTTPS already but then failed when you tried to log in?
0
 
cjb123Author Commented:
When I go to the banking site, it's a regular HTTP site. Once I hit the log in box, it forwards to an HTTPS site. This is where I have problems. Going through the firewall from the LAN, there are no problems. This only occurs while on VPN.
0
 
cjb123Author Commented:
Okay.. weird thing... if I try to

telnet www.google.com 443

FROM VPN I can't get connected at all anymore - I honestly don't know how I was able to do so before..

As stated before, from VPN everything appears to work fine, except that HTTPS on port 443 is the only thing that appears not to work.
0
 
cjb123Author Commented:
And just to add a little more confusion, HTTPS works when we try to connect to an internal server on our LAN via VPN.
0
 
cjb123Author Commented:
Here's a CSV of what I've been able to monitor.. apparently it's no longer blocking the connection, it's initializing the connection..

==============================================

Original Client IP,Client Agent,Authenticated Client,Service,Server Name,Referring Server,Destination Host Name,Transport,MIME Type,Object Source,Source Proxy,Destination Proxy,Bidirectional,Client Host Name,Filter Information,Network Interface,Raw IP Header,Raw Payload,Source Port,Processing Time,Bytes Sent,Bytes Received,Result Code,HTTP Status Code,Cache Information,Error Information,Log Record Type,Log Time,Destination IP,Destination Port,Protocol,Action,Rule,Client IP,Client Username,Source Network,Destination Network,HTTP Method,URL
192.168.5.105,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,3539,0,0,0,0x0 ,,0x0,0x0,Firewall,2/13/2008 12:50,64.233.167.147,443,HTTPS,Initiated Connection,VPN Out,192.168.5.105,,VPN Clients,External,-,-
192.168.5.105,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,3550,0,0,0,0x0 ,,0x0,0x0,Firewall,2/13/2008 12:51,64.233.167.99,443,HTTPS,Initiated Connection,VPN Out,192.168.5.105,,VPN Clients,External,-,-
192.168.5.105,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,3551,0,0,0,0x0 ,,0x0,0x0,Firewall,2/13/2008 12:51,64.233.167.147,443,HTTPS,Initiated Connection,VPN Out,192.168.5.105,,VPN Clients,External,-,-

==============================================
0
 
cjb123Author Commented:
Hey Keith.. calling MSFT today - will post the problem resolution on here whenever we get this thing fixed.

Thanks again for your help.
0
 
Keith AlabasterCommented:
Good call I think - I have not been able to give the time/effort I normally would (work pressures) so this is likely your most expedient approach - sorry :(
0
 
cjb123Author Commented:
Hey Keith.. all we had to do was configure the proxy..
0
 
Keith AlabasterCommented:
Oh God..... Sometimes the simple things are the least obvious. Really sorry but well done :(
0
 
cjb123Author Commented:
I agree! Thanks again, Keith.
0
