Solved

HTTPS through VPN

Posted on 2007-12-05
30
766 Views
Last Modified: 2010-05-18
How do I allow VPN clients into ISA 2004 to access HTTPS sites?  When my VPN users come into our network on our ISA 2004 firewall, they can hit HTTP web sites but not HTTPS.  For instance, if I'm VPN'd in to my network and go to my bank's web site, there's no problem hitting the home page.  But when I go to log in, I get a "Page Cannot be Displayed" error.  This holds true for any HTTPS login on any site.
0
Question by:cjb123
30 Comments
 
LVL 16

Expert Comment

by:2PiFL
ID: 20413915
You need to enable port 443.  Here is a good resource; what you're looking for starts on page 136.
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_configguide-Rev%201%2003.doc#chapter11
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20414287
What protocols have you assigned to the firewall policy FROM VPN Clients TO Internal?
0
 

Author Comment

by:cjb123
ID: 20415742
The protocol is set to All Outbound Traffic.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20415754
And what do you have from Internal to VPN Clients?

Do both ends have a route to the other end?
0
 

Author Comment

by:cjb123
ID: 20415958
I don't have a rule for Internal to VPN clients?
0
 

Author Comment

by:cjb123
ID: 20415961
What kind of rule would I need, an access rule from Internal to VPN Clients?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20417772
Yes, traffic can flow in either direction, and it is an access rule that is required here.
0
 

Author Comment

by:cjb123
ID: 20420593
Which protocols do I use for this rule?  I tried just applying HTTP and HTTPS as well as All Outbound Traffic, and neither configuration works.  I still can't hit HTTPS sites.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20421785
So what are you seeing in the log when the attempt is made?

ISA gui - monitoring - logging - start query
Now try the access from the client.
0
 

Author Comment

by:cjb123
ID: 20423247
Destination IP - is the location that I'm at
Destination Port - 443
Protocol - HTTPS
Action - Initiated
              Failed
              Closed
Rule - Internal to External
Source Network - VPN Clients
0
 

Author Comment

by:cjb123
ID: 20423283
Should I take the HTTPS rule out of the Internal to External rule and put it in the Internal to VPN rule?
0
 

Author Comment

by:cjb123
ID: 20423314
Nevermind, I just tried it and it didn't work
0
 

Author Comment

by:cjb123
ID: 20748337
I know it's been a while, but we're still experiencing the same problem...

However, I just had the inspiration to telnet to port 443 of gmail.com (which is an HTTPS site), and it appeared that a connection was made.

Any ideas?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20749078
As per my previous post, I still need to see what is in your log.

*** So what are you seeing in the log when the attempt is made?

ISA gui - monitoring - logging - start query
Now try the access from the client.***

Please copy & paste the proper output.
0
 

Author Comment

by:cjb123
ID: 20815764
Keith... I copied the data out and made it a CSV.. here is the TXT output...

==============================================================

Original Client IP,Client Agent,Authenticated Client,Service,Server Name,Referring Server,Destination Host Name,Transport,MIME Type,Object Source,Source Proxy,Destination Proxy,Bidirectional,Client Host Name,Filter Information,Network Interface,Raw IP Header,Raw Payload,Source Port,Processing Time,Bytes Sent,Bytes Received,Result Code,HTTP Status Code,Cache Information,Error Information,Log Record Type,Log Time,Destination IP,Destination Port,Protocol,Action,Rule,Client IP,Client Username,Source Network,Destination Network,HTTP Method,URL
192.168.5.106,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,3926,0,0,0,0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED,,0x0,0x0,Firewall,2/4/2008 11:27,64.233.167.147,443,HTTPS,Denied Connection,,192.168.5.106,,VPN Clients,External,-,-
192.168.5.106,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,3926,0,0,0,0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED,,0x0,0x0,Firewall,2/4/2008 11:27,64.233.167.147,443,HTTPS,Denied Connection,,192.168.5.106,,VPN Clients,External,-,-


===============================================================

let me know if you need any more info
0
 

Author Comment

by:cjb123
ID: 20815841
here is more info....

========================================================


Original Client IP,Client Agent,Authenticated Client,Service,Server Name,Referring Server,Destination Host Name,Transport,MIME Type,Object Source,Source Proxy,Destination Proxy,Bidirectional,Client Host Name,Filter Information,Network Interface,Raw IP Header,Raw Payload,Source Port,Processing Time,Bytes Sent,Bytes Received,Result Code,HTTP Status Code,Cache Information,Error Information,Log Record Type,Log Time,Destination IP,Destination Port,Protocol,Action,Rule,Client IP,Client Username,Source Network,Destination Network,HTTP Method,URL
192.168.5.104,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,2835,0,0,0,0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED,,0x0,0x0,Firewall,2/4/2008 11:37,64.233.171.83,443,HTTPS,Denied Connection,,192.168.5.104,,VPN Clients,External,-,-
192.168.5.104,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,2835,50,0,2157,0x80074e24 ,,0x0,0x0,Firewall,2/4/2008 11:37,64.233.171.83,443,HTTPS,Closed Connection,Internal to External,192.168.5.104,cjb,VPN Clients,External,-,-
192.168.5.104,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,2835,0,0,0,0x0 ,,0x0,0x0,Firewall,2/4/2008 11:37,64.233.171.83,443,HTTPS,Initiated Connection,Internal to External,192.168.5.104,cjb,VPN Clients,External,-,-

========================================================
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20817461
Looks like a screw-up with the LAT tables. ISA is seeing traffic arriving on the wrong interface.

Open the GUI, select Configuration - Networks - Internal - Properties - Addresses. What are the addresses listed here? Does it include ALL of your internal addresses? Are the addresses used on the VPN also listed?
0
 

Author Comment

by:cjb123
ID: 20826842
My networks don't overlap at all.  I'm still not able to connect to a https site via VPN.  I'm able to hit https sites that are on my LAN, just not external websites.  Here's the way the rule is set up:

Rule Name: VPN Out
Action: Allow
Protocols: FTP, HTTP, HTTPS, IPSec ESP, IPSec NAT-T Client, L2TP Client, PPTP, SSH
From/Listener: VPN Clients
To: External, Internal, Anywhere
Condition: All Users
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20826932
Hmmmm - rule looks OK.

Is DNS on a VPN client resolving the external IP OK?  i.e. on the VPN client machine, does nslookup external_web_site_name give the external IP OK?
External HTTP sites work fine though, don't they.... It's just HTTPS that has issues?

0
 

Author Comment

by:cjb123
ID: 20828918
This is correct.  Regular HTTP out to external sites works fine; it's just the HTTPS sites that we're having issues with.  I.e. if we go to a banking site, the home page comes up, but as soon as you go to log in, we get a page cannot be displayed.  As for DNS, we even have static routes listed in the etc hosts file.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20833763
Crikey - I am trying really hard to reproduce this but cannot so far.
When you go to the banking site is that initially an http site that changes to https as you hit the logon box? Or was it https already but then failed when you tried to login?
0
 

Author Comment

by:cjb123
ID: 20842267
When I go to the banking site, it's a regular http site.  Once I hit the log in box, it forwards to a https site.  This is where I have problems.  Going through the firewall from the LAN, there's no problems.  This only occurs while on VPN.
0
 

Author Comment

by:cjb123
ID: 20886245
Okay.. weird thing... if I try to

telnet www.google.com 443

FROM VPN I can't get connected at all anymore - I honestly don't know how I was able to do so before..

As stated before, from VPN, everything appears to work fine, except that HTTPS on port 443 is the only thing that appears not to work
0
 

Author Comment

by:cjb123
ID: 20886344
And just to add a little more confusion, HTTPS works when we try to connect to an internal server on our LAN via VPN
0
 

Author Comment

by:cjb123
ID: 20886497
Here's a CSV of what I've been able to monitor.. apparently it's no longer blocking the connection, it's initiating the connection..

==============================================

Original Client IP,Client Agent,Authenticated Client,Service,Server Name,Referring Server,Destination Host Name,Transport,MIME Type,Object Source,Source Proxy,Destination Proxy,Bidirectional,Client Host Name,Filter Information,Network Interface,Raw IP Header,Raw Payload,Source Port,Processing Time,Bytes Sent,Bytes Received,Result Code,HTTP Status Code,Cache Information,Error Information,Log Record Type,Log Time,Destination IP,Destination Port,Protocol,Action,Rule,Client IP,Client Username,Source Network,Destination Network,HTTP Method,URL
192.168.5.105,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,3539,0,0,0,0x0 ,,0x0,0x0,Firewall,2/13/2008 12:50,64.233.167.147,443,HTTPS,Initiated Connection,VPN Out,192.168.5.105,,VPN Clients,External,-,-
192.168.5.105,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,3550,0,0,0,0x0 ,,0x0,0x0,Firewall,2/13/2008 12:51,64.233.167.99,443,HTTPS,Initiated Connection,VPN Out,192.168.5.105,,VPN Clients,External,-,-
192.168.5.105,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,3551,0,0,0,0x0 ,,0x0,0x0,Firewall,2/13/2008 12:51,64.233.167.147,443,HTTPS,Initiated Connection,VPN Out,192.168.5.105,,VPN Clients,External,-,-

==============================================
0
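As an added illustration (not posted by cjb123 or Keith, and not ISA's own tooling), the following Python script parses the ISA 2004 firewall-log CSV exports quoted in the three log posts above, regroups the rows by connection (client IP, source port, destination IP, destination port) and classifies each connection as denied, closed or initiated-only, flagging the FWX_E_TCP_NOT_SYN_PACKET_DROPPED result code. The header and data rows are copied from the thread; the grouping and the verdict labels are this example's own.

```python
import csv
import io
from collections import defaultdict

# Sample log assembled from the rows posted in the thread (ISA 2004 firewall-log CSV export).
SAMPLE_LOG = """\
Original Client IP,Client Agent,Authenticated Client,Service,Server Name,Referring Server,Destination Host Name,Transport,MIME Type,Object Source,Source Proxy,Destination Proxy,Bidirectional,Client Host Name,Filter Information,Network Interface,Raw IP Header,Raw Payload,Source Port,Processing Time,Bytes Sent,Bytes Received,Result Code,HTTP Status Code,Cache Information,Error Information,Log Record Type,Log Time,Destination IP,Destination Port,Protocol,Action,Rule,Client IP,Client Username,Source Network,Destination Network,HTTP Method,URL
192.168.5.106,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,3926,0,0,0,0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED,,0x0,0x0,Firewall,2/4/2008 11:27,64.233.167.147,443,HTTPS,Denied Connection,,192.168.5.106,,VPN Clients,External,-,-
192.168.5.104,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,2835,0,0,0,0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED,,0x0,0x0,Firewall,2/4/2008 11:37,64.233.171.83,443,HTTPS,Denied Connection,,192.168.5.104,,VPN Clients,External,-,-
192.168.5.104,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,2835,50,0,2157,0x80074e24 ,,0x0,0x0,Firewall,2/4/2008 11:37,64.233.171.83,443,HTTPS,Closed Connection,Internal to External,192.168.5.104,cjb,VPN Clients,External,-,-
192.168.5.104,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,2835,0,0,0,0x0 ,,0x0,0x0,Firewall,2/4/2008 11:37,64.233.171.83,443,HTTPS,Initiated Connection,Internal to External,192.168.5.104,cjb,VPN Clients,External,-,-
192.168.5.105,,,,KE-FW-INF2,-,,TCP,-,,,,,,-,,,,3539,0,0,0,0x0 ,,0x0,0x0,Firewall,2/13/2008 12:50,64.233.167.147,443,HTTPS,Initiated Connection,VPN Out,192.168.5.105,,VPN Clients,External,-,-
"""

NOT_SYN_CODE = "FWX_E_TCP_NOT_SYN_PACKET_DROPPED"


def parse_isa_log(text):
    """Parse an ISA firewall-log CSV export into a list of dicts with whitespace stripped
    (the export pads some result codes, e.g. '0x0 ')."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def flow_key(rec):
    """One TCP connection = same client IP, source port, destination IP and port."""
    return (rec["Client IP"], rec["Source Port"], rec["Destination IP"], rec["Destination Port"])


def summarize_flows(records):
    """Group records per connection and give each a verdict:
    'denied' if any record was a Denied Connection, else 'closed' if the connection
    was closed, else 'initiated-only' if ISA only ever logged the initiation."""
    flows = defaultdict(list)
    for rec in records:
        flows[flow_key(rec)].append(rec)
    summary = {}
    for key, recs in flows.items():
        actions = [r["Action"] for r in recs]
        if "Denied Connection" in actions:
            verdict = "denied"
        elif "Closed Connection" in actions:
            verdict = "closed"
        elif "Initiated Connection" in actions:
            verdict = "initiated-only"
        else:
            verdict = "unknown"
        summary[key] = {
            "verdict": verdict,
            "actions": actions,
            # keep only non-trivial result codes; 0x0 is success/no error
            "result_codes": sorted({r["Result Code"] for r in recs if r["Result Code"] not in ("", "0x0")}),
            "bytes_received": sum(int(r["Bytes Received"] or 0) for r in recs),
            "rules": sorted({r["Rule"] for r in recs if r["Rule"]}),
        }
    return summary


def not_syn_drops(records):
    """Records where ISA dropped a non-SYN TCP packet that matched no known connection,
    the result code that appeared in the first two log posts."""
    return [r for r in records if NOT_SYN_CODE in r["Result Code"]]


if __name__ == "__main__":
    recs = parse_isa_log(SAMPLE_LOG)
    for key, info in summarize_flows(recs).items():
        print(key, info["verdict"], info["result_codes"], info["rules"], info["bytes_received"])
    print(f"{len(not_syn_drops(recs))} NOT_SYN drops")
```

Run it against your own export by reading the CSV file into `parse_isa_log`; a connection that stays "initiated-only" with no matching close, as in the third log post, is the pattern to look for when the client side still reports "Page Cannot be Displayed".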
 

Author Comment

by:cjb123
ID: 20901656
Hey Keith.. calling MSFT today - will post the problem resolution on here whenever we get this thing fixed.

thanks again for your help
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20904602
Good call I think - I have not been able to give the time/effort I normally would (work pressures) so this is likely your most expedient approach - sorry :(
0
 

Accepted Solution

by:
cjb123 earned 0 total points
ID: 20961882
Hey Keith.. all we had to do was configure the proxy..
0
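The accepted resolution is simply "configure the proxy". The following is an added example (not from the thread, and not ISA code); it assumes the proxy in question is the ISA web proxy listener and that, once a client is pointed at it, HTTPS is tunnelled with an HTTP CONNECT request. The script builds that request, parses the proxy's status line so a 200 (tunnel open) can be told apart from a 407 (proxy authentication required) or a 502 (upstream failure), and offers a live probe against a proxy host and port that you supply; the host and port values in the script are placeholders.

```python
import socket


def build_connect_request(host, port, proxy_auth=None):
    """Build the HTTP CONNECT request a proxy-configured client sends to open an HTTPS tunnel.
    proxy_auth, if given, is the full Proxy-Authorization header value (e.g. 'Basic ...')."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if proxy_auth:
        lines.append(f"Proxy-Authorization: {proxy_auth}")
    lines.append("")  # end of headers
    lines.append("")  # produces the trailing CRLF CRLF
    return "\r\n".join(lines).encode("ascii")


def parse_proxy_status(response):
    """Return (status_code, reason) from the first line of the proxy's response.
    Raises ValueError if the bytes are not an HTTP status line."""
    head, _, _ = response.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def tunnel_established(response):
    """True when the proxy answered 2xx, i.e. the CONNECT tunnel is open."""
    code, _ = parse_proxy_status(response)
    return 200 <= code < 300


def probe_https_via_proxy(proxy_host, proxy_port, target_host, target_port=443, timeout=5.0):
    """Live check: connect to the proxy, send CONNECT, and return (status_code, reason).
    Needs network access; nothing else in this file does."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect_request(target_host, target_port))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
        return parse_proxy_status(buf)


if __name__ == "__main__":
    # Placeholder proxy address; replace with the ISA web proxy listener the VPN client uses.
    PROXY_HOST = "isa-proxy.example.invalid"
    PROXY_PORT = 8080
    print(probe_https_via_proxy(PROXY_HOST, PROXY_PORT, "www.google.com"))
```

If the probe returns 200 the proxy is willing to tunnel port 443 for that client; a 407 means the listener requires authentication the VPN client is not supplying, and a connection timeout points back at the firewall-policy questions earlier in the thread rather than at the proxy settings.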
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20962000
Oh God..... Sometimes the simple things are the least obvious. Really sorry but well done :(
0
 

Author Comment

by:cjb123
ID: 20978217
I agree!  Thanks again Keith
0
