Solved

Microsoft, ISA, 3.0, Installed on the domain network but being accessed through WAN VPN links from remote workgroup sites

Posted on 2007-12-06
Last Modified: 2012-06-27
I have set up an ISA server to allow remote sites access to the Internet, but only a selection of websites. This has been working fine using an ISA server on the main network and setting the proxy on the remote site clients to this server on port 8080. The remote sites connect back to the network over a VPN WAN link.
We have recently required these sites to access a website which requires a logon, which then goes to an HTTPS page. When it redirects to the HTTPS page the error message says:

The page cannot be displayed
There is a problem with  

The rest of the error message page is not displayed.

The page is
Question by:ghutchins
LVL 51

Expert Comment

by:Keith Alabaster
No such thing as ISA 3.0 - Do you mean ISA2000? 2004? 2006?

The port 8080 is the port number that clients use to talk to the ISA server, not the port they use to talk to the website. The traffic leaves ISA on the port specified in the type of traffic (default is 80 for http, 443 for https).

Sounds like the request is being redirected to another https page that is not running port 443. ISA, by default, only allows https traffic to be used on port 443 - if the required https site uses a different port number then the site would be blocked.

Open the ISA GUI, select monitoring - logging - start query.
What do you see in the log when access is made from a client?
Does the site work OK when a connection attempt is made from a local client (rather than from a client at one of your branch offices)?

0
 

Author Comment

by:ghutchins
Sorry it's ISA 2000 SP2.

I can access the site fine from a local client.
0
 

Author Comment

by:ghutchins
Please see the log below, I have ****** out the IP address:


date      time      s-computername      cs-referred      r-host      r-ip      r-port      time-taken      cs-bytes      sc-bytes      cs-protocol      s-operation      cs-uri      s-object-source      sc-status
01/12/2007      17:07:04      MPISA02      -      www.cfs-uk.com      ***********      80      344      300      972      http      GET      http://www.cfs-uk.com/      VFInet      200
01/12/2007      17:07:04      MPISA02      -      www.cfs-uk.com      ***********      80      125      341      4260      http      GET      http://www.cfs-uk.com/left.htm      VFInet      200
01/12/2007      17:07:04      MPISA02      -      www.cfs-uk.com      ***********      80      266      340      599      http      GET      http://www.cfs-uk.com/top.htm      VFInet      200
01/12/2007      17:07:04      MPISA02      -      www.cfs-uk.com      ***********      80      63      341      2364      http      GET      http://www.cfs-uk.com/main.htm      VFInet      200
01/12/2007      17:07:04      MPISA02      -      www.cfs-uk.com      ***********      80      94      264      1607      http      GET      http://www.cfs-uk.com/cfs.css      VFInet      200
01/12/2007      17:07:05      MPISA02      -      www.cfs-uk.com      ***********      80      219      271      417      http      GET      http://www.cfs-uk.com/menu%20dot.gif      VFInet      200
01/12/2007      17:07:05      MPISA02      -      www.cfs-uk.com      ***********      80      360      265      8753      http      GET      http://www.cfs-uk.com/left.gif      VFInet      200
01/12/2007      17:07:05      MPISA02      -      www.cfs-uk.com      ***********      80      156      266      418      http      GET      http://www.cfs-uk.com/blank.gif      VFInet      200
01/12/2007      17:07:05      MPISA02      -      www.cfs-uk.com      ***********      80      282      267      540      http      GET      http://www.cfs-uk.com/top-bkg.gif      VFInet      200
01/12/2007      17:07:05      MPISA02      -      www.cfs-uk.com      ***********      80      187      263      15196      http      GET      http://www.cfs-uk.com/top.gif      VFInet      200
01/12/2007      17:07:05      MPISA02      -      www.cfs-uk.com      ***********      80      94      265      2022      http      GET      http://www.cfs-uk.com/cfs2.css      VFInet      200
01/12/2007      17:07:05      MPISA02      -      www.cfs-uk.com      ***********      80      63      267      187      http      GET      http://www.cfs-uk.com/slogan.gif      VFInet      302
01/12/2007      17:07:07      MPISA02      -      www.cfs-uk.com      ***********      80      734      271      19331      http      GET      http://www.cfs-uk.com/snapfront2.jpg      VFInet      200
01/12/2007      17:07:07      MPISA02      -      www.cfs-uk.com      ***********      80      109      294      2245      http      GET      http://www.cfs-uk.com/slogan.gif/retry=a0db9a9f4c7af5a08071      Inet      200
01/12/2007      17:07:08      MPISA02      -      www.cfs-uk.com      ***********      80      1657      271      27725      http      GET      http://www.cfs-uk.com/snapfront1.jpg      Inet      200
01/12/2007      17:07:13      MPISA02      -      www.cfs-uk.com      -      443      -      -      -      SSL-tunnel      -      www.cfs-uk.com:443      Inet      12202
01/12/2007      17:07:25      MPISA02      -      www.cfs-uk.com      ***********      80      78      267      2245      http      GET      http://www.cfs-uk.com/slogan.gif      Inet      200
01/12/2007      17:07:37      MPISA02      -      www.cfs-uk.com      -      443      -      -      -      SSL-tunnel      -      www.cfs-uk.com:443      Inet      12202
0
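A way to pull the destinations the proxy refused out of a log in the layout posted above, as an added example that is not part of the original thread. The sample rows, host names and addresses are constructed; 12202 is ISA Server's result code for a URL it denied, and treating any sc-status outside 100-599 as a proxy-side failure is an assumption of this example.

```python
from collections import Counter

# Constructed sample in the column layout of the log posted above; host names
# and addresses are placeholders, not values from the thread.
SAMPLE_LOG = """\
date  time  s-computername  cs-referred  r-host  r-ip  r-port  time-taken  cs-bytes  sc-bytes  cs-protocol  s-operation  cs-uri  s-object-source  sc-status
01/12/2007  17:07:04  PROXY01  -  www.example.com  192.0.2.10  80  344  300  972  http  GET  http://www.example.com/  Inet  200
01/12/2007  17:07:05  PROXY01  -  www.example.com  192.0.2.10  80  63  267  187  http  GET  http://www.example.com/login  Inet  302
01/12/2007  17:07:13  PROXY01  -  secure.example.net  -  443  -  -  -  SSL-tunnel  -  secure.example.net:443  Inet  12202
01/12/2007  17:07:37  PROXY01  -  secure.example.net  -  443  -  -  -  SSL-tunnel  -  secure.example.net:443  Inet  12202
01/12/2007  17:07:40  PROXY01  -  www.example.com
"""


def parse_rows(text):
    """Return one dict per complete log row, keyed by the header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()           # fields hold no spaces (URIs are %-encoded)
        if len(fields) == len(header):  # skip truncated or garbled lines
            rows.append(dict(zip(header, fields)))
    return rows


def proxy_failures(rows):
    """Count rows whose sc-status is a proxy result code, not an HTTP status."""
    counts = Counter()
    for row in rows:
        if not row["sc-status"].isdigit():
            continue
        status = int(row["sc-status"])
        if not 100 <= status <= 599:    # e.g. 12202: ISA denied the requested URL
            key = (row["r-host"], row["r-port"], row["cs-protocol"], status)
            counts[key] += 1
    return counts


def report(text):
    """Refused destinations, most frequent first, to check against the allow rules."""
    return proxy_failures(parse_rows(text)).most_common()


if __name__ == "__main__":
    for (host, port, proto, status), n in report(SAMPLE_LOG):
        print(f"{host}:{port} {proto} status={status} x{n}")
```

Each reported host and port is a destination to compare with the sites and protocols the access rules allow for the requesting clients.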
 
LVL 51

Expert Comment

by:Keith Alabaster
What rules do you have from VPN clients to external?
0
 

Author Comment

by:ghutchins
The problem was the website was redirecting to another domain. I allowed the company's IP range and the problem was resolved.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
Yes, if the rules do not include the required sources/destinations then traffic flow is not allowed.
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
PAQed with points refunded (500)

Computer101
EE Admin
0
