• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 837
  • Last Modified:

SSL Tunneling in ISA 2004

I'm currently trying to configure a ISA 2004 server to let a program we use connect to a global server.
The Program uses port 443 to connect to the server (HTTPS).
If I try to open every single port by selecting "All Outbound Trafic" from all networks to all networks the action in the log found reports: "Failed Connection Attempt".
If I disable that rule, i get a "Denied Connection" which comes from the Default Rule.

What did I do wrong?
0
Shadowmage1991
Asked:
Shadowmage1991
  • 11
  • 10
2 Solutions
 
Keith AlabasterEnterprise ArchitectCommented:
Probably nothing - make sure you have ISA2004 sp3 applied.

Open the isa gui - select monitoring - logging - start query
cut and paste the results for the log please, or better still, make sure all columns are displayed in the log window then use the copy to cliboard option and paste into Excel. Upload the excel sheet and i should then be able to give you chapter and verse.

Get rid of that rule all protocols to and from all networks - that is a disastrous approach.
The fact it is denied by default rule suggests that the call being made is then being redirected. ISA only supports https on 443 as standard. - we have a tool that expands the port range if we need it. - Need the log though
0
 
Shadowmage1991Author Commented:
I've attached the error log to my message.
I've gotten rid of the all to all rule as you said.

And how can I check which SP I have installed on the ISA server?
Error-Log.xls
0
 
Keith AlabasterEnterprise ArchitectCommented:
I cannot view that site either from any of my ISA test labs and I know they are correctly setup - the detailed info I get from the report is:

****
This error (HTTP 403 Forbidden) means that Internet Explorer was able to connect to the website, but it does not have permission to view the webpage.
****
As stated, I have got to the web site correctly therefore ISA has done what it is supposed to and established the ssl connection to the site. At that point, the site takes over. ISA cannot control that stage....

This can mean a couple of things including
1 - You need a certificate on the client machine/work station for authentication
2 - There are source ip address restrictions to allowed machines/addresses only
3 - The site has a problem on their default page
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
Shadowmage1991Author Commented:
The Reason Internet explorer can't access it is because its a Global Server that a program that we run here in the school to check students their tests. It requires a SSL Connection.

1 - And How exactly do i do this?
2 - you mean there are restrictions to the workstation so that they can't get access on the server?
3 - I'm pretty sure there is not supposed to be a default page.

Thank you
0
 
Keith AlabasterEnterprise ArchitectCommented:
Sorry, haven't explained myself very well then.

SSl simply means a Secure Socket layer - this is a fancy name for a connection that uses https traffic over port 443 by default between the client PC and its browser and the remote site. You instigate an SSL connection when you put https:// inthe browser address line rather than just http://

The 's' in https means secured http. The fact that the message I got back was 'connected to web site OK' means that the rules you have for web based https (which are the same as mine) are correct. Your ISA is allowing https through.

You mention 'the program'. by default, isa lets port 443 through using the web proxy service. What is the program you are using? I am wondering if we need to let native tcp port 443 through the firewall also as well as web-based https over port 443
0
 
Shadowmage1991Author Commented:
The program the school uses is called "CorrectionManager.exe" its a Cito program that allows teachers to check the tests that the students make. The weirdest thing is this:

When I disable that bad ass rule which allows all networks to all networks my https web pages won't work.
At the moment i'm not at work so I can't check the exact access rules I put into the ISA Server but i do memorize a few.
0
 
Keith AlabasterEnterprise ArchitectCommented:
Just for reference then, the normal rules (access rules) you would expect to see would be split up.
you don't mention though if your ISA is a firewall/proxy or just a proxy box?
I am assuming it is a firewall & proxy. If so, are you using the ISA firewall client?

I would expect to see the following types of rule:

allow dns from internal_dns_server_ip_addresses to external - all users
allow smtp from Internal_mail_server_ip_addresses to external - all users
allow all protocols FROM internal & local host TO internal & local host - all users

allow http/https from internal & local host to external - all users, authenticated users, ad group or whatever you want to use
etc etc etc
then any publishing rules you may have
0
 
Shadowmage1991Author Commented:
Just to clear it up, the server is not just a proxy box, it is actually a Firewall and Proxy.
I do -not- use the ISA Firewall client. I connect to the server with .rdp files (I thought its called Terminal Server? ;) )

Is there a way I can show you all the possible rules so you can have a look at them?
But yes i do have the Access Rules first and then the publishing rules.

Also, i've raised the points value since I really apreciate the help and the problem was harder then i expected it to be. (Raised to 250)

Thank you very much.
0
 
Keith AlabasterEnterprise ArchitectCommented:
Welcome (I don't look at the points value - a question is a question but thank you all the same).

Bear with me here.
Open  a web browser on the client - type in https://ctgs26-secure.citogroep.nl
What do you get on the screen? The same as me? A message saying "The website declined to show this webpage"?  It needs you to login?

Try creating a new protocol called pure443 using tcp port 443 to 443
Create a new access rule (at position 1) using the pure443 protocol from internal to external - all users
Apply the policy and retry please.



0
 
Shadowmage1991Author Commented:
I'm not at work at the moment so I can't test it.
How does the position order apply? (Which rules are executed first, which last?)
But yes. If i go to the webpage i get "Directory Listing Denied
This Virtual Directory does not allow contents to be listed."

I will try first thing at monday.
0
 
Keith AlabasterEnterprise ArchitectCommented:
Top to bottom in that order but also checks the ISA System policy against each rule also.
so..... 443 on https is going out OK but no credentials are being passed (as you'd expect becuase the site is not actually a web site by the looks of it).

The site wants user credentials but ISA will not pass them automatically as you are not using the web proxy when you run the client application - you will be using a SecureNAT connection I would expect. Has this ever worked? I think you may want to try installing the ISA firewall client on the calling client machine as well.

have a good weekend

keith

.

0
 
Shadowmage1991Author Commented:
Top to bottom as in from 1 to 16?
And no, the program has never worked before. However if we plug in a laptop in a switch behind the ISA Server (basicly in the front of the network directly to internet) it does work. But that's not really a valid option.

Just to make sure.. What does the ISA Firewall Client exactly do?

Have a good weekend :)
0
 
Keith AlabasterEnterprise ArchitectCommented:
Yes   1 - 16 - top of the screen downwards...

Going to keep it brief as you can just Google for this. When you log on to your doamin, the username and password entered create a set of credentials (tokens effectively) that can be used to authenticate you agaisnt prmission restrictions, file access control, etc etc. Web proxy connections used in ISA can also validate the request against a list from AD etc, whatever you want. However, some programs cannot handle this feature.

For example, an FTP client prgram tries to get out to the internet to an external ftp site. The access attempt is made - ISA sees the request and looks for the credentials - can't see them aso says - hey, where are your credentials, I need them to check you are allowed to do this, the ftp client has no way of passing the credentials so the call fails.Similarly, using ftp from inside the IE browser, ISA agains asks for the credentials but IE DOES have a machanism to pass the credentials to ISA and the traffic will pass subject to the user being in the allowed list.

The firewall client provides the supporting environment to allow the credentails to be passed to ISA when it asks for them. The ISA fw client van do other things as well in respect to gateways and winsock prducts but thats sort of out of scope for the moment./
0
 
Shadowmage1991Author Commented:
I downloaded ISA Server Firewall Client from this link:
http://www.microsoft.com/downloads/details.aspx?FamilyID=05C2C932-B15A-4990-B525-66380743DA89&displaylang=en

I configure it manually by typing in the IP of the ISA Server but when i then try to boot the internet explorer and go to a simple page like google it says page cannot be displayed. If i look in the System tray i do see the firewall client icon with the enable icon in it. However any page i try can't be displayed. Is this settings that has to be configured in the ISA Server? Or does this have to be configured at the client side?
0
 
Keith AlabasterEnterprise ArchitectCommented:
Have a short read first. (saves me typing a lot) :)

http://www.microsoft.com/technet/isa/2006/clients.mspx
0
 
Shadowmage1991Author Commented:
Thanks for the link :) It cleared a lot up about the Server / Client story :)

Ok, so correct me if i'm wrong.
First, you install the Firewall Client on the calling client.
Then you change a configuration in the ISA Server to define the Firewall Client to allow the program we use to pass on credentials right through the ISA Server on to the Global "Cito" Server?
0
 
Keith AlabasterEnterprise ArchitectCommented:
Absolutely but in conjunction with your ISA server - ie ISA itself has to have the rules in place to allow the requied ports to pass in the first place :)
0
 
Shadowmage1991Author Commented:
Ok, i'll try this tomorrow as i'm not at work at the moment ;)
Thanks for all this help and i'll update this post tomorrow when i'm at work :)
0
 
Keith AlabasterEnterprise ArchitectCommented:
lol - I am on UK time so I've just got home about 30 minutes ago
0
 
Shadowmage1991Author Commented:
Ok, so if i want to add a program called "CorrectionManager.exe" i'll have to add the code below to the Define Firewall Client Application Settings?
Disable=0
NameResolution=R
LocalBindTcpPorts=443
RemoteBindTcpPorts=443
ServerBindTcpPorts=443
Persistent=1
ForceCredentials=1
NameResolutionForLocalHost=L

Open in new window

0
 
Shadowmage1991Author Commented:
Could anyone check this smack of code for me?
Thanks in advance.
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

  • 11
  • 10
Tackle projects and never again get stuck behind a technical roadblock.
Join Now