  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 496

HTTPS traffic doesn't pass through from one of the internal networks.

My network configuration is 3 internal networks connected to ISA Server 2006 (4 network cards in total). I need to be able to activate Windows XP machines from all of my internal networks. During activation, Windows XP connects to http://wpa.one.microsoft.com and then to https://wpa.one.microsoft.com. From my Internal Network #1 everything works fine. Activation doesn't work from my other 2 internal networks, despite the fact that for test purposes I configured all 3 of my internal networks exactly the same.
If I try the following command "telnet wpa.one.microsoft.com 443" from my Internal Network #1, it works. From my other 2 internal networks I'm getting a "Connection Failure" error.
My routing table on the ISA machine seems fine. I have only one default route, through my external interface.
I've seen the "HTTPS access through ISA 2006" article, but I didn't understand how to adjust the HTTP timeout settings, and if that setting applies globally, then it's not my case, since I have it working fine from one of my networks.

Thank you.
Any help is greatly appreciated.
Asked by: Dinus
1 Solution
 
Keith Alabaster (Enterprise Architect) commented:
Including the wireless network, I have 6 internal networks, so it can certainly be done, although I only use 3 NICs.
How have you applied your rules?
Have you amended each NIC so that it contains the correct LAT details?
What do you see in the ISA GUI log when attempts are made from the other internal networks?
What relationship do they have to the external network - all NAT?
What client: SecureNAT? Web proxy? ISA firewall client?
Have you applied the supportability patch for ISA 2006 yet?
HTTP timeout settings? Not relevant.

 
Dinus (Author) commented:
Thank you Keith for your answer.

My rule says: Allow HTTP & HTTPS From Internal1 & Internal2 & Internal3 to WPA domain name set for All Users. Domain Set contains wpa.one.microsoft.com
My reply rule says Allow HTTP & HTTPS from External to Internal1 & Internal2 & Internal3 for all users.

I didn't alter my LAT entries. Could you please give me a hint in this direction?

On connection attempt my ISA log says: HTTPS Connection initiated from Internal2 to External. In about 20 seconds I'm getting another message in my log saying that there was no reply from wpa.one.microsoft.com and that the connection has been terminated.

All my network relations are ROUTE.

All internal networks are configured with Web Proxy for HTTP. The HTTPS proxy filter is not enabled.

I didn't know about the supportability patch for ISA 2006. I'll start looking for it.
 
Keith Alabaster (Enterprise Architect) commented:
Sure - open the ISA GUI, select Configuration - Networks.

Double-click each network in turn (excluding Local Host and External).
Check out the Addresses tab (Local Address Table, AKA LAT).
Each LAT should only have the IP addresses associated with that particular NIC.

All route? So what is performing your NAT translations?

Supportability pack is here
http://support.microsoft.com/?kbid=939455

Need to see the log entry, please.
Once you have the pack installed, you will see another level appear at the bottom of the logging screen - let's get some detail :)
 
Keith Alabaster (Enterprise Architect) commented:
PS - It needs a reboot.
 
Dinus (Author) commented:
Keith,

My LAT entries are fine.

I don't have NAT translations since there's a CISCO router after my ISA server which does NAT.

I installed the patch. Thanks for the link. I still cannot run my "telnet wpa.one.microsoft.com 443" command from my Network #2. Below is the log:

My middle log window shows:
Protocol: HTTPS
Action: Initiated Connection
Rule: UnAuth_Web_Requests
Result Code: 0x0 ERROR_SUCCESS
Source Network: Internal2
Destination Network: External.
-----------------------------------------
Bottom log window:

Initiated Connection ISAGW 2/11/2008 4:59:15 PM
Log type: Firewall service
Status:  
Rule: UnAuth_Web_Requests
Source: Internal2 (192.168.202.2:1240)
Destination: External (131.107.115.254:443)
Protocol: HTTPS
User:  
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.168.202.2
Client agent:
 
Thank you.
 
Keith Alabaster (Enterprise Architect) commented:
Can you supply both an ipconfig /all and a route print from the ISA, please?

Does the Cisco have a static route applied so it knows how to get back to ALL of your internal networks, i.e. the ones on the other side of the ISA external NIC?
 
Dinus (Author) commented:
Thank you very much Keith!
All the static routes in the Cisco are configured properly, but there was a missing NAT rule. I added "Permit 192.168.202.0 0.0.0.255 any ip" to my Cisco and my telnet command started to connect from the Internal2 network.
There is something I don't understand though. Internet access was working fine from all the internal networks without that Cisco NAT rule!
I appreciate your help!
 
Keith Alabaster (Enterprise Architect) commented:
Doesn't sound like a NAT rule issue, more a permit on the ACL. I noted in your log entry that the source was internal and the destination was an external address, so the next step was to test to the internal NIC of the Cisco, just to prove it was actually leaving ISA. As I am sure you know, by default with no ACL, all traffic is permitted to pass - once you put an ACL on, it's only the specified traffic (source/destination) that is permitted, with the default deny any any appended regardless. As you have added the 192.168.202.0 subnet, have you had to add the same for network #3's subnet?
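The ACL behaviour Keith describes above (first matching entry wins, implicit deny any at the end, one permit per source subnet), as an added example that is not part of the thread. It assumes the router's permit line selects which source networks pass, that proxied HTTP leaves ISA from its external NIC on the 192.168.111.0 network (the constructed address 192.168.111.10) while routed HTTPS keeps the original client IP 192.168.202.2 from the log, and that Internal3 uses a constructed 192.168.203.0/24.

```python
import ipaddress

# Constructed sample addresses (only 192.168.202.2 appears in the thread's log).
ISA_EXTERNAL_IP = "192.168.111.10"   # assumed ISA external NIC, source of proxied HTTP
INTERNAL2_CLIENT = "192.168.202.2"   # original client IP from the ISA log
INTERNAL3_CLIENT = "192.168.203.2"   # hypothetical Internal3 client


def parse_entry(line):
    """Parse 'permit ip <net> <wildcard> any' (also the thread's word order).
    Returns (action, network_int, wildcard_int); only the source is modelled."""
    tokens = line.lower().split()
    action = tokens[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action}")
    rest = [t for t in tokens[1:] if t != "ip"]
    if rest[0] == "any":
        return action, 0, 0xFFFFFFFF
    return action, int(ipaddress.IPv4Address(rest[0])), int(ipaddress.IPv4Address(rest[1]))


def matches(src_ip, network, wildcard):
    # Cisco wildcard: bits set to 1 are "don't care", so compare the other bits only.
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src_ip)) & care) == (network & care)


def evaluate(acl_lines, src_ip):
    """First matching entry wins; with no match the implicit 'deny any' applies."""
    for line in acl_lines:
        action, network, wildcard = parse_entry(line)
        if matches(src_ip, network, wildcard):
            return action
    return "deny"


# Before the fix the ACL only covers the ISA external network, so proxied HTTP
# passes but routed HTTPS from 192.168.202.2 hits the implicit deny.
ACL_BEFORE = ["permit ip 192.168.111.0 0.0.0.255 any"]
ACL_AFTER = ACL_BEFORE + ["permit 192.168.202.0 0.0.0.255 any ip"]  # line from the thread


def outcomes(acl_lines):
    return {
        "http_via_proxy": evaluate(acl_lines, ISA_EXTERNAL_IP),
        "https_internal2": evaluate(acl_lines, INTERNAL2_CLIENT),
        "https_internal3": evaluate(acl_lines, INTERNAL3_CLIENT),
    }


if __name__ == "__main__":
    print("before:", outcomes(ACL_BEFORE))
    print("after: ", outcomes(ACL_AFTER))
```

Internal3 stays denied after the fix, which is exactly why Keith asks whether network #3's subnet needed its own entry.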
 
Keith Alabaster (Enterprise Architect) commented:
Thanks for the points though - always welcome :)
 
Dinus (Author) commented:
Yes. I added the same NAT rule for the Internal3 network and I was able to access HTTPS.
I would be interested as well in making sure that the NAT rule I created solved the problem. I have an IIS set up on the outside network (192.168.111.0, the external network to ISA and internal to the Cisco). I will enable IIS on 443 (I hope I don't need to install a certificate for that), will remove the just-created NAT rules from the Cisco and will try my telnet command again from the Internal2 and Internal3 networks. I'll post the results.
Thank you.
 
Dinus (Author) commented:
Hi Keith.
I promised to post my test results.
I removed the Internal2 and Internal3 NAT rules from the Cisco and I was able to telnet to port 443 on the ISA external network (not outside the Cisco). At the same time I could access the internet outside the Cisco from Internal2 and Internal3. I was even able to access my Gmail account at gmail.com (which goes HTTPS after logging in). I could not run "telnet gmail.com 443" though from the Internal2 and Internal3 networks.
To me it's still a mystery, which is possibly related to the fact that HTTP goes through the Web Proxy while HTTPS does not.
Anyway, my Windows XP stations can activate now from the Internal2 and Internal3 networks after entering those NAT rules into the Cisco.

Best Regards.

Dinu.
 
Keith Alabaster (Enterprise Architect) commented:
Thanks for the update Dinu, but I still think you have entered Access Control List (ACL) statements rather than NAT statements. Glad it is doing what you want even if we are not 100% clear on it.

Regards

Keith
