HTTPS traffic doesn't pass through from one of the internal networks.

My network configuration is 3 internal networks, connected to ISA Server 2006 (4 network cards in total). I need to be able to activate Windows XP machines from all of my internal networks. During activation, Windows XP is connecting to and then to . From my Internal Network #1 everything works fine. Activation doesn't work from my other 2 internal networks, despite the fact that, for test purposes, I configured all 3 of my internal networks exactly the same.
If I try the following command "telnet 443" from my Internal Network #1, it works. From my other 2 internal networks I'm getting a "Connection Failure" error.
My routing table on the ISA machine seems fine. I have only one default route, through my external interface.
I've seen the "HTTPS access through ISA 2006" article, but I didn't understand how to adjust the HTTP timeout settings, and if that setting applies globally then it's not my case, since I have it working fine from one of my networks.

Thank you.
Any help is greatly appreciated.

Keith Alabaster (Enterprise Architect) commented:
Including the wireless network, I have 6 internal networks, so it can certainly be done, although I only use 3 NICs.
How have you applied your rules?
Have you amended each NIC so that it contains the correct LAT details?
What do you see in the ISA GUI log when attempts are made from the other internal networks?
What relationship do they have to the external network - all NAT?
What client? SecureNAT? Web proxy? ISA Firewall Client?
Have you applied the supportability patch for ISA 2006 yet?
HTTP timeout settings? Not relevant.

Dinus (Author) commented:
Thank you Keith for your answer.

My rule says: Allow HTTP & HTTPS From Internal1 & Internal2 & Internal3 to WPA domain name set for All Users. Domain Set contains
My reply rule says Allow HTTP & HTTPS from External to Internal1 & Internal2 & Internal3 for all users.

I didn't alter my LAT entries. Could you please give me a hint in this direction?

On connection attempt my ISA log says: HTTPS Connection initiated from Internal2 to External. In about 20 seconds I'm getting another message in my log saying that there was no reply from and that the connection has been terminated.

All my network relations are ROUTE.

All internal networks are configured with Web Proxy for HTTP. The HTTPS proxy filter is not enabled.

I didn't know about supportability patch for isa2006. I'll start looking for it.

Keith Alabaster (Enterprise Architect) commented:
Sure - open the ISA GUI, select Configuration - Networks.

Double-click each network in turn (excluding Local Host and External).
Check out the Addresses tab (Local Address Table, AKA LAT).
Each LAT should only have the IP addresses associated with that particular NIC.

All route? So what is performing your NAT translations?

Supportability pack is here

Need to see the log entry please.
Once you have the pack installed, you will see another level appear at the bottom of the logging screen - let's get some detail :)

Keith Alabaster (Enterprise Architect) commented:
PS - It needs a reboot......
Dinus (Author) commented:

My LAT entries are fine.

I don't have NAT translations, since there's a Cisco router after my ISA server which does NAT.

I installed the patch. Thanks for the link. Still cannot run my "telnet 443" command from my Network #2. Below is the log:

My middle log window shows:
Protocol: HTTPS
Action: Initiated Connection
Rule: UnAuth_Web_Requests
Result Code: 0x0 ERROR_SUCCESS
Source Network: Internal2
Destination Network: External.
Bottom log window:

Initiated Connection ISAGW 2/11/2008 4:59:15 PM
Log type: Firewall service
Rule: UnAuth_Web_Requests
Source: Internal2 (
Destination: External (
Protocol: HTTPS
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP:
Client agent:
Thank you.

Keith Alabaster (Enterprise Architect) commented:
Can you supply both an ipconfig /all and a route print from the ISA please?

Does the Cisco have a static route applied so it knows how to get back to ALL of your internal networks, i.e. the ones on the other side of the ISA external NIC?


Dinus (Author) commented:
Thank you very much Keith!
All the static routes in the Cisco are configured properly, but there was a missing NAT rule. I added "Permit any ip" to my Cisco and my telnet command started to connect from the Internal2 network.
There is something I don't understand though. Internet access was working fine from all the internal networks without that Cisco NAT rule!
I appreciate your help!
Keith Alabaster (Enterprise Architect) commented:
Doesn't sound like a NAT rule issue, more a permit on the ACL. I noted in your log entry that the source was internal and the destination was an external address, so the next step was to test to the internal NIC of the Cisco, just to prove it was actually leaving ISA. As I am sure you know, by default with no ACL, all traffic is permitted to pass - once you put an ACL on, it's only the specified traffic (source/destination) that is permitted, with the default deny any any appended regardless. As you have added the subnet, have you had to add the same for network #3's subnet?
Keith Alabaster (Enterprise Architect) commented:
Thanks for the points though - always welcome :)
Dinus (Author) commented:
Yes. I added the same NAT rule for the Internal3 network and I was able to access HTTPS.
I would be interested as well in making sure that the NAT rule I created solved the problem. I have an IIS set up on the outside network (, the external network to ISA and internal to the Cisco). I will enable IIS on 443 (I hope I don't need to install a certificate for that), will remove the just-created NAT rules from the Cisco and will try my telnet command again from the Internal2 and Internal3 networks. I'll post the results.
Thank you.
Dinus (Author) commented:
Hi Keith.
I promised to post my test results.
I removed the Internal2 and Internal3 NAT rules from the Cisco and I was able to telnet to port 443 on the ISA external network (not outside the Cisco). At the same time I could access the internet outside the Cisco from Internal2 and Internal3. I was even able to access my GMAIL account at (which goes HTTPS after logging in). I could not run "telnet 443" though from the Internal2 and Internal3 networks.
To me it's still a mystery, which is possibly related to the fact that HTTP goes through the Web Proxy while HTTPS does not.
Anyway, my Windows XP stations can activate now from the Internal2 and Internal3 networks after entering those NAT rules into the Cisco.

Best Regards.

Keith Alabaster (Enterprise Architect) commented:
Thanks for the update Dinu but I still think you have entered Access Control list (ACL) statements rather than NAT statements. Glad it is doing what you want even if we are not 100% clear on it.
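A small model of the ACL explanation in this thread, added here as an example and not code from the thread or from either participant. It assumes constructed addresses, and it assumes that web-proxied HTTP leaves ISA from the ISA external NIC while unproxied HTTPS (SecureNAT, ROUTE relationship, no NAT on ISA) keeps the client's own source address, which is what would make HTTP work from every network while HTTPS only passed the Cisco ACL from the permitted subnet.

```python
import ipaddress

# Constructed addresses: the thread names none of the real ones.
ISA_EXTERNAL_IP = "203.0.113.10"   # ISA external NIC, on the Cisco's inside
INTERNAL1 = ipaddress.ip_network("192.168.1.0/24")
INTERNAL2 = ipaddress.ip_network("192.168.2.0/24")
INTERNAL3 = ipaddress.ip_network("192.168.3.0/24")

def outbound_source(client_ip, protocol):
    """Address the Cisco sees as the source of a flow leaving ISA (assumption).
    Web-proxied HTTP is re-originated from the ISA external NIC; HTTPS with no
    proxy filter is forwarded as a SecureNAT flow and, with ROUTE relationships
    and no NAT on ISA, keeps the client's own address."""
    return ISA_EXTERNAL_IP if protocol == "http" else client_ip

def evaluate_acl(acl, src_ip):
    """Cisco ACL semantics: top-down, first match wins, implicit deny at the end."""
    src = ipaddress.ip_address(src_ip)
    for action, network in acl:
        if src in network:
            return action
    return "deny"   # the implicit 'deny ip any any' Keith describes

# ACL as it stood: only the ISA external address and Internal1 permitted.
ACL_BEFORE = [
    ("permit", ipaddress.ip_network(ISA_EXTERNAL_IP + "/32")),
    ("permit", INTERNAL1),
]
# ACL after the two permit statements added for Internal2 and Internal3.
ACL_AFTER = ACL_BEFORE + [("permit", INTERNAL2), ("permit", INTERNAL3)]

# Constructed flows: one client per network, HTTP via proxy, HTTPS direct.
FLOWS = [
    ("192.168.1.20", "https"),
    ("192.168.2.50", "http"),
    ("192.168.2.50", "https"),
    ("192.168.3.7", "https"),
]

def check(acl):
    """Map (client, protocol) to the ACL verdict on the flow's real source."""
    return {(ip, proto): evaluate_acl(acl, outbound_source(ip, proto))
            for ip, proto in FLOWS}

if __name__ == "__main__":
    for name, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        for (ip, proto), verdict in check(acl).items():
            seen = outbound_source(ip, proto)
            print(f"{name:6} {proto:5} from {ip:13} seen as {seen:13} -> {verdict}")
```

With the original ACL the HTTP flow from Internal2 is permitted (it arrives from the ISA address) while the HTTPS flow from the same client is dropped by the implicit deny, matching the "no reply" log entry; after the added permits both pass.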

