Avatar of Tim_Lazer
Tim_LazerFlag for United Kingdom of Great Britain and Northern Ireland asked on

I am trying to configure the ISA 2006 publish website and web listener to allow HTTPS / SSL login from the external DMZ web server tot he internal web server.

ISA 2006 had limitations on the web listener per protocol and physical network port.
I already have HTTPS web listener for email OWA access setup but need an additional https / ssl link from the dmz web server (hosts the main website) so a visitor to the site can login to a web applet and access the internal secure web server.

I have tried setting up the ports 20443 and directing the traffic from the dmz web site page to the internal server but the ISA blocks the traffic.
As the above web listener for the exchange server does not function correctly and is not absolutely necessary I could remove this and setup the Publish Web Site task and link to a fresh web listener for standard HTTPS port will this work. The documented procedure on Microsoft does not work, nor the ones I have found on other sites.
Has someone set this up before and can help overcome whatever is stopping this ISA working on this aspect?
Microsoft Forefront ISA ServerSSL / HTTPS

Avatar of undefined
Last Comment

8/22/2022 - Mon
Keith Alabaster

Nothing to do with ISA2006 - that restriction is simple network basics and applies to any firewall/gateway style device.

It is not a restriction on the physical port, that is irrelevant. The restriction is on one ip address & port combination.If it is from the dmz to the internal, just put additional ip addresses on the ISA dmz interface - each can then listen to port 443.

When you publish a rule, you select the interface that will listen - on that tab you will see an addresses box. In here you can select for the interface to listen for port 443 on ALL ip addresses (default) or select individual aip addresses.

So, stick two addresses on the DMZ nic port.
publish rule 1 on 443 using 1st ip, then 2nd publishing rule on 443 using 2nd ip.

Job done

Thanks for this option I was aware of this variation and had tried it before without success but I have until this evening not been able to make the web listener and publishing rules function. It would appear some ISP network issues with their default gateways and dns issues on their side that were fixed last week have also resolved some of the problems I have had in accessing published internal sites.

The next issue is I have two sites on the internal server both requiring SSL and again having access using the same 443 port is not possible unless I add a second IP address to the nic and link each sites via the different IP addresses. Thanks for reminding me to use this option.
Keith Alabaster

2nd issue - 2nd question Tim

I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck

OK back to the first question.

The use of two IP addresses works fine for setting up the web listeners however the external firewall can only port forward HTTPS to one IP address so I am still no further forward!!!!
Keith Alabaster

I'll leave you to it then

I thought this site was about helping people!
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Keith Alabaster

What the site is about is helping people to help themselves improve and learn.  That is why I freely give my own time to respond to questions.

Your question title and your initial post asks about how to do this from the web server in the DMZ to internal servers
I have answered your question and, as you have stated, this works as you would have expected.

Now you are talking about internet access to the internal sites through an external firewall and are bringing other equipment into the mix. If you don't ask the question that you actually wanted answering, whose fault is that?

However, the reasoning is exactly the same as my first response to you. You can only have one ip address/port combination. If you have an external firewall in the mix, you will need two ip addresses on that device - each listening on the port.

The one exception (if the two web services are on the same server) is if they share the same domain name and you can use host headers to send all https requests to the web server and then the IIS service will control the allocation.


Sorry, I did not want to seem ungrateful and thank you for your further advice. Unfortunately there is only one IP address for the external firewall available and the two web services are on completely separate servers. Some in the domain and others outside of it.
As you can see I have been around this loop time and time again and was hoping someone would have a unique solution around all these restrictions.
Back to the drawing board or redesign the topology is the only solution left.

Thanks Tim

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question