Solved

Access denied when application tries to communicate over port 443

Posted on 2008-10-17
Last Modified: 2008-11-17
Our payroll application tries to communicate over 443 with the payroll server (outside the network) and we're getting access denied errors on the ISA logs. The firewall rule looks fine and I have recreated it with no success in resolving this problem. It looks like ISA is skipping over the rule I created.

Rule is: Allow All protocols from Internal to 1.1.1.1 by All Users.

Have tried to limit protocols to HTTP and HTTPS but that doesn't seem to make a difference either. What else can I try?

Here is the entry that fails (with some substitutions for IP and user names):

Original Client IP            Client Agent      Authenticated Client       Service  Referring Server Destination Host Name   Transport            HTTP Method    MIME Type        Object Source   Source Proxy    Destination Proxy          Bidirectional      Client Host Name    Filter Information            Network Interface           Raw IP Header   Raw Payload     GMT Log Time   Source Port            Processing Time            Bytes Sent        Bytes Received  Cache Information          Error Information            Authentication Server     Log Time           Client IP            Destination IP    Action   Destination Port URL      Protocol            Rule      Result Code      HTTP Status Code         Client Username            Source Network Destination Network            Server Name      Log Record Type
10.5.100.8         PROGRAM.EXE:3:5.0                              -                       TCP      -           -                                                                       -                                               10/17/2008 7:15:23 PM  3270     0          0          0          0x0       0x0       -            10/17/2008 12:15:23 PM 10.5.100.8         1.1.1.1            Denied Connection         443       -           HTTPS            [Enterprise] Default rule  0x800733f5 WSA_RWS_ERROR_ACCESS_DENIED                   CFS\Username      Internal            External            ISA01   Firewall
0
Question by:victornegri
13 Comments
 
LVL 2

Assisted Solution

by:wcoka2
wcoka2 earned 500 total points
ID: 22745329
Let's test something. What happens if you change the TO box from IP 1.1.1.1 to "External"? Are you able to access?
0
 
LVL 10

Author Comment

by:victornegri
ID: 22745352
Will try. Unfortunately, I don't have access to the accounting program so I have to wait for an accounting user to try it.
0
 
LVL 10

Author Comment

by:victornegri
ID: 22745388
OK. It worked. But what does that tell us? How can I fix it so that all users don't have access to everything now?
0
 
LVL 2

Expert Comment

by:wcoka2
ID: 22745411
I had an error like that and it was that more IPs needed permission; that's why I want to try first by allowing all external. At the logging, what filters do you have? Let's see which rule is denying access and to what IPs. Do you have any Action Filter?
0
 
LVL 10

Author Comment

by:victornegri
ID: 22745436
Yeah, action filter not equal to Connection Status. Will remove and try again.

Also have:
Log Record Type: Firewall or Web Proxy Filter
Log Time: Live
Client IP Equals 10.5.100.8
0
 
LVL 2

Expert Comment

by:wcoka2
ID: 22745462
Run the query again, and since the rule is allowing all external you'll see some other IPs that need access too. Try it.
0
 
LVL 10

Author Comment

by:victornegri
ID: 22745610
Nope. Still only shows that one IP.

Just a little background... we just installed ISA 2006 3 days ago. It seemed to be working properly the first day. Yesterday, one of the rules went screwy and I had to open that rule up to All Users. Today, this rule went nuts (granted we didn't know it didn't work until today because the accountants hadn't used it since the upgrade).
0
 
LVL 10

Author Comment

by:victornegri
ID: 22745611
Thinking I'll install SP1 tonight and see if that has any effect.
0
 
LVL 2

Expert Comment

by:wcoka2
ID: 22745643
Did you try the logging with the rule that allows all external or with just the access to the 1.1.1.1?
0
 
LVL 10

Author Comment

by:victornegri
ID: 22745878
The rule is still set to allow all external. It still didn't show anything new (other than the fact that the packets went through instead of being denied).
0
 
LVL 2

Expert Comment

by:wcoka2
ID: 22745989
What filters are you using at the logging? Can you attach the result of the query from the logging to check it?
0
 
LVL 10

Author Comment

by:victornegri
ID: 22746405
The only filters I'm using are:

Log Record Type: Firewall or Web Proxy Filter
Log Time: Live
Client IP Equals 10.5.100.8

These are the results of the query:

Original Client IP            Client Agent      Authenticated Client       Service  Referring Server Object Source   Source Proxy            Destination Proxy          Bidirectional      Client Host Name           Filter Information            Network Interface           Raw IP Header          Raw Payload     GMT Log Time   Source Port       Processing Time            Bytes Sent        Bytes Received            Cache Information          Authentication Server     Log Time           Client IP            Destination IP    Action   Destination Port      URL      Protocol            Rule      Result Code      HTTP Status Code         Client Username            Source Network            Destination Network       Server Name      Log Record Type            MIME Type        Destination Host Name   Transport            HTTP Method    Error Information
10.5.100.8         PROGRAM.EXE:3:5.0                              -                                                                       -                                               10/17/2008 9:44:25 PM  3590     0          0          0          0x0       -           10/17/2008 2:44:25 PM  10.5.100.8            1.1.1.1            Initiated Connection        443       -           HTTPS Test     0x0 ERROR_SUCCESS             CFS\Username      Internal  External            ISA01   Firewall -                       TCP      -           0x0
10.5.100.8                                             -                                                                       -                                               10/17/2008 9:44:27 PM  3589     0          0          0          0x0       -           10/17/2008 2:44:27 PM  10.5.100.8            10.5.10.1           Initiated Connection        1745     -           Microsoft Firewall Client (UDP)                0x0 ERROR_SUCCESS                               Internal  Local Host         ISA01   Firewall -                       UDP     -           0x0
10.5.100.8         PROGRAM.EXE:3:5.0                              -                                                                       -                                               10/17/2008 9:44:39 PM  3590     14093   18129   3915     0x0       -           10/17/2008 2:44:39 PM  10.5.100.8            1.1.1.1           Closed Connection         443       -           HTTPS  Test     0x80074e21 FWX_E_ABORTIVE_SHUTDOWN                       CFS\Username      Internal  External            ISA01   Firewall -                       TCP            -           0x0
10.5.100.8                                             -                                                                       -                                               10/17/2008 9:45:27 PM  3589     60000   3156     1374     0x0       -           10/17/2008 2:45:27 PM  10.5.100.8            10.5.10.1           Closed Connection         1745     -           Microsoft Firewall Client (UDP)                0x80074e20 FWX_E_GRACEFUL_SHUTDOWN                                 Internal  Local Host         ISA01   Firewall -                       UDP     -            0x0
0
 
LVL 10

Accepted Solution

by:
victornegri earned 0 total points
ID: 22835806
I installed the latest ISA 2006 Service Pack and everything started working after that. Thanks for your help.
0
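Added example, not part of the original thread: one way to carry out the check discussed above (which rule is denying access, and to which IPs) on a log viewer export. A denial logged against the Default rule means no earlier rule matched the request. The script assumes the results were saved as tab-separated text with a header row; the function names, the sample rows and the second destination 192.0.2.10 are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample export (tab-separated, header row first). Column names are
# a subset of those in the thread; 192.0.2.10 is an invented second destination.
SAMPLE = "\n".join([
    "Client IP\tDestination IP\tAction\tDestination Port\tProtocol\tRule\tResult Code",
    "10.5.100.8\t1.1.1.1\tDenied Connection\t443\tHTTPS\t[Enterprise] Default rule\t0x800733f5 WSA_RWS_ERROR_ACCESS_DENIED",
    "10.5.100.8\t1.1.1.1\tDenied Connection\t443\tHTTPS\t[Enterprise] Default rule\t0x800733f5 WSA_RWS_ERROR_ACCESS_DENIED",
    "10.5.100.8\t192.0.2.10\tDenied Connection\t443\tHTTPS\t[Enterprise] Default rule\t0x800733f5 WSA_RWS_ERROR_ACCESS_DENIED",
    "10.5.100.8\t1.1.1.1\tInitiated Connection\t443\tHTTPS\tTest\t0x0 ERROR_SUCCESS",
])

def parse_export(text):
    """Map each row to its header names, so column order does not matter."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    return [{k.strip(): (v or "").strip() for k, v in row.items() if k}
            for row in reader]

def is_denied(row):
    """True for rows whose Action column records a denied connection."""
    return row.get("Action", "").startswith("Denied")

def denied_summary(rows):
    """Count denied connections per (rule, destination IP, port, result code)."""
    return Counter(
        (r.get("Rule", ""), r.get("Destination IP", ""),
         r.get("Destination Port", ""), r.get("Result Code", ""))
        for r in rows if is_denied(r))

def fell_through(rows):
    """Destinations denied by a default rule: no earlier rule matched them."""
    return sorted({(r.get("Destination IP", ""), r.get("Destination Port", ""))
                   for r in rows
                   if is_denied(r) and "default rule" in r.get("Rule", "").lower()})

if __name__ == "__main__":
    rows = parse_export(SAMPLE)
    for key, count in denied_summary(rows).most_common():
        print(count, *key, sep="\t")
    print("No allow rule matched:", fell_through(rows))
```

Because rows are keyed by header name, the two pastes in the thread, whose columns appear in different orders, would be read the same way.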
