Solved

Access denied when application tries to communicate over port 443

Posted on 2008-10-17
Last Modified: 2008-11-17
Our payroll application tries to communicate over 443 with the payroll server (outside the network) and we're getting access denied errors on the ISA logs. The firewall rule looks fine and I have recreated it with no success in resolving this problem. It looks like ISA is skipping over the rule I created.

Rule is: Allow All protocols from Internal to 1.1.1.1 by All Users.

Have tried to limit protocols to HTTP and HTTPS but that doesn't seem to make a difference either. What else can I try?

Here is the entry that fails (with some substitutions for IP and user names):

Original Client IP            Client Agent      Authenticated Client       Service  Referring Server Destination Host Name   Transport            HTTP Method    MIME Type        Object Source   Source Proxy    Destination Proxy          Bidirectional      Client Host Name    Filter Information            Network Interface           Raw IP Header   Raw Payload     GMT Log Time   Source Port            Processing Time            Bytes Sent        Bytes Received  Cache Information          Error Information            Authentication Server     Log Time           Client IP            Destination IP    Action   Destination Port URL      Protocol            Rule      Result Code      HTTP Status Code         Client Username            Source Network Destination Network            Server Name      Log Record Type
10.5.100.8         PROGRAM.EXE:3:5.0                              -                       TCP      -           -                                                                       -                                               10/17/2008 7:15:23 PM  3270     0          0          0          0x0       0x0       -            10/17/2008 12:15:23 PM 10.5.100.8         1.1.1.1            Denied Connection         443       -           HTTPS            [Enterprise] Default rule  0x800733f5 WSA_RWS_ERROR_ACCESS_DENIED                   CFS\Username      Internal            External            ISA01   Firewall
Question by:victornegri
LVL 2

Assisted Solution

by:wcoka2
wcoka2 earned 500 total points
ID: 22745329
Let's test something. What happens if you change the TO box from IP 1.1.1.1 to "External"? Are you able to access?
LVL 10

Author Comment

by:victornegri
ID: 22745352
Will try. Unfortunately, I don't have access to the accounting program so I have to wait for an accounting user to try it.
LVL 10

Author Comment

by:victornegri
ID: 22745388
OK. It worked. But what does that tell us? How can I fix it so that all users don't have access to everything now?
LVL 2

Expert Comment

by:wcoka2
ID: 22745411
I had an error like that and it was that more IPs needed permission; that's why I want to try first by allowing all external. In the logging, what filters do you have? Let's see which rule is denying access and to what IPs. Do you have any Action Filter?
LVL 10

Author Comment

by:victornegri
ID: 22745436
Yeah, action filter not equal to Connection Status. Will remove and try again.

Also have:
Log Record Type: Firewall or Web Proxy Filter
Log Time: Live
Client IP Equals 10.5.100.8
LVL 2

Expert Comment

by:wcoka2
ID: 22745462
Run the query again, and since the rule is allowing all external you'll see some other IPs that need access too. Try it.
LVL 10

Author Comment

by:victornegri
ID: 22745610
Nope. Still only shows that one IP.

Just a little background... we just installed ISA 2006 3 days ago. It seemed to be working properly the first day. Yesterday, one of the rules went screwy and I had to open that rule up to All Users. Today, this rule went nuts (granted we didn't know it didn't work until today because the accountants hadn't used it since the upgrade).
LVL 10

Author Comment

by:victornegri
ID: 22745611
Thinking I'll install SP1 tonight and see if that has any effect.
LVL 2

Expert Comment

by:wcoka2
ID: 22745643
Did you try the logging with the rule that allows all external, or with just the access to 1.1.1.1?
LVL 10

Author Comment

by:victornegri
ID: 22745878
The rule is still set to allow all external. It still didn't show anything new (other than the fact that the packets went through instead of being denied).
LVL 2

Expert Comment

by:wcoka2
ID: 22745989
What filters are you using at the logging? Can you attach the result of the query from the logging so I can check it?
LVL 10

Author Comment

by:victornegri
ID: 22746405
The only filters I'm using are:

Log Record Type: Firewall or Web Proxy Filter
Log Time: Live
Client IP Equals 10.5.100.8

These are the results of the query:

Original Client IP            Client Agent      Authenticated Client       Service  Referring Server Object Source   Source Proxy            Destination Proxy          Bidirectional      Client Host Name           Filter Information            Network Interface           Raw IP Header          Raw Payload     GMT Log Time   Source Port       Processing Time            Bytes Sent        Bytes Received            Cache Information          Authentication Server     Log Time           Client IP            Destination IP    Action   Destination Port      URL      Protocol            Rule      Result Code      HTTP Status Code         Client Username            Source Network            Destination Network       Server Name      Log Record Type            MIME Type        Destination Host Name   Transport            HTTP Method    Error Information
10.5.100.8         PROGRAM.EXE:3:5.0                              -                                                                       -                                               10/17/2008 9:44:25 PM  3590     0          0          0          0x0       -           10/17/2008 2:44:25 PM  10.5.100.8            1.1.1.1            Initiated Connection        443       -           HTTPS Test     0x0 ERROR_SUCCESS             CFS\Username      Internal  External            ISA01   Firewall -                       TCP      -           0x0
10.5.100.8                                             -                                                                       -                                               10/17/2008 9:44:27 PM  3589     0          0          0          0x0       -           10/17/2008 2:44:27 PM  10.5.100.8            10.5.10.1           Initiated Connection        1745     -           Microsoft Firewall Client (UDP)                0x0 ERROR_SUCCESS                               Internal  Local Host         ISA01   Firewall -                       UDP     -           0x0
10.5.100.8         PROGRAM.EXE:3:5.0                              -                                                                       -                                               10/17/2008 9:44:39 PM  3590     14093   18129   3915     0x0       -           10/17/2008 2:44:39 PM  10.5.100.8            1.1.1.1           Closed Connection         443       -           HTTPS  Test     0x80074e21 FWX_E_ABORTIVE_SHUTDOWN                       CFS\Username      Internal  External            ISA01   Firewall -                       TCP            -           0x0
10.5.100.8                                             -                                                                       -                                               10/17/2008 9:45:27 PM  3589     60000   3156     1374     0x0       -           10/17/2008 2:45:27 PM  10.5.100.8            10.5.10.1           Closed Connection         1745     -           Microsoft Firewall Client (UDP)                0x80074e20 FWX_E_GRACEFUL_SHUTDOWN                                 Internal  Local Host         ISA01   Firewall -                       UDP     -            0x0
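The two log excerpts in this thread (the first request denied under "[Enterprise] Default rule", the later ones handled by the "Test" rule) can be triaged mechanically. The following added example, which is not code from this thread or from ISA Server, parses a tab-separated export of the ISA firewall log and flags flows that fell through to the Default rule, meaning no explicit allow rule matched them; the column subset and the export layout are assumptions, and the sample records are constructed from the values quoted above.

```python
import csv
import io
from collections import Counter

# Constructed tab-separated export using a subset of the ISA firewall log columns.
# Field values mirror the records quoted in the thread.
SAMPLE_LOG = (
    "Log Time\tClient IP\tDestination IP\tAction\tDestination Port\tProtocol"
    "\tRule\tResult Code\tClient Username\n"
    "10/17/2008 12:15:23 PM\t10.5.100.8\t1.1.1.1\tDenied Connection\t443\tHTTPS"
    "\t[Enterprise] Default rule\t0x800733f5 WSA_RWS_ERROR_ACCESS_DENIED\tCFS\\Username\n"
    "10/17/2008 2:44:25 PM\t10.5.100.8\t1.1.1.1\tInitiated Connection\t443\tHTTPS"
    "\tTest\t0x0 ERROR_SUCCESS\tCFS\\Username\n"
    "10/17/2008 2:44:39 PM\t10.5.100.8\t1.1.1.1\tClosed Connection\t443\tHTTPS"
    "\tTest\t0x80074e21 FWX_E_ABORTIVE_SHUTDOWN\tCFS\\Username\n"
)


def parse_isa_log(text):
    """Parse a tab-separated ISA log export (header row first) into one dict per record."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def classify(record):
    """Label a record by what the policy engine decided. A denial attributed to the
    Default rule means no explicit rule matched the flow, the symptom in the thread."""
    action, rule = record["Action"], record["Rule"]
    if action == "Denied Connection":
        return "denied_by_default_rule" if rule.endswith("Default rule") else "denied_by_rule"
    if action == "Initiated Connection":
        return "allowed_by:" + rule
    return "closed"  # Closed Connection carries a close status, not a policy decision


def triage(text):
    """Return (counts per label, descriptions of flows denied by the Default rule)."""
    records = parse_isa_log(text)
    counts = Counter(classify(r) for r in records)
    fallthrough = [
        f'{r["Client IP"]} -> {r["Destination IP"]}:{r["Destination Port"]} '
        f'{r["Protocol"]} user={r["Client Username"]} ({r["Result Code"]})'
        for r in records if classify(r) == "denied_by_default_rule"
    ]
    return counts, fallthrough


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG)[1]:
        print("no explicit allow rule matched:", line)
```

Each flagged line names the source, destination, port, protocol and user that the existing allow rule would have had to match; comparing those fields against the rule's From/To/Protocols/Users settings is the check the thread walks through by hand.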
LVL 10

Accepted Solution

by:victornegri
victornegri earned 0 total points
ID: 22835806
I installed the latest ISA 2006 Service Pack and everything started working after that. Thanks for your help.