Access denied when application tries to communicate over port 443

Our payroll application tries to communicate over 443 with the payroll server (outside the network) and we're getting access denied errors on the ISA logs. The firewall rule looks fine and I have recreated it with no success in resolving this problem. It looks like ISA is skipping over the rule I created.

Rule is: Allow All protocols from Internal to 1.1.1.1 by All Users.

Have tried to limit protocols to HTTP and HTTPS but that doesn't seem to make a difference either. What else can I try?

Here is the entry that fails (with some substitutions for IP and user names):

Original Client IP            Client Agent      Authenticated Client       Service  Referring Server Destination Host Name   Transport            HTTP Method    MIME Type        Object Source   Source Proxy    Destination Proxy          Bidirectional      Client Host Name    Filter Information            Network Interface           Raw IP Header   Raw Payload     GMT Log Time   Source Port            Processing Time            Bytes Sent        Bytes Received  Cache Information          Error Information            Authentication Server     Log Time           Client IP            Destination IP    Action   Destination Port URL      Protocol            Rule      Result Code      HTTP Status Code         Client Username            Source Network Destination Network            Server Name      Log Record Type
10.5.100.8         PROGRAM.EXE:3:5.0                              -                       TCP      -           -                                                                       -                                               10/17/2008 7:15:23 PM  3270     0          0          0          0x0       0x0       -            10/17/2008 12:15:23 PM 10.5.100.8         1.1.1.1            Denied Connection         443       -           HTTPS            [Enterprise] Default rule  0x800733f5 WSA_RWS_ERROR_ACCESS_DENIED                   CFS\Username      Internal            External            ISA01   Firewall
victornegri Asked:
wcoka2 Commented:
Let's test something. What happens if you change the To box from IP 1.1.1.1 to "External"? Are you able to access?
0
victornegri (Author) Commented:
Will try. Unfortunately, I don't have access to the accounting program so I have to wait for an accounting user to try it.
0
victornegri (Author) Commented:
OK. It worked. But what does that tell us? How can I fix it so that all users don't have access to everything now?
0
wcoka2 Commented:
I had an error like that, and it was that more IPs needed permission; that's why I want to try first by allowing all external. In the logging, what filters do you have? Let's see which rule is denying access and to what IPs. Do you have any Action filter?
0
victornegri (Author) Commented:
Yeah, action filter not equal to Connection Status. Will remove and try again.

Also have:
Log Record Type: Firewall or Web Proxy Filter
Log Time: Live
Client IP Equals 10.5.100.8
0
wcoka2 Commented:
Run the query again, and since the rule is allowing all external you'll see some other IPs that need access too. Try it.
0
victornegri (Author) Commented:
Nope. Still only shows that one IP.

Just a little background... we just installed ISA 2006 3 days ago. It seemed to be working properly the first day. Yesterday, one of the rules went screwy and I had to open that rule up to All Users. Today, this rule went nuts (granted we didn't know it didn't work until today because the accountants hadn't used it since the upgrade).
0
victornegri (Author) Commented:
Thinking I'll install SP1 tonight and see if that has any effect.
0
wcoka2 Commented:
Did you try the logging with the rule that allows all external or with just the access to 1.1.1.1?
0
victornegri (Author) Commented:
The rule is still set to allow all external. It still didn't show anything new (other than the fact that the packets went through instead of being denied).
0
wcoka2 Commented:
What filters are you using in the logging? Can you attach the result of the query from the logging to check it?
0
victornegri (Author) Commented:
The only filters I'm using are:

Log Record Type: Firewall or Web Proxy Filter
Log Time: Live
Client IP Equals 10.5.100.8

These are the results of the query:

Original Client IP            Client Agent      Authenticated Client       Service  Referring Server Object Source   Source Proxy            Destination Proxy          Bidirectional      Client Host Name           Filter Information            Network Interface           Raw IP Header          Raw Payload     GMT Log Time   Source Port       Processing Time            Bytes Sent        Bytes Received            Cache Information          Authentication Server     Log Time           Client IP            Destination IP    Action   Destination Port      URL      Protocol            Rule      Result Code      HTTP Status Code         Client Username            Source Network            Destination Network       Server Name      Log Record Type            MIME Type        Destination Host Name   Transport            HTTP Method    Error Information
10.5.100.8         PROGRAM.EXE:3:5.0                              -                                                                       -                                               10/17/2008 9:44:25 PM  3590     0          0          0          0x0       -           10/17/2008 2:44:25 PM  10.5.100.8            1.1.1.1            Initiated Connection        443       -           HTTPS Test     0x0 ERROR_SUCCESS             CFS\Username      Internal  External            ISA01   Firewall -                       TCP      -           0x0
10.5.100.8                                             -                                                                       -                                               10/17/2008 9:44:27 PM  3589     0          0          0          0x0       -           10/17/2008 2:44:27 PM  10.5.100.8            10.5.10.1           Initiated Connection        1745     -           Microsoft Firewall Client (UDP)                0x0 ERROR_SUCCESS                               Internal  Local Host         ISA01   Firewall -                       UDP     -           0x0
10.5.100.8         PROGRAM.EXE:3:5.0                              -                                                                       -                                               10/17/2008 9:44:39 PM  3590     14093   18129   3915     0x0       -           10/17/2008 2:44:39 PM  10.5.100.8            1.1.1.1           Closed Connection         443       -           HTTPS  Test     0x80074e21 FWX_E_ABORTIVE_SHUTDOWN                       CFS\Username      Internal  External            ISA01   Firewall -                       TCP            -           0x0
10.5.100.8                                             -                                                                       -                                               10/17/2008 9:45:27 PM  3589     60000   3156     1374     0x0       -           10/17/2008 2:45:27 PM  10.5.100.8            10.5.10.1           Closed Connection         1745     -           Microsoft Firewall Client (UDP)                0x80074e20 FWX_E_GRACEFUL_SHUTDOWN                                 Internal  Local Host         ISA01   Firewall -                       UDP     -            0x0
0
victornegri (Author) Commented:
I installed the latest ISA 2006 Service Pack and everything started working after that. Thanks for your help.
0
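Added example, not code from the thread or from Microsoft: a Python reader for an ISA log export that reports every flow denied by the catch-all Default rule (the last rule, hit only when no access rule matched) and names any rule that later allowed the same flow. The tab-delimited layout and the reduced column set are assumptions; the sample rows are constructed from the sanitized values posted in the thread.

```python
import csv
import io

# Constructed sample: tab-delimited export reduced to eight of the columns shown
# in the thread; values mirror the thread's sanitized rows.
SAMPLE = "\n".join("\t".join(r) for r in [
    ("Log Time", "Client IP", "Destination IP", "Destination Port",
     "Action", "Rule", "Result Code", "Client Username"),
    ("10/17/2008 12:15:23 PM", "10.5.100.8", "1.1.1.1", "443",
     "Denied Connection", "[Enterprise] Default rule",
     "0x800733f5 WSA_RWS_ERROR_ACCESS_DENIED", "CFS\\Username"),
    ("10/17/2008 2:44:25 PM", "10.5.100.8", "1.1.1.1", "443",
     "Initiated Connection", "Test", "0x0 ERROR_SUCCESS", "CFS\\Username"),
    ("10/17/2008 2:44:39 PM", "10.5.100.8", "1.1.1.1", "443",
     "Closed Connection", "Test",
     "0x80074e21 FWX_E_ABORTIVE_SHUTDOWN", "CFS\\Username"),
])


def flow_of(row):
    """Key that identifies one client-to-destination flow."""
    return (row["Client IP"], row["Destination IP"], row["Destination Port"])


def diagnose(export_text):
    """List flows denied by the Default rule and the rules that allowed them later."""
    rows = list(csv.DictReader(io.StringIO(export_text), delimiter="\t",
                               quoting=csv.QUOTE_NONE))
    findings = []
    for row in rows:
        # A deny logged against the Default rule means no access rule matched.
        if row["Action"] != "Denied Connection" or not row["Rule"].endswith("Default rule"):
            continue
        allowed_by = sorted({r["Rule"] for r in rows
                             if r["Action"] == "Initiated Connection"
                             and flow_of(r) == flow_of(row)})
        findings.append({"flow": flow_of(row), "user": row["Client Username"],
                         "denied_at": row["Log Time"], "result": row["Result Code"],
                         "allowed_by": allowed_by})
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```

An empty `allowed_by` list means the flow has never matched any allow rule in the exported window, so the rule's source, destination, protocol and user conditions are the place to look.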
