Solved

Access denied when application tries to communicate over port 443

Posted on 2008-10-17
Last Modified: 2008-11-17
Our payroll application tries to communicate over 443 with the payroll server (outside the network) and we're getting access denied errors on the ISA logs. The firewall rule looks fine and I have recreated it with no success in resolving this problem. It looks like ISA is skipping over the rule I created.

Rule is: Allow All protocols from Internal to 1.1.1.1 by All Users.

Have tried to limit protocols to HTTP and HTTPS but that doesn't seem to make a difference either. What else can I try?

Here is the entry that fails (with some substitutions for IP and user names):

Original Client IP            Client Agent      Authenticated Client       Service  Referring Server Destination Host Name   Transport            HTTP Method    MIME Type        Object Source   Source Proxy    Destination Proxy          Bidirectional      Client Host Name    Filter Information            Network Interface           Raw IP Header   Raw Payload     GMT Log Time   Source Port            Processing Time            Bytes Sent        Bytes Received  Cache Information          Error Information            Authentication Server     Log Time           Client IP            Destination IP    Action   Destination Port URL      Protocol            Rule      Result Code      HTTP Status Code         Client Username            Source Network Destination Network            Server Name      Log Record Type
10.5.100.8         PROGRAM.EXE:3:5.0                              -                       TCP      -           -                                                                       -                                               10/17/2008 7:15:23 PM  3270     0          0          0          0x0       0x0       -            10/17/2008 12:15:23 PM 10.5.100.8         1.1.1.1            Denied Connection         443       -           HTTPS            [Enterprise] Default rule  0x800733f5 WSA_RWS_ERROR_ACCESS_DENIED                   CFS\Username      Internal            External            ISA01   Firewall
Question by:victornegri
13 Comments
 
LVL 2

Assisted Solution

by:wcoka2
wcoka2 earned 2000 total points
ID: 22745329
Let's test something. What happens if you change the TO box from IP 1.1.1.1 to "External"? Are you able to access?
0
 
LVL 10

Author Comment

by:victornegri
ID: 22745352
Will try. Unfortunately, I don't have access to the accounting program so I have to wait for an accounting user to try it.
0
 
LVL 10

Author Comment

by:victornegri
ID: 22745388
OK. It worked. But what does that tell us? How can I fix it so that all users don't have access to everything now?
0
 
LVL 2

Expert Comment

by:wcoka2
ID: 22745411
I had an error like that and it was that more IPs needed permission; that's why I want to try first by allowing all external. At the logging, what filters do you have? Let's see which rule is denying access and to what IPs. Do you have any Action Filter?
0
 
LVL 10

Author Comment

by:victornegri
ID: 22745436
Yeah, action filter not equal to Connection Status. Will remove and try again.

Also have:
Log Record Type: Firewall or Web Proxy Filter
Log Time: Live
Client IP Equals 10.5.100.8
0
 
LVL 2

Expert Comment

by:wcoka2
ID: 22745462
Run the query again, and since the rule is allowing all external you'll see some other IPs that need access too. Try it.




0
 
LVL 10

Author Comment

by:victornegri
ID: 22745610
Nope. Still only shows that one IP.

Just a little background... we just installed ISA 2006 3 days ago. It seemed to be working properly the first day. Yesterday, one of the rules went screwy and I had to open that rule up to All Users. Today, this rule went nuts (granted we didn't know it didn't work until today because the accountants hadn't used it since the upgrade).
0
 
LVL 10

Author Comment

by:victornegri
ID: 22745611
Thinking I'll install SP1 tonight and see if that has any effect.
0
 
LVL 2

Expert Comment

by:wcoka2
ID: 22745643
Did you try the logging with the rule that allows all external or with just the access to the 1.1.1.1?
0
 
LVL 10

Author Comment

by:victornegri
ID: 22745878
The rule is still set to allow all external. It still didn't show anything new (other than the fact that the packets went through instead of being denied).
0
 
LVL 2

Expert Comment

by:wcoka2
ID: 22745989
What filters are you using at the logging? Can you attach the result of the query from the logging to check it?
0
 
LVL 10

Author Comment

by:victornegri
ID: 22746405
The only filters I'm using are:

Log Record Type: Firewall or Web Proxy Filter
Log Time: Live
Client IP Equals 10.5.100.8

These are the results of the query:

Original Client IP            Client Agent      Authenticated Client       Service  Referring Server Object Source   Source Proxy            Destination Proxy          Bidirectional      Client Host Name           Filter Information            Network Interface           Raw IP Header          Raw Payload     GMT Log Time   Source Port       Processing Time            Bytes Sent        Bytes Received            Cache Information          Authentication Server     Log Time           Client IP            Destination IP    Action   Destination Port      URL      Protocol            Rule      Result Code      HTTP Status Code         Client Username            Source Network            Destination Network       Server Name      Log Record Type            MIME Type        Destination Host Name   Transport            HTTP Method    Error Information
10.5.100.8         PROGRAM.EXE:3:5.0                              -                                                                       -                                               10/17/2008 9:44:25 PM  3590     0          0          0          0x0       -           10/17/2008 2:44:25 PM  10.5.100.8            1.1.1.1            Initiated Connection        443       -           HTTPS Test     0x0 ERROR_SUCCESS             CFS\Username      Internal  External            ISA01   Firewall -                       TCP      -           0x0
10.5.100.8                                             -                                                                       -                                               10/17/2008 9:44:27 PM  3589     0          0          0          0x0       -           10/17/2008 2:44:27 PM  10.5.100.8            10.5.10.1           Initiated Connection        1745     -           Microsoft Firewall Client (UDP)                0x0 ERROR_SUCCESS                               Internal  Local Host         ISA01   Firewall -                       UDP     -           0x0
10.5.100.8         PROGRAM.EXE:3:5.0                              -                                                                       -                                               10/17/2008 9:44:39 PM  3590     14093   18129   3915     0x0       -           10/17/2008 2:44:39 PM  10.5.100.8            1.1.1.1           Closed Connection         443       -           HTTPS  Test     0x80074e21 FWX_E_ABORTIVE_SHUTDOWN                       CFS\Username      Internal  External            ISA01   Firewall -                       TCP            -           0x0
10.5.100.8                                             -                                                                       -                                               10/17/2008 9:45:27 PM  3589     60000   3156     1374     0x0       -           10/17/2008 2:45:27 PM  10.5.100.8            10.5.10.1           Closed Connection         1745     -           Microsoft Firewall Client (UDP)                0x80074e20 FWX_E_GRACEFUL_SHUTDOWN                                 Internal  Local Host         ISA01   Firewall -                       UDP     -            0x0
0
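Added example, not part of the original thread: the check the posters do by eye in the ISA log viewer (which rule handled each connection, and to which destinations), written as a Python script over a log export. It assumes a tab-separated export with a header row using the column names shown in the thread; the sample rows are constructed from the entries quoted above, and `summarize`, `fell_through` and `rules_for` are hypothetical helper names. A denial attributed to the default rule means no access rule matched the request.

```python
import csv
import io
from collections import Counter

# Constructed sample (tab-separated, header row), reduced to the columns used
# below; values are taken from the log entries quoted in the thread.
SAMPLE_LOG = "\n".join([
    "Client IP\tDestination IP\tDestination Port\tProtocol\tAction\tRule\tResult Code",
    "10.5.100.8\t1.1.1.1\t443\tHTTPS\tDenied Connection\t[Enterprise] Default rule\t0x800733f5 WSA_RWS_ERROR_ACCESS_DENIED",
    "10.5.100.8\t1.1.1.1\t443\tHTTPS\tInitiated Connection\tTest\t0x0 ERROR_SUCCESS",
    "10.5.100.8\t10.5.10.1\t1745\tMicrosoft Firewall Client (UDP)\tInitiated Connection\t\t0x0 ERROR_SUCCESS",
    "10.5.100.8\t1.1.1.1\t443\tHTTPS\tClosed Connection\tTest\t0x80074e21 FWX_E_ABORTIVE_SHUTDOWN",
])

def summarize(log_text, client_ip):
    """Count (destination IP, port, action, rule) combinations for one client."""
    reader = csv.DictReader(io.StringIO(log_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    counts = Counter()
    for row in reader:
        # Short or blank fields come back as None/""; normalise both to "".
        field = lambda name: (row.get(name) or "").strip()
        if field("Client IP") != client_ip:
            continue
        counts[(field("Destination IP"), field("Destination Port"),
                field("Action"), field("Rule"))] += 1
    return counts

def fell_through(counts):
    """Destinations denied by the default rule, i.e. matched by no access rule."""
    return sorted({(dst, port) for dst, port, action, rule in counts
                   if action.startswith("Denied") and "default rule" in rule.lower()})

def rules_for(counts, dst, port):
    """Every non-empty rule name logged for one destination and port."""
    return sorted({rule for d, p, _action, rule in counts
                   if (d, p) == (dst, port) and rule})

if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG, "10.5.100.8")
    for dst, port in fell_through(counts):
        print(f"{dst}:{port} hit the default rule; rules seen: {rules_for(counts, dst, port)}")
```

Running it over a longer export lists every destination the client was refused by the default rule, which is the list needed to narrow a temporary allow-all-External rule back to specific hosts.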
 
LVL 10

Accepted Solution

by:
victornegri earned 0 total points
ID: 22835806
I installed the latest ISA 2006 Service Pack and everything started working after that. Thanks for your help.
0

Question has a verified solution.