victornegri
asked on
Access denied when application tries to communicate over port 443
Our payroll application tries to communicate over 443 with the payroll server (outside the network) and we're getting access denied errors on the ISA logs. The firewall rule looks fine and I have recreated it with no success in resolving this problem. It looks like ISA is skipping over the rule I created.
Rule is: Allow All protocols from Internal to 1.1.1.1 by All Users.
Have tried to limit protocols to HTTP and HTTPS but that doesn't seem to make a difference either. What else can I try?
Here is the entry that fails (with some substitutions for IP and user names):
Original Client IP Client Agent Authenticated Client Service Referring Server Destination Host Name Transport HTTP Method MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Cache Information Error Information Authentication Server Log Time Client IP Destination IP Action Destination Port URL Protocol Rule Result Code HTTP Status Code Client Username Source Network Destination Network Server Name Log Record Type
10.5.100.8 PROGRAM.EXE:3:5.0 - TCP - - - 10/17/2008 7:15:23 PM 3270 0 0 0 0x0 0x0 - 10/17/2008 12:15:23 PM 10.5.100.8 1.1.1.1 Denied Connection 443 - HTTPS [Enterprise] Default rule 0x800733f5 WSA_RWS_ERROR_ACCESS_DENIED CFS\Username Internal External ISA01 Firewall
SOLUTION
ASKER
OK. It worked. But what does that tell us? How can I fix it so that all users don't have access to everything now?
I had an error like that and it was that more IPs needed permission, that's why I want to try first by allowing all external. At the logging, what filters do you have? Let's see which rule is denying access and to what IPs. Do you have any Action Filter?
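To see which rule is actually denying access and to which destinations, a small triage script over an exported ISA log is quicker than scrolling the live view. This is an added example, not code from the thread; the sample records are constructed to mirror the entries quoted in the question (1.1.1.1 standing in for the payroll server), and the export is assumed to be tab-separated with a header row of the same field names ISA shows.

```python
import csv
import io
from collections import Counter

# Constructed sample export, reduced to the fields relevant to this thread.
# Field names and values follow the log entries quoted in the question.
SAMPLE_LOG = """\
Client IP\tDestination IP\tAction\tDestination Port\tProtocol\tRule\tResult Code\tClient Username
10.5.100.8\t1.1.1.1\tDenied Connection\t443\tHTTPS\t[Enterprise] Default rule\t0x800733f5\tCFS\\Username
10.5.100.8\t1.1.1.1\tInitiated Connection\t443\tHTTPS\tTest\t0x0\tCFS\\Username
10.5.100.8\t10.5.10.1\tInitiated Connection\t1745\tMicrosoft Firewall Client (UDP)\t-\t0x0\t-
10.5.100.8\t1.1.1.1\tClosed Connection\t443\tHTTPS\tTest\t0x80074e21\tCFS\\Username
10.5.100.9\t1.1.1.1\tDenied Connection\t443\tHTTPS\t[Enterprise] Default rule\t0x800733f5\t-
"""

# Result codes that appear in the thread's log entries.
RESULT_CODES = {
    "0x0": "ERROR_SUCCESS",
    "0x800733f5": "WSA_RWS_ERROR_ACCESS_DENIED",
    "0x80074e20": "FWX_E_GRACEFUL_SHUTDOWN",
    "0x80074e21": "FWX_E_ABORTIVE_SHUTDOWN",
}


def parse_records(text):
    """Parse a tab-separated ISA log export (header row first) into dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def summarize_denials(records):
    """Count denied connections per (rule, destination, port, user).

    Grouping by the rule ISA actually matched shows whether traffic hit the
    intended allow rule or fell through to the Default rule.
    """
    counts = Counter()
    for r in records:
        if r["Action"] != "Denied Connection":
            continue
        key = (r["Rule"], r["Destination IP"], r["Destination Port"], r["Client Username"])
        counts[key] += 1
    return counts


def denied_by_default_rule(records):
    """Denied records matched by the Default rule: no allow rule above it applied."""
    return [r for r in records
            if r["Action"] == "Denied Connection" and r["Rule"].endswith("Default rule")]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for key, n in summarize_denials(recs).items():
        print(n, "denied by", key[0], "->", f"{key[1]}:{key[2]}", "user", key[3])
    for r in denied_by_default_rule(recs):
        print("fell through to Default rule:", r["Client IP"], RESULT_CODES.get(r["Result Code"], r["Result Code"]))
```

A username of "-" on a denied entry is worth noting: a rule scoped to All Users only matches sessions ISA can authenticate, so an unauthenticated connection falls to the Default rule.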
ASKER
Yeah, action filter not equal to Connection Status. Will remove and try again.
Also have:
Log Record Type: Firewall or Web Proxy Filter
Log Time: Live
Client IP Equals 10.5.100.8
Run the query again, and since the rule is allowing all external you'll see some other IPs that need access too. Try it.
ASKER
Nope. Still only shows that one IP.
Just a little background... we just installed ISA 2006 3 days ago. It seemed to be working properly the first day. Yesterday, one of the rules went screwy and I had to open that rule up to All Users. Today, this rule went nuts (granted we didn't know it didn't work until today because the accountants hadn't used it since the upgrade).
ASKER
Thinking I'll install SP1 tonight and see if that has any effect.
Did you try the logging with the rule that allows all external or with just the access to 1.1.1.1?
ASKER
The rule is still set to allow all external. It still didn't show anything new (other than the fact that the packets went through instead of being denied).
What filters are you using at the logging? Can you attach the result of the query from the logging to check it?
ASKER
The only filters I'm using are:
Log Record Type: Firewall or Web Proxy Filter
Log Time: Live
Client IP Equals 10.5.100.8
These are the results of the query:
Original Client IP Client Agent Authenticated Client Service Referring Server Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Cache Information Authentication Server Log Time Client IP Destination IP Action Destination Port URL Protocol Rule Result Code HTTP Status Code Client Username Source Network Destination Network Server Name Log Record Type MIME Type Destination Host Name Transport HTTP Method Error Information
10.5.100.8 PROGRAM.EXE:3:5.0 - - 10/17/2008 9:44:25 PM 3590 0 0 0 0x0 - 10/17/2008 2:44:25 PM 10.5.100.8 1.1.1.1 Initiated Connection 443 - HTTPS Test 0x0 ERROR_SUCCESS CFS\Username Internal External ISA01 Firewall - TCP - 0x0
10.5.100.8 - - 10/17/2008 9:44:27 PM 3589 0 0 0 0x0 - 10/17/2008 2:44:27 PM 10.5.100.8 10.5.10.1 Initiated Connection 1745 - Microsoft Firewall Client (UDP) 0x0 ERROR_SUCCESS Internal Local Host ISA01 Firewall - UDP - 0x0
10.5.100.8 PROGRAM.EXE:3:5.0 - - 10/17/2008 9:44:39 PM 3590 14093 18129 3915 0x0 - 10/17/2008 2:44:39 PM 10.5.100.8 1.1.1.1 Closed Connection 443 - HTTPS Test 0x80074e21 FWX_E_ABORTIVE_SHUTDOWN CFS\Username Internal External ISA01 Firewall - TCP - 0x0
10.5.100.8 - - 10/17/2008 9:45:27 PM 3589 60000 3156 1374 0x0 - 10/17/2008 2:45:27 PM 10.5.100.8 10.5.10.1 Closed Connection 1745 - Microsoft Firewall Client (UDP) 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN Internal Local Host ISA01 Firewall - UDP - 0x0
ASKER CERTIFIED SOLUTION