• Status: Solved

ISA Server 2006 SP1 Enterprise using non-standard SSL port

I have been using ISA Server 2006 for about 2.5 years. I am trying to publish a web site using HTTPS://sitename.domain.com:1443. I am using the same port 1443 on the listening end and the internal server. I have the same SSL (self-signed by our CA) cert in ISA and on the internal host. I can connect to the internal host. When connecting via ISA it reports the following error:
10061 No connection could be made because the target machine actively refused it.
I know the internal host will accept connections on HTTPS and 1443.

It appears possible to set up SSL using 1443 in the bridging and listener.
Asked by banjo1960
2 Solutions
 
dfxdeimos commented:
If you go in the properties of the publishing rule and go to the "Bridging" tab, you can check the box next to "Redirect requests to SSL Port:" and then put the 1443 port in there.

That should take the standard SSL requests on port 443 and bridge them to that non standard port.
 
banjo1960 (Author) commented:
I thought I was setting it to listen on 1443 and send to the back end on 1443. Can you please see the attached showing my bridging and listener config? Thanks!
isa-config.zip
 
Keith Alabaster commented:
www.isatools.org - pick ISA 2006, then use the Tunnel Port Range Extender by Jim Harrison.

Download the .js file and save it on the C:\ drive of the ISA.
Drop out to a C:\ prompt using Start - Run - cmd on the ISA box, or wherever on the ISA server you ended up putting the file.
Type in:
isa_tpr.js /add port1433 1443

Follow the little prompts and exit.

Stop and restart the ISA firewall services or reboot the ISA box. Job done.

Keith
 
dfxdeimos commented:
Yes, those seem to be the correct settings.

Have you installed the certificate on the ISA tab? If you are going to be modifying the traffic (by bridging it) the ISA server is going to have to have the certificate installed on it.
 
dfxdeimos commented:
@ Keith_Alabaster

Can you explain why he would need to use a "tunnel port range extender" third party tool, and couldn't use native bridging?
 
banjo1960 (Author) commented:
The SSL cert is installed on the ISA and the internal web server.
 
banjo1960 (Author) commented:
I am picking this up Monday morning. Thanks for the help. I read about a tunnel port extender for 2004 but did not think it was required. I am open to that if it must be done for this to run.
 
Keith Alabaster commented:
For SSL, ISA only supports 443 natively, regardless of the rules you put in. The port range tunnel extender is exactly what it says - it extends the port range allowed to create an SSL tunnel. The option I gave is for a single port, but you could just as easily have used:

isa_tpr.js /add newports 1433 1700

This would now allow SSL on all ports between 1433 and 1700, plus 443 of course. Just remember to stop and restart all the ISA services, or just reboot the box afterwards, otherwise it will not take effect.
 
Keith Alabaster commented:
Jim Harrison is Microsoft's primary System Engineer for ISA Server. If you ever log a call that the TechNet team or the guys on the end of a Microsoft incident cannot resolve, then if you are very, very lucky it might get escalated to Jim.
The tool works for ISA 2004 and ISA 2006.

Third-party tool? That tool is a mainstay of ISA support used within Microsoft for this exact issue, when people report that they cannot use SSL ports outside of the default 443.

Whether it will fix the issue for inbound publishing rules is open for debate - I have only used it for outbound, but hey, your call. I have been wrong before and probably will be in the future, so you can take my advice and see if it helps, or leave it; up to you completely :)

Keith
ISA MVP/MCT
 
dfxdeimos commented:
Thanks for the explanation.

Third-party tool is an appropriate description of it; it doesn't have a negative connotation and simply means "someone other than the principals".
 
banjo1960 (Author) commented:
I plan to try the tool today. I will post an update. Thanks.
 
banjo1960 (Author) commented:
I ran the js as you described. I restarted each ISA server. I ran it with the /show option just to verify. The connection still fails. I see something else. The internal connection is doing a GET to HTTP instead of HTTPS. The ISA log is below:

Failed Connection Attempt GCSISA02 4/20/2009 3:47:29 PM
Log type: Web Proxy (Reverse)
Status: 10061 No connection could be made because the target machine actively refused it.
Rule: web publishing
Source: External (10.50.0.105)
Destination: (lawsonoutside.greenville.k12.sc.us 10.1.0.20:1443)
Request: GET http://lawsonoutside.greenville.k12.sc.us/punchout/
Filter information: Req ID: 0201b4be
Protocol: https
User: anonymous
0
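The log entry quoted in the post above carries two separate clues: the Winsock status 10061 (the backend refused the TCP connection on 10.1.0.20:1443, so nothing was listening there or a filter blocked it) and a bridged request URL that starts with http:// even though the listener protocol is https. The following Python script is an added example, not code from the thread, from Microsoft or from isatools.org; it parses the multi-line "Failed Connection Attempt" format exactly as shown above and flags both conditions. The hostname, ISA server name and IP addresses in the embedded sample are constructed placeholders standing in for the values in the original log.

```python
"""Triage helper for ISA Server 2006 Web Proxy (Reverse) log entries.

Added example (not from the original thread). It parses the multi-line
"Failed Connection Attempt" block format quoted in the thread and applies
two checks an ISA admin would make while debugging a non-standard SSL
publishing port:

  1. Winsock 10061 ("actively refused") means nothing accepted the TCP
     connection on the destination host:port. That is a listener or port
     problem on the backend, not a certificate problem.
  2. If the logged Protocol is https but the bridged Request URL is
     http://..., ISA is sending plaintext HTTP to a port that expects TLS
     (a bridging / SSL-port mismatch in the publishing rule).
"""
import re
from urllib.parse import urlsplit

# Constructed sample: same layout as the log quoted in the thread, with
# placeholder server name, hostname and addresses.
SAMPLE_LOG = """\
Failed Connection Attempt ISA01 4/20/2009 3:47:29 PM
Log type: Web Proxy (Reverse)
Status: 10061 No connection could be made because the target machine actively refused it.
Rule: web publishing
Source: External (192.0.2.105)
Destination: (app.example.test 10.1.0.20:1443)
Request: GET http://app.example.test/punchout/
Filter information: Req ID: 0201b4be
Protocol: https
User: anonymous
"""

# "(hostname ip:port)" as written in the Destination field
DEST_RE = re.compile(r"\(?(?P<host>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\)?")


def parse_entry(text):
    """Turn one log block into a dict. The first line is the event header
    (event name, ISA server name, timestamp); the rest are "Key: value"."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    entry = {"event": lines[0]}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        entry[key.strip().lower()] = value.strip()

    # Status is "<winsock code> <message>"
    code, _, message = entry.get("status", "").partition(" ")
    entry["status_code"] = int(code) if code.isdigit() else None
    entry["status_message"] = message

    m = DEST_RE.search(entry.get("destination", ""))
    if m:
        entry["dest_host"] = m.group("host")
        entry["dest_ip"] = m.group("ip")
        entry["dest_port"] = int(m.group("port"))

    # Request is "<method> <url>"; the URL scheme is what the backend sees
    method, _, url = entry.get("request", "").partition(" ")
    entry["method"] = method
    entry["request_url"] = url
    entry["request_scheme"] = urlsplit(url).scheme.lower() if url else ""
    return entry


def triage(entry):
    """Return a list of findings (strings) for a parsed entry; empty if clean."""
    findings = []
    if entry.get("status_code") == 10061:
        findings.append(
            "WSAECONNREFUSED (10061): %s:%s refused the TCP connection; "
            "confirm the backend listens on that port and nothing filters it"
            % (entry.get("dest_ip"), entry.get("dest_port")))
    proto = entry.get("protocol", "").lower()
    if proto == "https" and entry.get("request_scheme") == "http":
        findings.append(
            "scheme mismatch: listener protocol is https but the bridged "
            "request is http://; check the rule's Bridging tab / SSL port")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_entry(SAMPLE_LOG)):
        print("-", finding)
```

Run it as-is to see both findings for the constructed sample; to use it on real exports, paste one log block per call into `parse_entry`. The two checks are deliberately independent: a 10061 with matching schemes points at the backend host (as turned out to be the case later in this thread), while a scheme mismatch with no 10061 points at the ISA rule configuration.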
 
banjo1960 (Author) commented:
Thanks for helping me verify the ISA rule config and pointing me to the isatools.org js for adding the port range. In the process we also had a backend server problem which we resolved. The application works.