Solved

SSL connection problem to a site with ISA 2004

Posted on 2010-09-21
Last Modified: 2012-05-10
Hello,

I am trying to access this website https://www.ipayables.net/ but it fails from my local network. The 3 images never load, and the same goes for the page.

I tried with firewall client disabled: does not work
I tried from my DMZ: it works
Tried from another network that does not passthrough our ISA 2004: it works

Everything points to my ISA 2004 SP3 server. I tried also from the ISA and it didn't work. When I try to access from the clients and check the ISA log I get the following:

Log type: Web Proxy (Forward)
Status: 995 The I/O operation has been aborted because of either a thread exit or an application request.  
Rule: Allow HTTP
Source: Internal ( 10.0.3.202:0)
Destination: External ( 64.79.162.158:443)
Request: www.ipayables.net:443 
Filter information: Req ID: 125c3bbc; Compression:None
Protocol: SSL-tunnel
User: anonymous
 Additional information
Client agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Object source: Internet Processing time: 0
Cache info: 0x0 MIME type:  

Is there anything I can do to fix this? BTW I have an access rule that allows traffic from Internal + localhost to the external for protocol HTTP + HTTPS.

Thank you
Question by:Vision_Globale
7 Comments
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 33730218
Do you use a web filter beside ISA Server, such as GFI WebMonitor? If so, you need to add that URL to a whitelist of URLs.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33731920
Sounds like it may be using traffic in addition to http/https for that site as part of its startup in advance of the ssl tunnel being created.
Open the rule up to allow all protocols rather than just http/https as a quick test.

If it then works then you will need to dig in to the log monitor to see what additional protocol you need to allow.

Remember to reduce your rule back to http/https + whatever the additional protocol required.
0
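An added example, not part of the original thread and not the commenter's own code: one way to do the log review suggested above, assuming the entries captured during the allow-all test are pasted as text in the same field layout as the entry quoted in the question. The sample records, the addresses 192.0.2.10 and 10.0.3.77, the test rule name and the `custom-tcp` label are constructed.

```python
import re
from collections import Counter

# Constructed sample in the field layout of the log entry quoted in the question.
# 192.0.2.10, 10.0.3.77, the test rule name and custom-tcp are made up.
SAMPLE = """\
Status: 995 The I/O operation has been aborted because of either a thread exit or an application request.
Rule: Allow HTTP
Source: Internal ( 10.0.3.202:0)
Destination: External ( 192.0.2.10:443)
Protocol: SSL-tunnel

Rule: Allow all (temporary test)
Source: Internal ( 10.0.3.202:0)
Destination: External ( 192.0.2.10:8443)
Protocol: custom-tcp

Rule: Allow all (temporary test)
Source: Internal ( 10.0.3.77:0)
Destination: External ( 192.0.2.10:8443)
Protocol: custom-tcp
"""

ENDPOINT = re.compile(r"\(\s*([\d.]+):(\d+)\s*\)")

def parse_records(text):
    """Split blank-line separated entries into dicts of field name -> value."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = (line.partition(":") for line in block.splitlines())
        records.append({k.strip(): v.strip() for k, sep, v in fields if sep})
    return records

def endpoint(value):  # 'Internal ( 10.0.3.202:0)' -> ('10.0.3.202', 0)
    m = ENDPOINT.search(value or "")
    return (m.group(1), int(m.group(2))) if m else (None, None)

def extra_protocols(records, client_ip, allowed_ports=(80, 443)):
    """Count (protocol, port) pairs from client_ip that an HTTP/HTTPS-only rule misses."""
    seen = Counter()
    for rec in records:
        src_ip, _ = endpoint(rec.get("Source"))
        _, port = endpoint(rec.get("Destination"))
        if src_ip == client_ip and port is not None and port not in allowed_ports:
            seen[(rec.get("Protocol", "unknown"), port)] += 1
    return seen

if __name__ == "__main__":
    print(extra_protocols(parse_records(SAMPLE), "10.0.3.202"))
```

Whatever this reports for the test client is the candidate list to add to the rule before narrowing it back from all protocols.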
 

Author Comment

by:Vision_Globale
ID: 33734152
Looks like the problem was with the ISA cache...
I increased the size, then rebooted outside of office hours, and the website was working.
Which brings me to my question... Do you still see a use to have the cache enabled on ISA?

I mean, back in the days when the Internet was slower I could understand that. Here we have a dedicated 100mbps line so I'm wondering if it is still needed...
0

 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 1000 total points
ID: 33736412
Personally I don't use it for the exact reason you state.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33736435
Might also be beneficial to run the ISA best practice analyser (not the FTMG version) to see if anything more untoward might have been present although a reboot would likely mask any other issues from the time of the problem.
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 1000 total points
ID: 33738695
It may have just been the reboot that got it working and had nothing to do with the Cache size.

As far as caching,...I never use it,...ever. It is always left disabled (never configured to start with). Speed difference might be debatable,...but what is a couple milliseconds among humans that cannot even perceive a couple Full seconds difference in anything anyway? But communication is certainly more dependable and has fewer failure points when caching is not used.
0
 

Author Closing Comment

by:Vision_Globale
ID: 33744265
Thank you
0
