Solved

isa2004 blocking tunnelled ssl

Posted on 2010-11-30
1,305 Views
Last Modified: 2012-06-21
we have an application client that uses http80 then tunnels ssl. we had to rebuild our isa 2004. this is a state testing program. it is not working as the isa server is failing the connection. our isa server is an enterprise setup. when i attempt to add a secure publishing web rule the isa server says that the enterprise rule does not allow this. i have been over the isa configuration and can not find anywhere that allows me to enable adding the rules. I also am not able to enable ssl tunneling. anyone with direction, it will be greatly appreciated. thanks
Question by:brianpcollins
14 Comments
 

Expert Comment

by:kn0wit
ID: 34242811
Not sure, but this might help:
(From ISAServer.org)
You can download the .NET application, ISATpre.zip file at http://www.isatools.org/ISAtrpe.zip (written by Steven Soekrasno) from the www.isatools.org site and install the application on the ISA firewall. This application provides an easy to use graphical interface that allows you to extend the SSL tunnel port range. Just enter the first port and last port you want to include in the SSL tunnel port range in the LowPort and HighPort text boxes and click the Add Tunnel Range button. Then click the Refresh button to see the new SSL tunnel port range in the list.
Note that if you have unbound the Web Proxy filter from the HTTP protocol, then Firewall and SecureNAT client connections made through the ISA firewall will not be redirected to the Web Proxy Filter. In this case, you can create a Protocol Definition for the alternate SSL port and then create an Access Rule allowing outbound access to that protocol.
Expert Comment

by:simonlimon
ID: 34242859
does it use port 443 for ssl, or is it another port?

can you get the session state.

isa console logs and reporting, logging tab.

what does it say if you capture the relevant traffic?
Author Comment

by:brianpcollins
ID: 34243610
thanks for the input. currently the isa server is configured as an enterprise, so adding a secure web publishing rule i have not been able to do. i have not been able to find the spot that allows you to check the box that addresses web presentation. what i see when monitoring the firewall is that the application uses http80 to start the connection, then attempts to do tunnelled ssl, and it is at that point the isa server shows the ssl tunnel connection failed. i am hesitant to download a 3rd party program to configure the isa server. i do appreciate the suggestion however
Expert Comment

by:simonlimon
ID: 34243654
how is the application published as server publishing or web publishing rule?
Author Comment

by:brianpcollins
ID: 34244062
the application is a washington state online testing app. while monitoring isa traffic filtered on the ip# of the test pc, i see a connection to the external ip#, port 443; protocol=ssl-tunnel; action=failed connection attempt; rule=enterprise name-http; so it appears that the ssl tunnel protocol is not enabled on the enterprise http rule. i have been thru all the tabs on the properties of the enterprise http rule: action=allow; protocol=all outbound; from=local; all networks; private ip range; to=external; local; all networks; private ip range; condition=all users
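As an added illustration, not code from this thread or from any ISA tool, the script below parses constructed log lines in the field=value style quoted above (protocol=ssl-tunnel; action=failed connection attempt; rule=...) and checks each failed tunnel's destination port against the Web Proxy filter's SSL tunnel port range that kn0wit's comment describes extending. The log layout is assumed, and the default range of 443 and 563 is an assumption about ISA 2004 defaults; a port-range mismatch is only one of several reasons a tunnel can fail, as the 443 entry shows.

```python
import re
from collections import Counter

# Assumed default SSL tunnel port range of the Web Proxy filter (443 and 563).
# Extending the range with a tool such as the one kn0wit mentions adds tuples here.
DEFAULT_TUNNEL_RANGES = [(443, 443), (563, 563)]

# Constructed sample lines in the "field=value;" style quoted in the thread.
SAMPLE_LOG = """\
client=10.1.1.50; dest=203.0.113.10; port=443; protocol=ssl-tunnel; action=failed connection attempt; rule=enterprise name-http
client=10.1.1.50; dest=203.0.113.10; port=80; protocol=http; action=allowed connection; rule=enterprise name-http
client=10.1.1.51; dest=203.0.113.20; port=8443; protocol=ssl-tunnel; action=failed connection attempt; rule=enterprise name-http
client=10.1.1.52; dest=198.51.100.5; port=443; protocol=ssl-tunnel; action=initiated connection; rule=enterprise name-http
"""

FIELD_RE = re.compile(r"(\w+)=([^;]+)")


def parse_line(line):
    """Turn one 'key=value; key=value' log line into a dict of stripped values."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def port_in_tunnel_range(port, ranges=DEFAULT_TUNNEL_RANGES):
    """True if a CONNECT to this port falls inside the configured tunnel ranges."""
    return any(lo <= port <= hi for lo, hi in ranges)


def triage(log_text, ranges=DEFAULT_TUNNEL_RANGES):
    """Count failed ssl-tunnel attempts per (rule, port) and list the ones whose
    destination port is outside the tunnel port range, a common cause of the
    'failed connection attempt' seen on ssl-tunnel traffic."""
    failed = Counter()
    outside_range = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("protocol") != "ssl-tunnel":
            continue
        if rec.get("action") != "failed connection attempt":
            continue
        port = int(rec["port"])
        failed[(rec["rule"], port)] += 1
        if not port_in_tunnel_range(port, ranges):
            outside_range.append((rec["client"], rec["dest"], port))
    return failed, outside_range


if __name__ == "__main__":
    failed, outside = triage(SAMPLE_LOG)
    for (rule, port), n in failed.items():
        print(f"{n} failed ssl-tunnel attempt(s) on port {port} under rule '{rule}'")
    for client, dest, port in outside:
        print(f"  {client} -> {dest}:{port} is outside the tunnel port range")
```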
Expert Comment

by:simonlimon
ID: 34247038
Are you hosting or accessing this application?

From what I understand you are accessing it?
Author Comment

by:brianpcollins
ID: 34248701
The app is a client piece that accesses servers on the net. It has a test tab which goes out and verifies connectivity that is how I can trace traffic on ISA server
Expert Comment

by:simonlimon
ID: 34257403
Are you using a proxy server on the ISA?
Author Comment

by:brianpcollins
ID: 34258012
Pcs connect to a content filter the content filter connects to ISA. My testing has been pc to ISA. Currently the testing app is working there was a setting that affected ssl that I was able to adjust. I am still interested in understanding why ssl tunnel protocol shows failed connection. Thanks for your time
Expert Comment

by:simonlimon
ID: 34258080
There are several possibilities why it wouldn't work, maybe rule order. But the rule that denied it had "all protocols defined", so that is a dead end.

If you are using a web proxy, the client did not have secure proxy defined?

What did you change in SSL, maybe that is why it didn't work?
Author Comment

by:brianpcollins
ID: 34285637
thanks again for working with me on this... the app had a setting that says "use secure channel"; unchecked that, the app stopped attempting to tunnel ssl in the http 80 traffic and passed all its tests. on the pc itself, we do not proxy ssl at all; nothing is entered in the connection settings option. this standalone app picks up its settings from ie; however you can manually override them. with the use secure option checked, this app will not function thru isa; isa denies with the ssl tunnel error. we did have the dc that hosted the isa enterprise config info, so we had to rebuild it from the ground up, from memory; there is a good possibility that we missed something... however as you pointed out... we are not blocking any protocols... we have only 1 rule in place; why does it not allow ssl tunnelling? everything i have read talks about publishing a secure web app and enabling ssl tunneling, which is not what i think i need to do. thanks again..
Accepted Solution

by:
simonlimon earned 500 total points
ID: 34285796
If I were you, I would attempt to capture the logs when a browser on the same computer tries to access an SSL page on the internet; try this page: https://encrypted.google.com/

Does it display it?

Compare that with the results above?
Author Comment

by:brianpcollins
ID: 34288727
Will do Tuesday and let you know. Thanks again
Author Closing Comment

by:brianpcollins
ID: 34354795
simonlimon, thanks for the help. the test of the google site showed a blocked ssl tunnel on the isa server. I appreciate all your help. i will be building a new isa server with a newer version. I found a workaround to make the app work. thanks again.