
Receiving 504 Proxy Timeout Error when trying to connect out to a HTTPS locked down URL

Last Modified: 2012-06-27
I am trying to connect out to a secured locked down https URL and receiving the following message on my browser:
Error Code: 504 Proxy Timeout. The connection timed out. For more information about this event, see ISA Server Help. (10060)
IP Address: 91.193.105.34
Date: 11/3/2011 12:49:15 PM
Server: hammett.THG.CO.UK
Source: proxy
============
This connection is being done from within the company building which currently has an ISA 2004 server acting as a Proxy Server/Gateway.

Two Questions:
Can you provide me with an example ISA 2004 Access Rule to allow access for All Internal Users to be able to connect out to https://fe-c.comte.......... please.

The website/connection host has sent me the following email:
=======================
Hi All,

Any device that uses the proxy (8080 for web traffic) will require the bypass.

The reason it doesn’t work is due to all web traffic being set to use 8080-http; our flights cluster/servers are set up to listen on port 8080-https also.

So when you hit http://www.google.co.uk, your machine talks out on port 8080 to the isa where it is then nat’d to port 80 (to work).

The issue is when you connect to ours on port 8080, the machine sends this to the ISA as http, which in turn is passed out of the network as port 80 and not port 8080.

I hope this helps.
===============
Also, do I need to configure our internal DNS server with any kind of Host record to resolve this external https:// URL? If so, can you provide me with an example of the type of DNS record needed, because I'm not sure which internal DNS zone I should place the record in, nor do I know what kind of record (Host/CNAME/etc.) to use.

Please find screen shots on the attached document.
In advance thank you for your support.
ISA-2004-https-Access-Rule.doc

Most Valuable Expert 2011

Commented:
You cannot use HTTPS and URL in the same sentence.

With HTTPS the URL is encrypted,...the Domain Name is not.  Therefore ISA can't see the URL to make decisions from it,...it can only make decisions on the Domain Name or the IP#.   So using URL Sets or anything else related strictly to URLs is simply not possible with HTTPS.  That is kinda the whole point of HTTPS,...to hide everything except the Domain Name from prying eyes, which includes the prying eyes of the Firewall or Proxy.
Most Valuable Expert 2011

Commented:
The website/connection host has sent me the following email:
=======================
Hi All,

Any device that uses the proxy (8080 for web traffic) will require the bypass.

The reason it doesn’t work is due to all web traffic being set to use 8080-http; our flights cluster/servers are set up to listen on port 8080-https also.

So when you hit http://www.google.co.uk, your machine talks out on port 8080 to the isa where it is then nat’d to port 80 (to work).

The issue is when you connect to ours on port 8080, the machine sends this to the ISA as http, which in turn is passed out of the network as port 80 and not port 8080.

I hope this helps.
===============


They are wrong on that.  Yes your browser does contact the ISA on 8080,...but that is a separate channel,...that has nothing to do with being able to reach a site on 8080.   Remember that a lot of other brands of proxy servers out on the market take their requests from browsers on port 80,...does that mean users cannot go to sites running on 80??,...of course not.

Another thing they said that is wrong,...they said:

....out on port 8080 to the isa where it is then nat’d to port 80 (to work)

It is not NAT'ed,...not at all.  NATing and Proxy are two entirely and completely different technologies and completely different technical methods.  NATing simply does a translation on the IP# and then "routes" the Packet.  Proxying completely terminates the communication,..decapsulates the packets,...does whatever processes or inspections on the payload that it is configured to do,...then generates completely new packets,...starts a completely new communication session to the destination and sends the new packets.

You're welcome to forward my entire post to them if you wish.
Most Valuable Expert 2011

Commented:
....out on port 8080 to the isa where it is then nat’d to port 80 (to work)

Furthermore NATing has nothing to do with ports.  NATing only affects IP#,...that's it,...never the Ports.
Most Valuable Expert 2011

Commented:
I just tried to go to https://fe-c.comte with my ISA and it got there just fine,..no special hoops to jump through and no cartwheels to flip.  However the server being contacted has a problem with its certificate.   Here is the result I got back.

This Connection is Untrusted

You have asked Firefox to connect securely to fe-c.comte, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

Technical Details

fe-c.comte uses an invalid security certificate.
The certificate is only valid for the following names:
  *.opendns.com , opendns.com

(Error code: ssl_error_bad_cert_domain)

If you understand what's going on, you can tell Firefox to start trusting this site's identification. Even if you trust the site, this error could mean that someone is tampering with your connection.

Don't add an exception unless you know there's a good reason why this site doesn't use trusted identification.

Most Valuable Expert 2011

Commented:
Yet another problem with them,...not with you,...with them

our flights cluster/servers are setup to listen on port 8080-https also.


HTTPS is not allowed on 8080.  It is only allowed on 443

ISA has locked HTTPS to only 443 because of the security issues of it being used on some other "odd-ball" ports.   MS's decision to do this is based on this material.  See Section "5. Security Considerations" if you're looking at the first two articles:

SSL Tunneling; Informational RFC
http://lists.w3.org/Archives/Public/ietf-http-wg-old/1997SepDec/0142.html

Tunneling SSL Through a WWW Proxy
http://muffin.doit.org/docs/rfc/tunneling_ssl.html

Vulnerability Note VU#150227
HTTP proxy default configurations allow arbitrary TCP connections
http://www.kb.cert.org/vuls/id/150227

However if you choose to you can have ISA allow HTTPS on a different port using this information:

283284 - Blank Page or Page Cannot Be Displayed When You View SSL Sites Through ISA Server
http://support.microsoft.com/default.aspx?scid=kb;en-us;283284

Managing Tunnel Port Ranges
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/managingtunnelports.mspx

GUI Tool for managing Tunnel Port Ranges
http://www.isatools.org/tools.asp?Context=ISA2004
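The two failures seen in this thread, the proxy refusing CONNECT to a non-443 port and the browser's ssl_error_bad_cert_domain for a certificate issued to *.opendns.com / opendns.com, come down to two small checks. The following Python is an added illustration of both, not code from the thread or from ISA; it assumes ISA 2004's default tunnel port range is 443 and 563, and the hostnames are taken from the posts above.

```python
"""Added example: the two checks behind the 504 and the certificate error."""
import re

# Assumed ISA 2004 default tunnel port range: only these ports may be the
# target of a browser CONNECT (extendable per the Tunnel Port Ranges docs).
DEFAULT_TUNNEL_PORTS = frozenset({443, 563})

CONNECT_RE = re.compile(
    r"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]$"
)


def tunnel_allowed(request_line: str, allowed_ports=DEFAULT_TUNNEL_PORTS) -> bool:
    """Return True if a proxy with the given tunnel port range would accept
    this CONNECT request line.  Non-CONNECT or malformed lines are refused,
    which is what the browser experiences as a failed HTTPS connection."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return False
    return int(m.group("port")) in allowed_ports


def cert_name_matches(hostname: str, cert_names) -> bool:
    """Browser-style hostname check behind ssl_error_bad_cert_domain.

    The requested host must equal one certificate name exactly (case- and
    trailing-dot-insensitive) or match a wildcard name whose '*' stands for
    exactly one leftmost label.  '*.opendns.com' therefore covers
    'www.opendns.com' but not 'opendns.com', 'a.b.opendns.com' or 'fe-c.comte'.
    """
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for raw in cert_names:
        name = raw.strip().lower().rstrip(".")
        if name == host:
            return True
        labels = name.split(".")
        wildcard_ok = (
            labels[0] == "*"
            and len(labels) >= 3            # refuse '*.com'-style wildcards
            and len(labels) == len(host_labels)
            and labels[1:] == host_labels[1:]
        )
        if wildcard_ok:
            return True
    return False
```
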


Most Valuable Expert 2011

Commented:
If those people are concerned about security they sure have a funny way of showing it,...first they use an invalid certificate for the spelling of the domain name being used,...then they try to run SSL over a non-standard port which is considered a security violation by some.
Most Valuable Expert 2011
Commented:
Ok,...wow this is just going to go on forever.  
You said:
able to connect out to https://fe-c.comte.......... please.
But that is not correct,...it is supposed to be https://fe-c.comtec-europe.net/
I didn't realize that until I looked at your file attachment.  I do not normally look at file attachments.  If I need them I'll ask for them, but 90% of the time they aren't needed.  We usually do screen shots as JPGs so they are visible directly in the posts.  We could easily be in a position to not be able to open Word Documents.

In those screen shots I have no idea what TC_FLT over TCP-8090 is supposed to be but that is not going to work over a Web Proxy Service.  The client machine must be a Firewall Client or a SecureNAT Client for that to work.
CTCRM, Infrastructure Engineer

Author

Commented:
Hi
Valuable information received from you and very much appreciated. I have thrown many of your points across to the 3rd party and between us we have resolved the connection issue. They made some firewall changes at their end and slightly reconfigured my ISA Rule, but I think it's still not the correct way of doing things.

Thank you for your support.