• Status: Solved

Cannot surf any https sites on IE or Firefox on SBS 2008 server

We have an SBS Server 2008 running Exchange, DNS, AD and File services.  WSUS was taken off this server and is being used on another server and only updates client PCs.

When trying to get MS updates for this server, we get the 80072efd error.  After this, we found that in IE or Firefox, https sites like https://www.google.ca simply will not come up; we get the standard connection error and the option to run Windows Network Diags.  Running the Windows Network Diags says that there is a firewall in place somewhere blocking 443 access, even though the test site (Google.ca) can be pinged, and nslookup does resolve it.

The weird thing is http can be searched in both browsers.

I tried resetting IE, Firefox, both netsh for winsock and TCP stack, firewall is off on the server, everything else is fine but still https will not come up.  We use a Sonicwall TZ205 but there does not appear to be any blocks in place for it to get https traffic, and it does have a rule for its OWA port and that does work.

Need your help folks.  At a loss as to what to do.  Could removing WSUS have broken the https access?  I did follow the MS KBs on removing the WindowsUpdate AU from the registry, but it was not there to start with.  No other servers or PCs have this issue, only the SBS 2008 server.  Tried to reinstall WSUS from the Roles and got the same error as the updates basically, since it is looking for updates via https!

Your help is very much appreciated.

DG

Asked by AFIN

1 Solution

AFIN (Author) commented:
Edit:  I forgot to mention that http sites are fine.

DG

strivoli commented:
What happens when you run the command (open the Command Prompt before) "telnet www.google.com 443"?

Gerwin Jansen, EE MVE, Topic Advisor commented:
>> can be pinged, and nslookup does resolve it.
Neither ping nor nslookup uses port 443, so this gives you no information.

80072efd means that Windows Update cannot contact the MS update site through port 443.

Both browser and update error message point to the same issue: port 443 is blocked somewhere.

Were there any recent changes on your Sonicwall? Can you check its logs? It's most likely a firewall issue.

Davis McCarn (Owner) commented:
I'd look in the event viewer for any failures, especially security related ones in the system log.

Brandon (Project Manager, IT Systems and Software Design) commented:
Very strange; since this is an outgoing flow, it should be allow/allow any/any all/all on your router by default.

Check that this is still in place.

In the Sonicwall appliance, click FIREWALL>ACCESS RULES.
I like to click the matrix view and select LAN on the left and WAN at the top (traffic from your network to the internet).
You probably have one entry that is any any any allow all enabled.

If you have anything else, copy it in here and that might help find the blocking culprit.

AFIN (Author) commented:
Hi all.  Sorry for late reply.

strivoli - I did the telnet and I got a connection timeout saying it could not connect.

Gerwin Jansen - Logs show nothing.  This is very weird, and I am inclined to think it may be a firewall somewhere but I am lost as to what in particular is causing it.  WSUS was removed on this SBS some time ago as it is running on another server and may have broken it somehow, but http works fine, just https doesn't.

Brandon - Indeed, the SonicWall has the LAN to WAN rule of any any any allow all enabled.

Thx for your help guys.  Any more suggestions?

Brandon (Project Manager, IT Systems and Software Design) commented:
Ok, I saw a few entries with other people stating the same thing you have... try these if you have not already. Of course, these are dealing directly with the DNS on the box and not the firewall.

http://support.microsoft.com/kb/2508835  (doesn't mention SBS, but the original poster for this might have been on SBS 2008)

http://support.microsoft.com/kb/968372

Gerwin Jansen, EE MVE, Topic Advisor commented:
Is there some way you can bypass that SonicWall for a short test, so you can rule out (or not) whether the issue is with the SonicWall?

AFIN (Author) commented:
Brandon - thanks for those links.  However, they do not apply to this situation and I did try restarting DNS and clearing cache, etc.  This server is the AD and DNS for the LAN and provides the external internet traffic for the LAN just fine.  It is only itself that cannot get https traffic.

Gerwin Jansen - I was thinking the same thing.  Put in a test router that is completely stripped of any firewall settings except the minimum and see if https works then.  Then I would know if it's the SonicWall or the server.  That may take some time to do as I am not the principal tech assigned to the client, but will suggest it.

Having said all of this, is there a tool that will show me EXACTLY how or where the block is occurring, if indeed there is a firewall type block somewhere?  The Diagnose Connection Problems dialog IE8 throws me after failing to reach https says that it is most likely a firewall block somewhere even though it can ping https://www.google.ca, for instance.  That would be helpful.

Thanks again.

DG

Gerwin Jansen, EE MVE, Topic Advisor commented:
ping does not give you any information as I mentioned before.

Try a telnet:

telnet www.google.ca 443

what message or error do you get?

Brandon (Project Manager, IT Systems and Software Design) commented:
On your SonicWall you can go to SYSTEM>PACKET MONITOR and enter a configuration to watch your WAN port for your server's IP with 443 or https traffic.

Then start the capture and surf to a few https sites. You'll see what the status is and this will at least tell you if the firewall is even receiving the requests.

For poops and giggles I'd still change the DNS server settings to use forwarders instead of root hints to see if the root hint bug is actually on your SBS server.

AFIN (Author) commented:
Gerwin Jansen - telnet to www.google.ca 443 came back with "could not open a connection to the host on port 443. Connect failed."

Brandon - I did as you said and captured some traffic using the SonicWall monitor.  HTTP traffic shows up from the server, but absolutely no https traffic, like it's not even hitting the SonicWall.  I have been using Forwarders all along and not root hints.

Thanks again for your input.

DG

AFIN (Author) commented:
Update:  Called SonicWall support and had them verify that the router is OK and nothing strange is happening.  When you open an http site and watch the packet monitor, traffic is fine.  When https, it does not even get to the router, no traffic.

If I use the internal OWA from the server using https, no problem.  I am at a loss.

DG

Gerwin Jansen, EE MVE, Topic Advisor commented:
Can you connect using PuTTY to the SonicWall?

If so, can you try and telnet from the SonicWall  to www.google.ca 443?

AFIN (Author) commented:
Gerwin - I can ssh using PuTTY to the SonicWall but the telnet command does not work.  Says no matching command was found.  I can ping and traceroute, but there is no telnet command.

DG

Brandon (Project Manager, IT Systems and Software Design) commented:
Try this, but make sure you have no users using any internal sites including OWA links.

Open IIS on the SBS server and disable it. Totally shut down IIS. Do a restart (I would suggest you disable the IIS services).

Try HTTPS traffic. There might be some type of config issue within the SBS IIS that is capturing all HTTPS traffic from the system itself.

Another really strange thing: try restarting all routers and switches between your server and your modem. Also restart the modem... sounds funny but it could also be an issue.

Brandon (Project Manager, IT Systems and Software Design) commented:
Silly but you might want to run this tool and see if it finds anything.

http://www.microsoft.com/en-us/download/details.aspx?id=15556

AFIN (Author) commented:
Brandon - Apparently they had been through a planned power outage where all things you mentioned were shut down and rebooted.  I am having the usual tech reboot the ISP modems for good measure anyway.

Also, I did install the analyzer tool and it found nothing really wrong, some old accounts here and there that need to be removed, but nothing that would affect network or https traffic.

Thanks however.

DG

Brandon (Project Manager, IT Systems and Software Design) commented:
How about the IIS?

AFIN (Author) commented:
Brandon - I will not be able to test the IIS theory as this is in production and will have to schedule downtime.  For giggles I did try shutting down WWW in services with same result.

D

AFIN (Author) commented:
Hi all.

I decided to try a web proxy.  There is freeware called ccProxy that can run on an XP or 7 PC, etc.   For up to 3 users, you can use this as a proxy for web browsing.  I created a new Win 7 VM on the old ESX host and activated it with my own TechNet license.  It is not part of the domain, it is a stand alone with nothing - not even MS updates.  Installed ccProxy.  It has zero configuration needed.

Went on the problem server and changed the Connection properties for both IE and FF to point to this ccProxy.

Tried a https site like google.ca, and it works.  I then tried MS updates, and they work.

Conclusion - It is not the router but the OS.  Something is breaking traffic calls out for https traffic, but a proxy circumvents this so it does not use the local BMLDC OS.

I have not tried shutting down IIS yet or anything, but do you have any ideas after this?

Thanks for all your help so far.

DG
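Two findings in this thread can be reproduced with a short script: Gerwin's point that only a real TCP connect to port 443 says anything about HTTPS (ping and nslookup never touch that port, and a "Connect failed" timeout from telnet is a silent drop rather than a refusal), and the proxy experiment in the comment above, where a second machine performs the outbound connect on the server's behalf. The script below is an added example, not something posted in the thread and not ccProxy's code; the fake CONNECT proxy and the free-port helper are constructed test scaffolding so it runs offline, and www.google.ca is simply the thread's own test host.

```python
import socket
import threading
from dataclasses import dataclass
from typing import Optional


@dataclass
class PortCheck:
    host: str
    port: int
    address: Optional[str]  # resolved IP, or None when DNS failed
    result: str             # "open", "refused", "timeout", "unresolved" or "error"
    detail: str             # what the result means when troubleshooting


def check_tcp(host: str, port: int, timeout: float = 5.0) -> PortCheck:
    """Resolve the name, then attempt a real TCP connect to host:port.

    Ping (ICMP) and nslookup (DNS) never use port 443; a completed TCP
    handshake is the first evidence that the HTTPS path actually works.
    """
    try:
        family, _, _, _, sockaddr = socket.getaddrinfo(
            host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror as exc:
        return PortCheck(host, port, None, "unresolved", f"DNS lookup failed: {exc}")
    address = sockaddr[0]
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except socket.timeout:
        # SYN went out and nothing came back: a silent drop (host firewall,
        # filtering driver or upstream filter); telnet reports this as
        # "Connect failed" after its own timeout.
        return PortCheck(host, port, address, "timeout",
                         "no SYN/ACK or RST before timeout: silent drop on the path")
    except ConnectionRefusedError as exc:
        # RST came back: the peer is reachable and the path is open, but
        # nothing accepted the connection on that port.
        return PortCheck(host, port, address, "refused",
                         f"RST received, host reachable but port closed ({exc})")
    except OSError as exc:
        return PortCheck(host, port, address, "error", str(exc))
    else:
        return PortCheck(host, port, address, "open", "TCP handshake completed")
    finally:
        sock.close()


def check_via_http_proxy(proxy_host: str, proxy_port: int, target_host: str,
                         target_port: int, timeout: float = 5.0) -> PortCheck:
    """Ask an HTTP proxy to open target_host:target_port for us (CONNECT).

    The proxy machine performs the outbound connect. If this returns "open"
    while check_tcp() times out on the same target, the block is on the
    local host (its stack or filters), not on the shared router.
    """
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    try:
        request = (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
                   f"Host: {target_host}:{target_port}\r\n\r\n")
        sock.sendall(request.encode("ascii"))
        reply = b""
        while b"\r\n\r\n" not in reply:  # read the proxy's status line and headers
            chunk = sock.recv(1024)
            if not chunk:
                break
            reply += chunk
        status_line = reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
        fields = status_line.split(" ")
        if len(fields) >= 2 and fields[1] == "200":
            return PortCheck(target_host, target_port, None, "open",
                             f"proxy tunnel established ({status_line})")
        return PortCheck(target_host, target_port, None, "refused",
                         f"proxy declined the tunnel ({status_line or 'no reply'})")
    except socket.timeout:
        return PortCheck(target_host, target_port, None, "timeout",
                         "proxy did not answer CONNECT in time")
    finally:
        sock.close()


def start_fake_proxy(accept_tunnels: bool) -> int:
    """Constructed stand-in for a CONNECT proxy on 127.0.0.1 (test scaffolding,
    not ccProxy): answers one CONNECT with 200 or 403 and returns its port."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]

    def serve_one():
        conn, _ = server.accept()
        with conn, server:
            if conn.recv(4096):  # a bare TCP probe sends nothing; only answer a CONNECT
                conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n"
                             if accept_tunnels else b"HTTP/1.1 403 Forbidden\r\n\r\n")

    threading.Thread(target=serve_one, daemon=True).start()
    return port


def unused_local_port() -> int:
    """Bind and release a port so a connect to it gets an immediate RST (constructed)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    # Offline demonstration. In the thread's situation the calls would be
    # check_tcp("www.google.ca", 443) and
    # check_via_http_proxy("<ccProxy host>", <ccProxy port>, "www.google.ca", 443).
    direct = check_tcp("127.0.0.1", unused_local_port(), timeout=2.0)
    tunnelled = check_via_http_proxy("127.0.0.1", start_fake_proxy(True), "www.google.ca", 443)
    for r in (direct, tunnelled):
        print(f"{r.host}:{r.port} -> {r.result}: {r.detail}")
```

The three outcomes of check_tcp() are the ones worth telling apart on the affected server: "refused" means the packets reach the far end, "timeout" means they are being dropped before any reply, and "unresolved" means the problem is DNS rather than the port. Running the direct check and the proxied check side by side from the same box gives the comparison the ccProxy experiment produced by hand.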

Davis McCarn (Owner) commented:
34 days ago, I posted:
"I'd look in the event viewer for any failures, especially security related ones in the system log"

Brandon (Project Manager, IT Systems and Software Design) commented:
My last few posts are about the OS and particularly the SBS server settings.
I would revisit this...even though you said they do not apply, they just might and it wouldn't hurt anything.

http://support.microsoft.com/kb/2508835  (doesn't mention SBS, but the original poster for this might have been on SBS 2008)

http://support.microsoft.com/kb/968372

AFIN (Author) commented:
It was a good work around.