S3 browser through Microsoft forefront

I have several virtual machines whose network gateway is a Microsoft forefront server. I cannot connect to s3 storage from any of those machines.

The vm's are running server2012r2 or server2007r2, all with windows firewall completely turned off.

If I change a gateway to a Sonicwall firewall the problem goes away. I have a reason for NOT WANTING to use the Sonicwall for these machines, so that is NOT a solution to this question.

The forefront server has an outgoing rule all internal to all external all protocols all open. No malware rules are active on this connection.

Why can't I connect to s3 through the forefront firewall?  Thanks.
gateguardAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

sumeshbnrCommented:
Are you running proxy with ISA ? If yes try configuring proxy with the s3 storage client and then see what happens.

Could you see anything in the ISA log when accessing it ?

Most probably it is a source based IP block rule check all the rules and it source and destination networks .Might be the client you are trying is not in the list.
0
gateguardAuthor Commented:
Thanks for helping.

I did not set up a proxy when I installed Forefront.

Here are 3 log entries from the Forefront server, one after another (the source VM is 172.20.0.190, the program trying to connect to S3 storage is SQLBackupAndFtp):

Initiated Connection FIREFOREFRONT 11/27/2014 11:52:46 AM
Log type: Firewall service
Status: The operation completed successfully.  
Rule: outgoing
Source: Internal (172.20.0.90:55521)
Destination: External (s3-1.amazonaws.com 54.231.17.80:443)
Protocol: HTTPS
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 172.20.0.90
 
Denied Connection FIREFOREFRONT 11/27/2014 11:52:47 AM
Log type: Web Proxy (Forward)
Status: 12227 The name on the SSL server certificate supplied by a destination server does not match the name of the host requested.  
Rule: outgoing
Source: Internal (172.20.0.90:55521)
Destination: External (s3-1.amazonaws.com 54.231.17.80:443)
Request: 54.231.17.80:443
Filter information: Req ID: 0b7d416f; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https-inspect
User: anonymous
 Additional information
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x0
Processing time: 0 MIME type:
 
Closed Connection FIREFOREFRONT 11/27/2014 11:52:47 AM
Log type: Firewall service
Status: Closed Connection
Rule: outgoing
Source: Internal (172.20.0.90:55521)
Destination: External (s3-1.amazonaws.com 54.231.17.80:443)
Protocol: HTTPS
 Additional information
Number of bytes sent: 0 Number of bytes received: 1054
Processing time: 63ms Original Client IP: 172.20.0.90
0
Shalom CarmelCTOCommented:
Here is your answer:

Denied Connection FIREFOREFRONT 11/27/2014 11:52:47 AM
Log type: Web Proxy (Forward)
Status: 12227 The name on the SSL server certificate supplied by a destination server does not match the name of the host requested.  

All is good at Amazon. I would turn off the ISA transparent proxy for the amazonaws.com domain.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Forefront ISA Server

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.