Hi William, I haven't followed the thread as Tom was handling your issue. If I can take you back in time, those log entries are pretty clear to me: (first entry): the sc-result code is 10054. This is a Winsock response meaning the connection, although initially accepted (listener responded), the connection was dropped (reset) afterwards. Since this appears to be an SSL connection (SSL-tunnel), there may have been a problem in the SSL handshake. (second entry): the sc-result code is 12209. This is a proxy auth failure. Since there was no allowed traffic, there is no rule to quote. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! On Mon, 1 Dec 2003 09:05:36 +0200 "William Robertson" <robertson.william@xxxxxxxxxxxxxx> wrote: http://www.ISAserver.org Jim, it looks like Tom is probably getting some well deserved rest as I haven't seen a post from him for a few days now. Would you perhaps have any insight for me into the matter Tom highlighted with regards my SSL issue? See below for more info... -----Original Message----- From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] Sent: 26 November 2003 08:00 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Cannot access SSL sites http://www.ISAserver.org Hi Tom When you say users require "Full Access" to the SSL Server, how would you propose I implement this? I can think of no other way to do this other than giving these users access to a S&C rule that allows ALL destinations... and this doesn't make sense to me...? Your thoughts? -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: 26 November 2003 00:45 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Cannot access SSL sites http://www.ISAserver.org Hi William, Users must have full access to the server to which they create an SSL connection because they cannot evaluate the path. If you have a path in the rule allowing them access, then the connection request fails. Even the dreaded /* can create this problem. HTH, Tom -----Original Message----- From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] Sent: Tuesday, November 25, 2003 8:06 AM To: [ISAserver.org Discussion List] Subject: [isalist] Cannot access SSL sites http://www.ISAserver.org Hi there I have some users who are "not allowed" to access the Internet. But being the nice guy I am I managed to get management to approve the "opening" of certain sites, such as the medical aid and pension scheme websites. So to do this I created an S&C rule to allow the necessary destination sets for all Domain Users. The trick with this is that the Medical Aid website works just fine, but the Pension website doesn't. I have now managed to figure out that the problem is related to the fact that the Pension website is an HTTPS secure site. In fact, any HTTPS site that I "open", the users keep getting prompted for their credentials, but any other HTTP website works just fine. Here are the excerpts from the WEB log (I've removed all the unnecessary info): Medical Aid <clientIP>, WillTest, Mozilla/4.0 etc etc, 11/25/2003, 15:35:57, w3proxy, <FIREWALL>, -, www.sovhealth.co.za, 196.37.176.210, 80, 2953, 455, 0, http, TCP, GET, http://www.sovhealth.co.za/web/images/background.gif, image/gif, Inet, 10054, 0x801002, pWEB Protocols, scWEB - Free Sites Pension Scheme <clientIP>, WillTest, Mozilla/4.0 etc etc, 11/25/2003, 15:35:58, w3proxy, <FIREWALL>, -, www.mebmac.co.za, -, 443, 0, 0, 0, SSL-tunnel, TCP, -, www.mebmac.co.za:443, -, Inet, 12209, 0x0, pWEB Protocols, - As you can see, the Pension website doesn't find a matching Rule 2 (Site & Content Rule), and this I cannot understand. Is it possible to declare HTTP and HTTPS website distinctions in the Destination Sets? Cheers William R. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')