Q1 - What HTTP response does your app report when it fails? Q2 - have you considered using WinHTTP in your VB app? ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ <http://isaserver.org/Jim_Harrison/> http://isatools.org <http://isatools.org/> Read the help / books / articles! ------------------------------------------------------- ________________________________ From: tim S [mailto:tim724342@xxxxxxxxx] Sent: Monday, February 28, 2005 11:23 To: [ISAserver.org Discussion List] Subject: [isalist] Need help with packet filters http://www.ISAserver.org Hi, I have ISA 2000 running on windows 2003 server. I am baffled as to why ISA behaves this way. I have a simple VB application that makes a request to an external website that uses SSL and requires authentication. The client is firewall and secureNAT. HTTP redirector sends all web requests to webproxy service. If I type the URL in the browser, I can get to the site after authenticating at the external webserver. But if I let the application make the web request, it hangs up. Here are my logs (all the fields are logged): Firewall Log:(as a firewall client) 10.1.0.88 = client IP number , 64.14.x.x = remote webserver ------------------------------------------------- 10.1.0.88 user1 URLapp.exe:3:5.1 N 2005-02-28 19:01:23 fwsrv ISA1 - - 64.14.x.x 443 4500 - - 443 TCP Connect 0 All outbound Allow rule Firewall Log:(as a secure NAT client) ----------------------------------------------------- 10.1.0.88 - - N 2005-02-28 19:05:41 fwsrv ISA1 - - 64.14.81.x.x 4546 - - 443 TCP Connect 0 All outbound Allow rule 10.1.0.88 - - N 2005-02-28 19:05:41 fwsrv ISA1 - - 64.14.x.x 443 4546 70 - 443 TCP Connect 20000 All outbound Allow rule Packet filter log:(just remove the payload field) -------------------- 2005-02-28 18:39:55 163.x.x.x 64.14.x.x Udp 1708 137 - BLOCKED 163.x.x.x 45 2005-02-28 18:39:55 163.x.x.x 64.14.x.x Udp 1709 137 - BLOCKED 163.x.x.x 45 2005-02-28 18:39:56 163.x.x.x 64.14.x.x Udp 1708 137 - BLOCKED 163.x.x.x 45 2005-02-28 18:39:56 163.x.x.x 64.14.x.x Udp 1709 137 - BLOCKED 163.x.x.x 45 2005-02-28 18:39:57 163.x.x.x 64.14.x.x Udp 1708 137 - BLOCKED 163.x.x.x 45 2005-02-28 18:39:57 163.x.x.x 64.14.x.x Udp 1709 137 - BLOCKED 163.x.x.x 45 2005-02-28 18:39:58 163.x.x.x 64.14.x.x Udp 1708 137 - BLOCKED 163.x.x.x 45 163.x.x.x = IP number of the ISA's external NIC 64.14.x.x = the remote webserver that requires authentication and SSL encryption. I can't figure out why in the work the ISA server is using the port 137 instead of 443 to connect to the remote webserver. I tried disabling firewall client, but same result. However, I tried this application using another ISA server as a gateway from the same client. The application didn't have any problem connecting. It's this particular ISA server that has problem. Any help is greatly appreciated. Thanks __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned.