Re: SSL Bridging Fun

  • From: Tony Lou <lout@xxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 16 Jul 2002 10:24:16 +1000

Hi Jim,

Thanks for your response.

In answer to your question, sort of.
Our external domain name is "fpa.asn.au"; our internal one is "nt.fpa.asn.au".
Also, I do have an entry in the hosts file on the ISA server pointing to the
internal address of the web server.  A ping from the command prompt on the
ISA server confirms that it resolves to the internal address.

Thinking about it last night, I've come to realise that it may in fact be
working for the outside world, but not for us internally, because all of our
clients point to the ISA server for DNS (which then forwards external-bound
lookups to our ISP's DNS servers).

Therefore an internal client will see the "loop" error, whereas the outside
presumably wouldn't?  This is what I'll be testing in the next hour.

Would appreciate a pointer to information on "split DNS structures",
particularly as we'll be moving to Active Directory and Exchange 2000 soon,
which, as I understand it, will require the use of our external domain name
internally as well.

Cheers, and Thanks,

Tony Lou


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Monday, 15 July 2002 11:00 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: SSL Bridging Fun


http://www.ISAserver.org


ISA is resolving the web server name to its own external IP address (thus
the proxy chain loop msg).
As stated in the article, you'll need to help ISA resolve the name to the
proper internal IP using either a hosts file entry or a 'spoof' DNS entry.
This is another argument for a split DNS structure.
You aren't using the same internal domain name as you use externally, are
you?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!

----- Original Message ----- 
From: Tony Lou 
To: [ISAserver.org Discussion List] 
Sent: Sunday, July 14, 2002 11:52 PM
Subject: [isalist] SSL Bridging Fun
Hi all,
Having an issue with SSL bridging which is driving me spare. Would
appreciate some assistance from any who have come out winners in this area.
We have a Web server (W2K, IIS) running on our internal network.
Published through ISA on standard ports (i.e., HTTP - 80, SSL - 443).
A Verisign certificate installed on both IIS and ISA.
I have worked through this document
(http://www.isaserver.org/pages/articles.asp?art=157) to the letter.
The problem seems to relate to these lines in the document:
9.15 "On the Rule Action window select "Redirect the request to this
internal Web server""
9.16 "Make sure you enter the name of the internal web site being published
(not the IP address or internal server name). This is the same as the
certificate.
NOTE: Make sure the ISA server can resolve this name to the internal Web
server's IP address. The external DNS servers will resolve the published Web
site name to the external IP address of the ISA server, but the ISA server
needs to resolve the name to the internal published Web server. You may have
to create a HOST file locally on the ISA server to resolve the name to the
internal Web server IP address."
If I enter the "Web Site name" I get this error generated by the ISA Server:

"The server has detected a proxy chain loop. This condition
might indicate a configuration problem in proxy server".
If I don't, and instead enter the internal IP address, all works fine except
that SSL doesn't bridge and I get this error instead:
"500 Internal Server Error - The target principal name is incorrect.
(-2146893022)
Internet Security and Acceleration Server"
Would deeply appreciate any assistance.
Thanks in advance,
Tony Lou
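As an added example, not code from this thread or from ISA Server itself: a small Python model of the name-resolution check Jim describes, predicting which of the two errors Tony reports a given "redirect to this internal Web server" target would produce. The published host name www.fpa.asn.au, the certificate subject and all addresses are assumptions (the thread gives only the domain names); the hosts-file text and DNS table are constructed sample data.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not real hosts).
ISA_EXTERNAL_IP = "203.0.113.10"        # assumed: what public DNS returns for the site
WEB_SERVER_INTERNAL_IP = "192.0.2.20"   # assumed: the IIS box behind ISA
CERT_COMMON_NAME = "www.fpa.asn.au"     # assumed: name on the Verisign certificate

# Public DNS view, as seen from the outside and from the ISA box without a hosts entry.
PUBLIC_DNS = {"www.fpa.asn.au": ISA_EXTERNAL_IP}

# Constructed hosts file as it would look on the ISA server after the article's fix.
HOSTS_FILE = """
127.0.0.1   localhost
192.0.2.20  www.fpa.asn.au   # spoof entry so ISA reaches the internal server
"""


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, ignoring comments and blanks."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table[name.lower()] = ip
    return table


def resolve_on_isa(name, hosts, public_dns):
    """Windows consults the hosts file before DNS, so a hosts entry overrides the public answer."""
    return hosts.get(name.lower()) or public_dns.get(name.lower())


def check_redirect_target(target, hosts, public_dns):
    """Predict the outcome for the name or IP typed into the Web publishing rule."""
    try:
        ipaddress.ip_address(target)
        is_ip = True
    except ValueError:
        is_ip = False
    addr = target if is_ip else resolve_on_isa(target, hosts, public_dns)
    if addr is None:
        return "unresolvable"
    if addr == ISA_EXTERNAL_IP:
        return "proxy chain loop"   # ISA would forward the request back to itself
    if is_ip or target.lower() != CERT_COMMON_NAME.lower():
        # Bridged SSL connection carries a name that does not match the certificate.
        return "target principal name is incorrect"
    return "ok"
```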
