http://www.ISAserver.org ------------------------------------------------------- ClearTunnel :) Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- Microsoft Firewalls (ISA) > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison > Sent: Tuesday, May 22, 2007 8:58 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt > > http://www.ISAserver.org > ------------------------------------------------------- > > There can be no caching of SSL Tunneled traffic; ISA can't see it, so > ISA can't cache it. Never let anyone tell you otherwise. > Regarding the errors, if you get a network capture while making these > tests, you can prove conclusively which entity (site or ISA) is > delivering the content. > > NetMon 3 can capture multiple interfaces simultaneously. > > Get a capture and we'll see what we see... > > > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] > On Behalf Of Amy Babinchak > Sent: Tuesday, May 22, 2007 5:07 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt > > http://www.ISAserver.org > ------------------------------------------------------- > > Dave, > > The message you are describing is coming from the site > itself, not from > ISA. ISA can't display a page that Acer doesn't ask it to. You > definitely have it cached someplace. > > Amy > > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] > On Behalf Of David Freeman > Sent: Monday, May 21, 2007 9:33 PM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt > > http://www.ISAserver.org > ------------------------------------------------------- > > More information needed... > > I click the "ShopAcer" link and get a new browser with the following: > > The Site is currently down. Please try again soon. Acer SYSOP. > > When I go to https://www.apec.acer.com.au/ and log in using my normal > u/p etc I get the following: > > The Site is currently down. Please try again soon. Acer SYSOP. > > When I go to http://www.service.acer.com.au/aarc and log in using my > normal u/p etc I get the following: > > The Site is currently down. Please try again soon. Acer SYSOP. > > At the same time, I can go to > https://toolbox.iinet.net.au/cgi-bin/volumegraphs.cgi and log in using > my normal u/p and it works. > > I can also access Internet banking sites and other sites that > use login > credentials. > > I have rebooted the server and it made no difference. > > My network is like this: > > - Internet via ADSL to a LinkSYS router (NAT router) > - an 'external' network that I use to plug in computers I'm repairing > in my workshop > - ISA/SBS with SBS having dual NIC's into an 'internal' network where > my business workstations live > > If I plug a PC into the 'external' network the above things work > normally. > > I've tried talking to the folks at Acer and they claim there's no > problems at their end. Given that I also have no problems > when outside > ISA I tend to accept this. > > Access to Acer's various sites is pretty much business-critical so I'm > really getting hassled by staff here. I really don't want to move > workstations on to the 'external' network so I'm trying to understand > what is going on. > > I ran a query in ISA while running the above tests and aside > from seeing > SSL-tunnel failing to connect I didn't see any denied connections or > errors showing. My filter was basically for a log record type of > firewall or web proxy filter with a client IP of the workstation I'm > doing the testing on. I've tested using both IE (v6) and > Firefox. I'm > satisfied that the workstation I'm testing on is working normally but > have also tested with similar results on two other workstations. > > Hope that offers a little more information... > > David > > > > -----Original Message----- > > From: isalist-bounce@xxxxxxxxxxxxx > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak > > Sent: Tuesday, 22 May 2007 10:58 AM > > To: isalist@xxxxxxxxxxxxx > > Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt > > > > http://www.ISAserver.org > > ------------------------------------------------------- > > > > What happens when you click Shop Acer? For me a new window > > is launched > > and it's http, not https. Given this I would be looking > > first at browser > > settings. > > > > Amy > > > > -----Original Message----- > > From: isalist-bounce@xxxxxxxxxxxxx > > [mailto:isalist-bounce@xxxxxxxxxxxxx] > > On Behalf Of David Freeman > > Sent: Monday, May 21, 2007 8:32 PM > > To: isalist@xxxxxxxxxxxxx > > Subject: [isalist] SSL-tunnel - Failed Connection Attempt > > > > http://www.ISAserver.org > > ------------------------------------------------------- > > > > Hi All > > > > I'm running ISA 2004 on an SBS 2003 (not R2) box. > > > > There haven't been any changes to the server for the past 30 days. > > > > In the past two weeks, a web site that we use stopped > working (their > > end, was offline then came back online). Since they came > back online > > we've been unable to access the site. > > > > I set up a workstation outside my ISA protected network and > > tested - the > > site will load normally. It does not load inside the ISA protected > > network. > > > > I set up a filter for one of my workstations and attempted > > to connect to > > the site. The only failure I'm seeing is for a port 443 > > connection. It > > identifies the protocol as SSL-tunnel and has an action of "Failed > > Connection Attempt". ISA identifies the rule as "SBS > Internet Access > > Rule". > > > > My current "SBS Internet Access Rule" is set to allow HTTP > and HTTPS > > from all protected networks to external networks for SBS > > internet users. > > > > There are no problems accessing other sites using HTTPS (including > > internet banking sites) from ISA protected workstations, only this > > particular site. > > > > Just been checking with other staff here - the exact same > > error can be > > seen by going to http://www.acer.com.au/ and selecting the > "ShopAcer" > > link on the left hand side (actual site I'd noted the > problem with is > > Acer's wholesale e-commerce site). > > > > Any assistance or ideas on how to proceed very much appreciated. > > > > Aside from adding a couple of rules for Citrix my ISA 2004 > is running > > pretty much vanilla default rules set up as part of the > SBS install. > > > > David > > ------------------------------------------------------ > > List Archives: //www.freelists.org/archives/isalist/ > > ISA Server Newsletter: > http://www.isaserver.org/pages/newsletter.asp > > ISA Server Articles and Tutorials: > > http://www.isaserver.org/articles_tutorials/ > > ISA Server Blogs: http://blogs.isaserver.org/ > > ------------------------------------------------------ > > Visit TechGenix.com for more information about our other sites: > > http://www.techgenix.com > > ------------------------------------------------------ > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > > Report abuse to listadmin@xxxxxxxxxxxxx > > > > > > -- > > ExchangeDefender Message Security: Click below to verify > authenticity > > http://www.exchangedefender.com/verify.asp?id=l4M0oh1g001079&; > > from=amy@xxxxxxxxxxxxxxxxxxxxxxxxxx > > > > ------------------------------------------------------ > > List Archives: //www.freelists.org/archives/isalist/ > > ISA Server Newsletter: > http://www.isaserver.org/pages/newsletter.asp > > ISA Server Articles and Tutorials: > > http://www.isaserver.org/articles_tutorials/ > > ISA Server Blogs: http://blogs.isaserver.org/ > > ------------------------------------------------------ > > Visit TechGenix.com for more information about our other sites: > > http://www.techgenix.com > > ------------------------------------------------------ > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > > Report abuse to listadmin@xxxxxxxxxxxxx > > > > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > > -- > ExchangeDefender Message Security: Click below to verify authenticity > http://www.exchangedefender.com/verify.asp?id=l4MBxKhe007624&f > rom=amy@ha > rborcomputerservices.net > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > > All mail to and from this domain is GFI-scanned. > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx