[isalist] Re: SSL-tunnel - Failed Connection Attempt
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Tue, 22 May 2007 09:08:12 -0500
http://www.ISAserver.org
-------------------------------------------------------
ClearTunnel :)
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Tuesday, May 22, 2007 8:58 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt
>
> http://www.ISAserver.org
> -------------------------------------------------------
>
> There can be no caching of SSL Tunneled traffic; ISA can't see it, so
> ISA can't cache it. Never let anyone tell you otherwise.
> Regarding the errors, if you get a network capture while making these
> tests, you can prove conclusively which entity (site or ISA) is
> delivering the content.
>
> NetMon 3 can capture multiple interfaces simultaneously.
>
> Get a capture and we'll see what we see...
>
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Amy Babinchak
> Sent: Tuesday, May 22, 2007 5:07 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt
>
> http://www.ISAserver.org
> -------------------------------------------------------
>
> Dave,
>
> The message you are describing is coming from the site
> itself, not from
> ISA. ISA can't display a page that Acer doesn't ask it to. You
> definitely have it cached someplace.
>
> Amy
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of David Freeman
> Sent: Monday, May 21, 2007 9:33 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt
>
> http://www.ISAserver.org
> -------------------------------------------------------
>
> More information needed...
>
> I click the "ShopAcer" link and get a new browser with the following:
>
> The Site is currently down. Please try again soon. Acer SYSOP.
>
> When I go to https://www.apec.acer.com.au/ and log in using my normal
> u/p etc I get the following:
>
> The Site is currently down. Please try again soon. Acer SYSOP.
>
> When I go to http://www.service.acer.com.au/aarc and log in using my
> normal u/p etc I get the following:
>
> The Site is currently down. Please try again soon. Acer SYSOP.
>
> At the same time, I can go to
> https://toolbox.iinet.net.au/cgi-bin/volumegraphs.cgi and log in using
> my normal u/p and it works.
>
> I can also access Internet banking sites and other sites that
> use login
> credentials.
>
> I have rebooted the server and it made no difference.
>
> My network is like this:
>
> - Internet via ADSL to a LinkSYS router (NAT router)
> - an 'external' network that I use to plug in computers I'm repairing
> in my workshop
> - ISA/SBS with SBS having dual NIC's into an 'internal' network where
> my business workstations live
>
> If I plug a PC into the 'external' network the above things work
> normally.
>
> I've tried talking to the folks at Acer and they claim there's no
> problems at their end. Given that I also have no problems
> when outside
> ISA I tend to accept this.
>
> Access to Acer's various sites is pretty much business-critical so I'm
> really getting hassled by staff here. I really don't want to move
> workstations on to the 'external' network so I'm trying to understand
> what is going on.
>
> I ran a query in ISA while running the above tests and aside
> from seeing
> SSL-tunnel failing to connect I didn't see any denied connections or
> errors showing. My filter was basically for a log record type of
> firewall or web proxy filter with a client IP of the workstation I'm
> doing the testing on. I've tested using both IE (v6) and
> Firefox. I'm
> satisfied that the workstation I'm testing on is working normally but
> have also tested with similar results on two other workstations.
>
> Hope that offers a little more information...
>
> David
>
>
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > Sent: Tuesday, 22 May 2007 10:58 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt
> >
> > http://www.ISAserver.org
> > -------------------------------------------------------
> >
> > What happens when you click Shop Acer? For me a new window
> > is launched
> > and it's http, not https. Given this I would be looking
> > first at browser
> > settings.
> >
> > Amy
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of David Freeman
> > Sent: Monday, May 21, 2007 8:32 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] SSL-tunnel - Failed Connection Attempt
> >
> > http://www.ISAserver.org
> > -------------------------------------------------------
> >
> > Hi All
> >
> > I'm running ISA 2004 on an SBS 2003 (not R2) box.
> >
> > There haven't been any changes to the server for the past 30 days.
> >
> > In the past two weeks, a web site that we use stopped
> working (their
> > end, was offline then came back online). Since they came
> back online
> > we've been unable to access the site.
> >
> > I set up a workstation outside my ISA protected network and
> > tested - the
> > site will load normally. It does not load inside the ISA protected
> > network.
> >
> > I set up a filter for one of my workstations and attempted
> > to connect to
> > the site. The only failure I'm seeing is for a port 443
> > connection. It
> > identifies the protocol as SSL-tunnel and has an action of "Failed
> > Connection Attempt". ISA identifies the rule as "SBS
> Internet Access
> > Rule".
> >
> > My current "SBS Internet Access Rule" is set to allow HTTP
> and HTTPS
> > from all protected networks to external networks for SBS
> > internet users.
> >
> > There are no problems accessing other sites using HTTPS (including
> > internet banking sites) from ISA protected workstations, only this
> > particular site.
> >
> > Just been checking with other staff here - the exact same
> > error can be
> > seen by going to http://www.acer.com.au/ and selecting the
> "ShopAcer"
> > link on the left hand side (actual site I'd noted the
> problem with is
> > Acer's wholesale e-commerce site).
> >
> > Any assistance or ideas on how to proceed very much appreciated.
> >
> > Aside from adding a couple of rules for Citrix my ISA 2004
> is running
> > pretty much vanilla default rules set up as part of the
> SBS install.
> >
> > David
> > ------------------------------------------------------
> > List Archives: //www.freelists.org/archives/isalist/
> > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > ISA Server Articles and Tutorials:
> > http://www.isaserver.org/articles_tutorials/
> > ISA Server Blogs: http://blogs.isaserver.org/
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> >
> > --
> > ExchangeDefender Message Security: Click below to verify
> authenticity
> > http://www.exchangedefender.com/verify.asp?id=l4M0oh1g001079&;
> > from=amy@xxxxxxxxxxxxxxxxxxxxxxxxxx
> >
> > ------------------------------------------------------
> > List Archives: //www.freelists.org/archives/isalist/
> > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > ISA Server Articles and Tutorials:
> > http://www.isaserver.org/articles_tutorials/
> > ISA Server Blogs: http://blogs.isaserver.org/
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> >
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> --
> ExchangeDefender Message Security: Click below to verify authenticity
> http://www.exchangedefender.com/verify.asp?id=l4MBxKhe007624&f
> rom=amy@ha
> rborcomputerservices.net
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
> All mail to and from this domain is GFI-scanned.
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
>
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
