Since you have users logging onto the server and thereby using its browser, you'll have to operate with that removed. IE "enhanced security" was intended to be a more restrictive browser *for servers*, since as a rule, they're not used as workstations. Clearly, a TS server is the exception to that rule.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of tim.altena@xxxxxxxxxxxxxx
Sent: Thursday, December 28, 2006 6:17 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA and HTTPS

Just an update, I have found a workaround for this issue. I removed "Internet Explorer Enhanced Security Configuration" from my TS and everything started to work correctly. I am not sure yet what this changed, so I will be researching this today.

Thanks again,
Tim

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of tim.altena@xxxxxxxxxxxxxx
Sent: Wednesday, December 27, 2006 4:59 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA and HTTPS

Thanks for your response Jim,

What I had meant by my statement was just that it was not a member of any of the domain groups that I created to use when controlling Internet access on the ISA server.

I have unchecked this setting; unfortunately I get the exact same error page. I am fairly certain that it was my FWC installation that enabled it. Is it possible that I modified the installation unknowingly to do this? If I did, I am not aware of how it occurred.

I will be getting a capture in the morning and see if I can find anything. I will attempt to compare it to a capture of the same user after I make them a member of the domain group allowing access to the internet and see if I can find the difference.
Thanks again Jim for your reply and assistance,
Tim

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Wednesday, December 27, 2006 4:19 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA and HTTPS

The first thing you need to do is drop this idea: "and is not a member of any domain groups". *Every* account is a member of at least one group; possibly more, depending on your group policies and account creation processes.

Now to the details:

"The page cannot be displayed" - this is the standard, useless "friendly" HTML error message. Unselect "friendly" anything in the advanced IE settings if you want something a bit more useful in the future. Unfortunately, this error could indicate anything from a failed wpad request to a rejected connection by the site itself.

"The IE configuration is pretty basic not much has been changed from the default configuration after installation except the changes made by the ISA firewall client installation which are that it sets the following:"

This is about as far from the default as you can get. "use a proxy server" is populated, but not enabled by the FWC installer.

You should get a capture of the process from start to finish. I realize that some of it is SSL, but the handshake process can often tell the tale.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of tim.altena@xxxxxxxxxxxxxx
Sent: Wednesday, December 27, 2006 1:40 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA and HTTPS

I hope I have provided enough detail here; if not, please let me know and I will give you more.

Q1 - what is the user experience *details* for the failed requests?

I have created a small HTML page with just links to the two sites in question and saved it on the desktop of the TS. If I open the page and click on the link to https://www.myflexonline.com the site's login page is displayed.
If I then click on the link for the other site https://www.myretirementfuture.com the browser attempts to open that page for a few seconds and then gets an error page in IE that states the following:

The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.
________________________________
Please try the following:
<-- snip -->
Cannot find server or DNS Error
Internet Explorer

After doing this, any HTTPS page they go to brings up this same error.

Q2 - what does ISA live logging show for those requests?

I have attached the log from that time. I did have a filter to only show logs with the server's client IP address. If more is needed I can provide.

Q3 - how does the user log on to the TS server; local or domain credentials?

The user logs onto the TS using a domain account. This account has no special permissions on the TS, and is not a member of any domain groups.

Q4 - how is the browser configured (*details*)?
The IE configuration is pretty basic; not much has been changed from the default configuration after installation except the changes made by the ISA firewall client installation, which are that it sets the following:

Local Area Network Settings
  Automatically detect settings - checked
  Use automatic configuration script - checked
    http://oc05.vpinc.net:8080/array.dll?Get.Routing.Script (FQDN of my ISA server)
  Use a proxy server for your LAN - checked
    Address oc05.vpinc.net Port: 8080
  Bypass proxy for local addresses - checked

Security Tab
  Internet Zone - security setting high
  Local intranet Zone - custom settings (I did not change this from original install)
  Trusted Sites - custom settings (I did not change this from original install)
    Sites added to this zone
    http://www.myflexonline.com
    https://www.myflexonline.com
    http://www.myretirementfuture.com
    https://www.myretirementfuture.com
    http://crl.geotrust.com

Thanks Again
Tim

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Wednesday, December 27, 2006 3:03 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA and HTTPS

Q1 - what is the user experience *details* for the failed requests?
Q2 - what does ISA live logging show for those requests?
Q3 - how does the user log on to the TS server; local or domain credentials?
Q4 - how is the browser configured (*details*)?

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of tim.altena@xxxxxxxxxxxxxx
Sent: Wednesday, December 27, 2006 12:27 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] ISA and HTTPS

I must be missing something really dumb, but try as I might I cannot find it.

I have an ISA 2004 server running on Windows 2003. I have configured rules for access based on AD groups.
Rule #1 allows one group access to all external sites with HTTP, HTTPS, FTP, and a few other protocols.
Rule #2 allows another group access to a specified list of domains via HTTP and HTTPS.
Rule #3 allows all authenticated users access to a very short list of specified domains via HTTP and HTTPS; this same rule has an exception for a group of users that have all access to the internet denied.
Rule #4 is the default rule that denies access from anyone to everything.

I have a user that is not assigned to any specific AD group that needs to access a site in the very short list of domains from Rule #3 (www.myretirementfuture.com). This user can access this domain from any workstation on my domain using both HTTP and HTTPS; however, when it connects to our Windows 2003 terminal server it can connect using HTTP, but when they try to go to HTTPS it fails and they get an error in IE stating that the page cannot be displayed. I can however go to another site, https://www.myflexonline.com, without any trouble, that is until I go to this site (https://www.myretirementfuture.com); then I cannot get to any HTTPS site after that.

If I put this user in the AD group that allows access to any external sites, this site works fine via HTTPS on the terminal server.

I am not sure what I am missing in this equation; any help would be greatly appreciated.

Oh, the terminal server does have the Firewall Client installed on it, and I have tried it without the client installed. I also have added both the http and https versions of the domain to the trusted site list in IE on the terminal server.

Thanks in advance,
Tim

All mail to and from this domain is GFI-scanned.