RE: Internal Clients Unable to Access HTTPS Published Servers

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 27 May 2005 06:15:06 -0500

I have read that looping back through the ISA firewall to access
internal resources is one of the ISA firewall's venial sins.


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Friday, May 27, 2005 12:31 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Internal Clients Unable to Access HTTPS Published
Servers

http://www.ISAserver.org

Bad Jeff.
Don't force internal clients to use external publishing rules to hit
internal servers.

-----Original Message-----
From: Jeff B [mailto:jeff.butte@xxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, May 26, 2005 8:56 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Internal Clients Unable to Access HTTPS Published
Servers

I recently rebuilt a W2K ISA 2000 server as W2K3 ISA 2004 due to a
hardware failure.  It became a crash course in 2004, but within a few
short hours nearly everything was working.  The only problem I have been
unable to solve is internal clients accessing HTTPS sites published by
the ISA 2004 server.  External and VPN clients are able to access the
sites fine.

Here is the config.  Clients come inbound on the external interface of
the ISA.  SSL is terminated there and bridged over HTTP to the internal
web server:

INTERNET=>HTTPS(443)=>ISA 2004=>HTTP(80)=>WEB SERVER

The only error I can find via the logs is:

WSA_RWS_ABORTIVE_SHUTDOWN
or FWX_E_ABORTIVE_SHUTDOWN 0x80074E21 A connection was abortively closed
after one of the peers sent a RST segment.

The clients on the internal network get terminated; they do not even see
the SSL cert served up.

WFETCH captures the following:
started....
WWWConnect::Close("<FQDN>","80")\n
closed source port: 1328\r\n
WWWConnect::Connect("<FQDN>","443")\n
0x2746 (An existing connection was forcibly closed by the remote host.):
[sockslib]: recv()
Failed to negotiate secure connection with <FQDN> - port 443
finished.

Thanks, 
Jeff B.

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.

