I kept banging away at this and got some interesting findings. I published port 443 to the internal server using server publishing rules. When I did this I could see 443 traffic between the Web/app server and the ISA server in the firewall logs. The operation was listed as BIND so traffic was still not getting all the way out. I then turned off SSL listeners on the ISA server. After that the app works! I was excited but then a few thoughts came to mind. Without the SSL listeners enabled, is the traffic going to be encrypted still? Or have I just bypassed my encryption by opening the port rather that just allowing SSL listeners to handle the traffic. Steve -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Thursday, January 23, 2003 4:42 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Please help before i have no hair left http://www.ISAserver.org Hi Steve, Sounds similar to the old OWA problem. The client established an SSL connection with the Incoming Web Requests listener, but then the OWA site returned links that were HTTP. That didn't work since the user needed to connect to the Incoming Web Requests listener via HTTPS, not HTTP. You might want to investigate the Link Translator included in the Feature Pack 1 and see if that will help, or better, fix your app so that they establish an SSL connection from the start and don't bounce between secure and insecure. HTH, Tom www.isaserver.org/shinder -----Original Message----- From: Stephen Herrera [mailto:sherrera@xxxxxxxxxx] Sent: Thursday, January 23, 2003 4:54 PM To: [ISAserver.org Discussion List] Subject: [isalist] Please help before i have no hair left http://www.ISAserver.org I am installing WebDemo on a web server in my DMZ. I have a back to back ISA environment. The website for WebDemo is accessed on port 80 and the website passes you to port 443 for the application when you start it. For my LAN I have made a DNS entry that points to the internal IP of the web server when LAN clients go to www.myapp.com so they go straight to the server. I have a port listener on the web server and can see port 80 being hit when they view the website and then port 443 when the use the application. For outside clients I have followed the "Configuring SSL Bridging" tutorial to setup the web server and publish the website. I have made sure that when I ping www.myapp.com from the external ISA server the internal IP is returned. When I try from the outside I see port 80 being hit when I access the website but the pass to port 443 never happens. On the ISA server packet filter logs I see the external client requesting port 443 and I see the publish IP passing traffic back to external client but the traffic never gets to the web server. To test to make sure I have the SSL setup correctly I have stopped the services of the application so they would not use port 443 and changed the properties of the website to only accept SSL. When I do this I am able to access the website both from the outside and from the inside so I know it is setup correctly. I don't know why ISA will not the website pass the client off to the application on 443. Also, I can run the app from the outside firewall itself. Any thoughts on this? steve ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: sherrera@xxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')