RE: SSL Problems with ISA 2004

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 21 Jan 2005 09:18:08 -0500

Okay, here's my reasoning:

- I have multiple NICs for external networks (more than one ISP).

- Since I have multiple NICs, I setup a "Network" for each one of them,
listing the IP ranges that they should cover.  On the one I wanted to
use as the primary connection, I started with 0.0.0.1 and went up to
255.255.255.254, skipping only the ranges I had in use on other NICs and
private address ranges.

- Since each "Network" had its own IP range, and they were all covered,
I couldn't leave any in the default External Network (routing conflict),
so all IP ranges were removed from it.

- Since I had multiple External Networks, I created one Network Set that
contained all of them, and changed all rules that had External as the
destination to the new Network Set I had created for External Networks.

- At this point, traffic flow should have been covered in all cases.
When a web request comes in, it is routed to the External Network Set,
and that set should pick the appropriate Network to send it to based off
of its IP address.  So, since the default External Network wasn't
theoretically being used, I didn't include it in the External Network
Set.

- After working on this for a few hours, I could not figure out why it
was hitting the Default Firewall Policy and erroring out; finally I
added the default External Network to the External Network Set and it
worked. It was still being routed to the Default External Network
though, so I checked and found that the IP was in the range posted as
"private". So, I went through and removed all the "private" ranges that
I had entered, leaving ONLY the IP ranges that were assigned to other
NICs excluded.  This fixed the problem with this particular website.

- Out of curiosity about web requests being routed to the Default
External Network, I did a search back through the logs and found LOTS of
packets were routed there.  So, I ran it for a few hours "live" watching
for anything routed to the External Network.  Theoretically, there
shouldn't have been anything routed to it, but I found that a sizeable
number of packets were routed to the Default External Network for some
reason.  There were calls to many well-known domains being mis-routed,
including sites like Google, for which we have thousands of requests
being successfully routed daily.  Why do "some" of them slip past?

- I'll leave the Default External Network in as part of the External
Network Set I created; it shouldn't make much of a difference overall,
but the question still remains "Why should I have to include it?".


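A way to check Network definitions of the kind described above for coverage gaps, as an added example that is not code from the original thread or from ISA Server. It assumes that each Network is a list of inclusive IPv4 start/end ranges, that a Network Set is simply the union of its member Networks, and that a destination matched by no member falls through to the default External network (where the post reports it hit the Default Firewall Policy). The ISP ranges, private-range exclusions and log lines are constructed from RFC 5737 documentation addresses; `build_primary_network`, `coverage_gaps`, `classify` and `default_hits` are names chosen for this example.

```python
"""Coverage check for ISA-style "Network" definitions built from IP ranges.

Added example, not code from the original thread or from ISA Server.  Assumes
a Network is a list of inclusive IPv4 (start, end) ranges, a Network Set is the
union of its members, and an address matched by no member falls through to the
default External network.  All addresses are constructed (RFC 5737 / RFC 1918).
"""
import ipaddress
from collections import Counter

DEFAULT_EXTERNAL = "External (default)"
FULL_RANGE = ("0.0.0.1", "255.255.255.254")   # span the post's primary network starts from

# Constructed: one range per ISP-facing NIC, plus the RFC 1918 private ranges.
ISP_A = [("198.51.100.0", "198.51.100.255")]
ISP_B = [("203.0.113.0", "203.0.113.255")]
PRIVATE = [("10.0.0.0", "10.255.255.255"),
           ("172.16.0.0", "172.31.255.255"),
           ("192.168.0.0", "192.168.255.255")]


def to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def to_str(n):
    return str(ipaddress.IPv4Address(n))


def subtract_ranges(base, holes):
    """Remove every inclusive (start, end) hole from the inclusive base range.
    Works on integers; returns the remaining ranges in ascending order."""
    remaining = [base]
    for h_start, h_end in sorted(holes):
        pieces = []
        for s, e in remaining:
            if h_end < s or h_start > e:        # hole does not touch this piece
                pieces.append((s, e))
                continue
            if h_start > s:                     # keep the part left of the hole
                pieces.append((s, h_start - 1))
            if h_end < e:                       # keep the part right of the hole
                pieces.append((h_end + 1, e))
        remaining = pieces
    return remaining


def build_primary_network(excluded):
    """Build the primary external Network the way the post describes: all of
    0.0.0.1-255.255.255.254 minus the ranges already used elsewhere."""
    base = (to_int(FULL_RANGE[0]), to_int(FULL_RANGE[1]))
    holes = [(to_int(a), to_int(b)) for a, b in excluded]
    return [(to_str(s), to_str(e)) for s, e in subtract_ranges(base, holes)]


def coverage_gaps(networks):
    """Parts of FULL_RANGE that no Network in the set covers.  Any destination
    inside a gap is what lands on the default External network."""
    base = (to_int(FULL_RANGE[0]), to_int(FULL_RANGE[1]))
    holes = [(to_int(a), to_int(b)) for ranges in networks.values() for a, b in ranges]
    return [(to_str(s), to_str(e)) for s, e in subtract_ranges(base, holes)]


def classify(ip, networks):
    """Name of the first Network whose ranges contain ip, else DEFAULT_EXTERNAL."""
    n = to_int(ip)
    for name, ranges in networks.items():
        if any(to_int(a) <= n <= to_int(b) for a, b in ranges):
            return name
    return DEFAULT_EXTERNAL


# Constructed log lines: "<date> <time> <client> <destination> <port>".
LOG_LINES = [
    "2005-01-20 14:39:01 192.168.1.10 203.0.113.25 443",
    "2005-01-20 14:39:02 192.168.1.11 198.51.100.7 443",
    "2005-01-20 14:39:05 192.168.1.12 192.0.2.44 443",
    "2005-01-20 14:39:09 192.168.1.13 10.20.30.40 443",
]


def route_log(lines, networks):
    """Count how many logged destinations each Network (or the default) takes."""
    return Counter(classify(line.split()[3], networks) for line in lines)


def default_hits(lines, networks):
    """Destinations that fall through to the default External network."""
    return [line.split()[3] for line in lines
            if classify(line.split()[3], networks) == DEFAULT_EXTERNAL]


# The two configurations from the post: private ranges excluded, then not.
NETWORKS_BEFORE = {"ISP-A": ISP_A, "ISP-B": ISP_B,
                   "Primary": build_primary_network(ISP_A + ISP_B + PRIVATE)}
NETWORKS_AFTER = {"ISP-A": ISP_A, "ISP-B": ISP_B,
                  "Primary": build_primary_network(ISP_A + ISP_B)}

if __name__ == "__main__":
    for label, nets in (("before", NETWORKS_BEFORE), ("after", NETWORKS_AFTER)):
        print(label, "gaps:", coverage_gaps(nets))
        print(label, "routing:", dict(route_log(LOG_LINES, nets)))
```

Running it shows that with the private ranges excluded, the three RFC 1918 blocks are the only gaps in the set, and the one logged destination inside 10.0.0.0/8 is the one that falls through to the default network; once the exclusions are dropped, the gap list is empty and nothing falls through. The same `coverage_gaps` check run against an exported list of real Network ranges is a quick way to find which destinations can only ever be handled by the default External network, and therefore by the Default Firewall Policy.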

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Friday, January 21, 2005 08:14
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL Problems with ISA 2004

http://www.ISAserver.org

Hi Dan,

What makes you think this is a bug? I don't see anything in this thread
that even hints at that.

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Friday, January 21, 2005 7:07 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL Problems with ISA 2004

http://www.ISAserver.org

I finally figured out the problem: I had to add the "External" network to
the network set I was using for Internet access.

Even though the IP falls into the ranges routed to the proper "Network",
it seems that I have several calls a day that get routed to the External
network even though there are no IP addresses associated with it.

I'd probably classify that as a software bug, in that we can have
thousands of web requests made to places like Google routed properly,
but a few manage to skip past the routing and hit the default "External"
network anyway.


-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx]
Sent: Thursday, January 20, 2005 14:56
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL Problems with ISA 2004

http://www.ISAserver.org

I can get to the log on page no problem.

Steve 

-----Original Message-----
From: Dan Ball [mailto:dball@xxxxxxxxxxx]
Sent: Thursday, January 20, 2005 2:39 PM
To: ISA Mailing List
Subject: [isalist] SSL Problems with ISA 2004

http://www.ISAserver.org

I'm having major difficulties with getting some SSL sites to work
through ISA 2004.  For example, if I attempt to log on using the CEO
portal at Wells Fargo
(http://www.wellsfargo.com/com/ceo/ceoservices.jhtml), I get a
502 error.  The firewall logs just show an SSL-Tunnel protocol attempt
being rejected by the Default Policy.

Other SSL sites work fine, so I'm theorizing that they are attempting to
use an alternate port for SSL.  Anyone else having troubles like this?


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
isalist@xxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

This E-Mail is confidential. It is not intended to be read, copied,
disclosed or used by any person other than the recipient named above.

Unauthorised use, disclosure, or copying is strictly prohibited and may
be unlawful. Optimum IT Solutions Ltd disclaims any liability for any
action taken in connection of this E-Mail. The comments or statements
expressed in this E-Mail are not necessarily those of Optimum IT
Solutions Ltd or its subsidiaries or affiliates.

administrator@xxxxxxxxxx

