Ok, I have messed with this thing quite a bit, and now the log shows HTTPS traffic being rejected by the default rule. There are explicit rules in place to allow All Traffic from internal to external. I think I am missing something extremely obvious, just not seeing it.

TIA
Drew

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew A Bruning
Sent: Tuesday, April 25, 2006 12:31 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Secure website issue

Sorry for the delay getting back to you on this, but I wanted to hit the server with some traffic and review the logs. I see an "initiated connection" for HTTPS, eventually it times out and the connection is closed. I also see in my sessions, in addition to the web proxy session for the client PC, I see a secure nat session. Is that normal?

I will say that I did set the PC up as a secure nat client (set client gateway to IP of ISA box) and web browsing and HTTPS worked without issue. Changed things back to web proxy, HTTPS is a no go.

The delays in page loading have been figured out. Was a DNS issue, easily handled.

Thanks for any suggestions Thor.

Drew

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Monday, April 24, 2006 5:31 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Secure website issue

What do the logs tell you?

t

On 4/24/06 2:22 PM, "Andrew A Bruning" <abruning@xxxxxxxxxx> spoketh to all:

Yes, the allow all is number 1. Any ideas on what to investigate?

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
Sent: Monday, April 24, 2006 4:16 PM
To: ISA Mailing List
Subject: [isalist] Re: Secure website issue

Then there is something else wrong then. Is your allow all rule No1 in the list?

If you can't get to ordinary HTTPS Sites with an allow all rule then you'll need to investigate further as to why not.

S

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew A Bruning
Sent: Monday, April 24, 2006 4:34 PM
To: ISA Mailing List
Subject: [isalist] Re: Secure website issue

Hi Steve;

I do believe I am. One of the rules currently in place is a wide open, everything from everyone allowed, and it still doesn't work. I figured if I could get it to work wide open, I could then restrict after the fact.

Drew

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
Sent: Monday, April 24, 2006 3:25 PM
To: ISA Mailing List
Subject: [isalist] Re: Secure website issue

Are you using the HTTPS protocol in your allow rules?

S

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew A Bruning
Sent: Monday, April 24, 2006 4:14 PM
To: ISA Mailing List
Subject: [isalist] Secure website issue

Greetings list members;

I am in the process of bringing up an ISA 2004 Standard SP2 server running on Win 2003 SP1 (joined to the domain) to be used strictly as a web proxy for internal clients. It is set up in edge mode. I have created firewall access rules to allow outbound connections based on Active Directory group membership. Internet U gets full access except for a list of blocked URL's. Internet R gets access to an allowed domain name list. Internet VR gets pretty much nothing, a couple of allowed sites and the intranet. Everything seems to be working, except for access to secure sites (HTTPS).

I have been lurking about the forums on the isaserver.org site quite a bit lately and see some others with similar issues, but have yet to glean the answer I need from any of the threads. I have tried extending the SSL port range with the Port Range Extender utility I found, but I think I am missing something way more basic. I don't even get "page failed to load" messages. It seems like links to secure pages are dead.

One other issue I will note; initial page loads seem inordinately long sometimes. Once you are in, you can browse fine, but that first page load almost seems to hang sometimes.

TIA
Drew