[isalist] Re: Secure website issue

  • From: "Andrew A Bruning" <abruning@xxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 27 Apr 2006 17:16:24 -0400

Ok, I have messed with this thing quite a bit, and now the log shows
HTTPS traffic being rejected by the default rule.  

There are explicit rules in place to allow All Traffic from internal to
external.

 

I think I am missing something extremely obvious, just not seeing it.

TIA

Drew

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Andrew A Bruning
Sent: Tuesday, April 25, 2006 12:31 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Secure website issue

 

Sorry for the delay getting back to you on this, but I wanted to hit the
server with some traffic and review the logs.

 

I see an "initiated connection" for HTTPS, eventually it times out and
the connection is closed.

I also see in my sessions, in addition to the web proxy session for the
client PC, I see a secure nat session.  Is that normal?  

I will say that I did set the PC up as a secure nat client (set client
gateway to IP of ISA box) and web browsing and HTTPS worked without
issue.  Changed things back to web proxy, HTTPS is a no go.

 

The delays in page loading have been figured out.  Was a DNS issue,
easily handled.

 

Thanks for any suggestions Thor.

 

Drew

 

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Monday, April 24, 2006 5:31 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Secure website issue

 

What do the logs tell you?  

t


On 4/24/06 2:22 PM, "Andrew A Bruning" <abruning@xxxxxxxxxx> spoketh to
all:

Yes, the allow all is number 1.  Any ideas on what to investigate?  
 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: Monday, April 24, 2006 4:16 PM
To: ISA Mailing List
Subject: [isalist] Re: Secure website issue

Then there is something else wrong then. Is your allow all rule No1 in
the list?
 
If you can't get to ordinary HTTPS Sites with an allow all rule then
you'll need to investigate further as to why not.
 
S
 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Andrew A Bruning
Sent: Monday, April 24, 2006 4:34 PM
To: ISA Mailing List
Subject: [isalist] Re: Secure website issue

Hi Steve;
I do believe I am.  One of the rules currently in place is a wide open,
everything from everyone allowed, and it still doesn't work.  I figured
if I could get it to work wide open, I could then restrict after the
fact.
Drew
 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: Monday, April 24, 2006 3:25 PM
To: ISA Mailing List
Subject: [isalist] Re: Secure website issue

Are you using the HTTPS protocol in your allow rules?
 
S
 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Andrew A Bruning
Sent: Monday, April 24, 2006 4:14 PM
To: ISA Mailing List
Subject: [isalist] Secure website issue

Greetings list members;
 
I am in the process of bringing up an ISA 2004 Standard SP2 server
running on Win 2003 SP1 (joined to the domain) to be used strictly as a
web proxy for internal clients. It is set up in edge mode.
I have created firewall access rules to allow outbound connections based
on Active Directory group membership.  Internet U gets full access
except for a list of blocked URLs.  Internet R gets access to an
allowed domain name list.  Internet VR gets pretty much nothing, a
couple of allowed sites and the intranet.
Everything seems to be working, except for access to secure sites
(HTTPS).  I have been lurking about the forums on the isaserver.org site
quite a bit lately and see some others with similar issues, but have yet
to glean the answer I need from any of the threads.
I have tried extending the SSL port range with the Port Range Extender
utility I found, but I think I am missing something way more basic.  I
don't even get "page failed to load" messages.  It seems like links to
secure pages are dead.  
 
One other issue I will note; initial page loads seem inordinately long
sometimes.  Once you are in, you can browse fine, but that first page
load almost seems to hang sometimes.
 
TIA
Drew
 
 
 

 
