RE: re : re RE: SSL High Port Publishing Issue

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 17 Sep 2003 10:56:41 -0700

The problem is that the ISA Web Proxy needs to know if you want to support
non-standard HTTPS ports.
Get http://www.isatools.org/ssl_tpr_add.vbs
Edit it to accommodate the ports you want
Run it on the ISA
Restart the Web Proxy service.

ta-daa...

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
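A way to confirm from a client which tunnel ports the web proxy accepts, before and after the change described above. This is an added example, not part of the original thread and not the isatools.org script; the function names are hypothetical, and the proxy and server addresses are the ones quoted later in the thread.

```python
import socket

def build_connect(host: str, port: int) -> bytes:
    """HTTP CONNECT request a browser sends to a web proxy to open an SSL tunnel."""
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")

def classify(raw: bytes) -> str:
    """Map the proxy's reply to the CONNECT into a troubleshooting verdict."""
    line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "not-http"            # empty read or a non-HTTP answer
    code = int(parts[1])
    if 200 <= code < 300:
        return "tunnel-allowed"      # proxy will relay TLS to this port
    if code == 407:
        return "proxy-auth-required"
    return "tunnel-refused"          # proxy policy or upstream failure; read the reason text

def probe(proxy, target, timeout=5.0):
    """Send one CONNECT through proxy (host, port) for target (host, port)."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_connect(*target))
        raw = b""
        # Read until the end of the response headers or a sane size limit.
        while b"\r\n\r\n" not in raw and len(raw) < 8192:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    status = raw.split(b"\r\n", 1)[0].decode("latin-1")
    return classify(raw), status

if __name__ == "__main__":
    # Addresses from the thread: proxy 192.168.100.1:8080, SSL site 192.168.100.12:37888.
    for port in (443, 37888):
        print(port, probe(("192.168.100.1", 8080), ("192.168.100.12", port)))
```

A refusal for 37888 next to an accepted tunnel for 443 points at the proxy's tunnel port policy rather than at the published server.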
----- Original Message ----- 
From: "Craft, Steve" <SCraft@xxxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, September 17, 2003 06:55
Subject: [isalist] RE: re : re RE: SSL High Port Publishing Issue




I solved the problem.  It turns out that my *client* was behind an ISA
server, and it was set as the web proxy for the client, and it was munging
the IP/port.  Not using the web proxy in IE (or using Netscrape) to go
direct to the HTTPS high-port site works fine.

-----Original Message-----
From: Craft, Steve
Sent: Friday, September 12, 2003 9:53 AM
To: '[ISAserver.org Discussion List]'
Subject: re : re RE: SSL High Port Publishing Issue




I just found something new.  Maybe you can get me on the right track with
this.

I am logged onto the server that runs the SSL IIS site (Win2K/SP4).  It is a
firewall client, SNAT client, and uses the ISA box as the proxy server.  I
stopped using IE.  I pulled out my copy of WFetch, and used these settings:
 Verb - GET
 Host - 192.168.100.12
 Port - 37888
 Ver - 1.1
 Auth - Basic
 User - auser
 Pass - xxxxx
 Conn - Https

When I clicked "connect" my log output shows a successful authentication and
some result HTML.

When I added the Proxy information to the WFetch parameters, I got this:

WWWConnect::Close("192.168.100.12","37888")\n
closed source port: 2448\r\n
Proxy: WWWConnect::Connect("192.168.100.1","8080")\n
0x80090308 (The token supplied to the function is invalid): [slib]:
InitializeSecurityContextFailed
to negotiate secure connection with 192.168.100.12 - port 37888

I looked in my IE settings on the ISA box and it was set to use itself as
the proxy.  I removed that entry.  I added 2 new ISA packet filters "ISA
HTTP" and "ISA HTTPS" to let it go out of ports 80 and 443 direct.

Then on the ISA, I used IE to go to "https://192.168.100.12:37888" and I can
connect successfully.

So part of the problem was the web proxying.

But I still can't use IE from an internet-based PC to "https:" to my
internal server on a high port.  Is there something special about SSL that
it requires secondary connections or something?  I have lots of SSH servers
behind ISA and I just server publish them and they work fine....






---orig
Subject: RE: SSL High Port Publishing Issue
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>

Hi Steve,

SAFETY TIP:
Test from external client only and NEVER, I repeat NEVER use the browser on
the firewall. If you need to use a browser on the firewall, run it from the
pix ;-)
