The problem is that the ISA Web Proxy needs to know if you want to support non-standard HTTPS ports.

Get http://www.isatools.org/ssl_tpr_add.vbs
Edit it to accommodate the ports you want
Run it on the ISA
Restart the Web Proxy service.

ta-daa...

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "Craft, Steve" <SCraft@xxxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, September 17, 2003 06:55
Subject: [isalist] RE: re : re RE: SSL High Port Publishing Issue

http://www.ISAserver.org

I solved the problem. It turns out that my *client* was behind an ISA server, and it was set as the web proxy for the client, and it was munging the IP/port. Not using the web proxy in IE (or using Netscrape) to go direct to the HTTPS high-port site works fine.

-----Original Message-----
From: Craft, Steve
Sent: Friday, September 12, 2003 9:53 AM
To: '[ISAserver.org Discussion List]'
Subject: re : re RE: SSL High Port Publishing Issue

I just found something new. Maybe you can get me on the right track with this.

I am logged onto the server that runs the SSL IIS site (Win2K/SP4). It is a firewall client, SNAT client, and uses the ISA box as the proxy server.

I stopped using IE. I pulled out my copy of WFetch, and used these settings:

    Verb - GET
    Host - 192.168.100.12
    Port - 37888
    Ver  - 1.1
    Auth - Basic
    User - auser
    Pass - xxxxx
    Conn - Https

When I clicked "connect" my log output shows a successful authentication and some result HTML.

When I added the Proxy information to the WFetch parameters, I got this:

    WWWConnect::Close("192.168.100.12","37888")\n
    closed source port: 2448\r\n
    Proxy: WWWConnect::Connect("192.168.100.1","8080")\n
    0x80090308 (The token supplied to the function is invalid): [slib]: InitializeSecurityContext
    Failed to negotiate secure connection with 192.168.100.12 - port 37888

I looked in my IE settings on the ISA box and it was set to use itself as the proxy. I removed that entry. I added 2 new ISA packet filters "ISA HTTP" and "ISA HTTPS" to let it go out of ports 80 and 443 direct.

Then on the ISA, I used IE to go to "https://192.168.100.12:37888" and I can connect successfully.

So part of the problem was the web proxying. But I still can't use IE from an internet-based PC to "https:" to my internal server on a high port.

Is there something special about SSL that it requires secondary connections or something? I have lots of SSH servers behind ISA and I just server publish them and they work fine....

---orig
Subject: RE: SSL High Port Publishing Issue
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>

Hi Steve,

SAFETY TIP: Test from external client only and NEVER, I repeat NEVER use the browser on the firewall. If you need to use a browser on the firewall, run it from the pix ;-)
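
Added illustration, not part of the original thread and not the contents of ssl_tpr_add.vbs: a minimal Python model of the check discussed above, where a web proxy decides by destination port whether to tunnel an HTTPS CONNECT request. The host and port come from the thread; the starting range list (443 and 563) and every function name are assumptions made for this sketch.

```python
import re

# Assumed starting policy for this sketch: only these ports may be tunnelled.
DEFAULT_TUNNEL_RANGES = [(443, 443), (563, 563)]

_CONNECT_RE = re.compile(r"^CONNECT\s+(\S+):(\d{1,5})\s+HTTP/1\.[01]$")


def parse_connect(request_line):
    """Return (host, port) from a CONNECT request line, or None if malformed."""
    m = _CONNECT_RE.match(request_line.strip())
    if not m:
        return None
    host, port = m.group(1), int(m.group(2))
    if not 1 <= port <= 65535:
        return None
    return host, port


def tunnel_decision(request_line, ranges):
    """Return (allowed, reason) for a CONNECT request under the given ranges."""
    target = parse_connect(request_line)
    if target is None:
        return False, "malformed CONNECT request"
    host, port = target
    for low, high in ranges:
        if low <= port <= high:
            return True, f"tunnel to {host}:{port} permitted by range {low}-{high}"
    return False, f"port {port} is outside every tunnel port range"


def add_range(ranges, low, high):
    """Return a new range list with low-high added; keep it as narrow as possible."""
    if not 1 <= low <= high <= 65535:
        raise ValueError("invalid port range")
    return ranges + [(low, high)]


if __name__ == "__main__":
    # Constructed request line using the internal host and high port from the thread.
    req = "CONNECT 192.168.100.12:37888 HTTP/1.1"
    print(tunnel_decision(req, DEFAULT_TUNNEL_RANGES))
    # Widen the policy by exactly one port rather than a broad high-port range.
    widened = add_range(DEFAULT_TUNNEL_RANGES, 37888, 37888)
    print(tunnel_decision(req, widened))
```

Adding a single-port range rather than a wide span keeps the proxy from becoming a general-purpose tunnel to arbitrary ports.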