
I have a user who is attempting to access a secure area on his college's website from our network. The website is the following:

https://admin9.rowan.edu:44300

Unfortunately, whenever he attempts to access the page, he gets the following error message:

  Quote
Network Access Message: The page cannot be displayed

Technical Information (for Support personnel)

• Error Code: 502 Proxy Error. The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests. (12204)

• IP Address: 192.168.1.1

• Date: 8/8/2007 8:55:36 PM

• Server: ------------------------ (Masked for protection)

• Source: proxy

I was looking around ISA, and I found the section that lists all protocols. I did not see any for SSL, whether it's 443 or 44300. I attempted to add this protocol so it would be allowed, and unfortunately that did not work.

Can someone help me add this so the user can get to the website? Monitoring his connection does not reveal any blocked or denied messages, just says failed connection. He can continue to access the website from home which leads me to believe that there are no problems being experienced with that particular domain.

Thanks!


  TurboTuna said:
SSL should be listed in the protocols. Go to Edit and then add the corresponding port into the ports section.

I don't have ISA to hand atm, so my answer is very rough.

Tuna,

I have discovered that while SSL is not listed in the protocol section, everything I need is contained under HTTPS. Unfortunately, it appears that even while logged in as the administrator, when I attempt to edit a stock protocol on ISA, it does not allow me. The options to Add, or even edit existing ports on a protocol are greyed out. They only become visible when I create a new protocol. I've already attempted to access a new rule granting all outbound access being used on port 44300, and that still fails.

Original Client IP	Client Agent	Authenticated Client	Service	Server Name	Referring Server	Destination Host Name	Transport	MIME Type	Object Source	Source Proxy	Destination Proxy	Bidirectional	Client Host Name	Filter Information	Network Interface	Raw IP Header	Raw Payload	Source Port	Processing Time	Bytes Sent	Bytes Received	Result Code	HTTP Status Code	Cache Information	Error Information	Log Record Type	Log Time	Client IP	Destination IP	Destination Port	Protocol	Action	Rule	Client Username	Source Network	Destination Network	HTTP Method	URL
0.0.0.0	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)	No	Proxy	TWP-ISA		admin9.rowan.edu	TCP			-	-		-		-	-	-	0	1	1168	228		12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy service is denied. 	0x0	0x0	Web Proxy Filter	8/16/2007 11:59:37 AM	192.168.1.1	192.168.1.1	44300	SSL-tunnel	Denied Connection		anonymous			CONNECT	
0.0.0.0	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)	No	Proxy	TWP-ISA		admin9.rowan.edu	TCP			-	-		-		-	-	-	0	1	548	332		5 	0x0	0x0	Web Proxy Filter	8/16/2007 11:59:37 AM	192.168.1.1	192.168.1.1	44300	SSL-tunnel	Failed Connection Attempt		anonymous			CONNECT	
0.0.0.0	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)	Yes	Proxy	TWP-ISA		admin9.rowan.edu	TCP		Internet	-	-		-		-	-	-	0	0	1135	0		12204 The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests. 	0x0	0x80	Web Proxy Filter	8/16/2007 11:59:37 AM	192.168.1.1	192.168.1.1	44300	SSL-tunnel	Failed Connection Attempt		DEPTFORD\Administrator				admin9.rowan.edu:44300
0.0.0.0	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)	Yes	Proxy	TWP-ISA		admin9.rowan.edu	TCP		Internet	-	-		-		-	-	-	0	0	1135	0		12204 The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests. 	0x0	0x80	Web Proxy Filter	8/16/2007 11:59:37 AM	192.168.1.1	192.168.1.1	44300	SSL-tunnel	Failed Connection Attempt		DEPTFORD\Administrator				admin9.rowan.edu:44300
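A way to triage Web Proxy log records like the ones above, as an added example that is not part of the original thread: it separates the routine 12209 authentication challenge from the 12204 tunnel-port rejection and lists the narrowest port ranges that would clear the rejections. The reduced column set, the sample rows, the function names, and the default tunnel ports (443 and 563) are assumptions made for this sketch.

```python
import csv
import io
from collections import Counter

# Assumption: a default ISA Server Web Proxy tunnels CONNECT only to 443 and 563.
DEFAULT_TUNNEL_RANGES = [(443, 443), (563, 563)]

# Constructed sample: a reduced subset of the columns in the export above,
# with values modelled on its rows plus one allowed request for contrast.
HEADER = ("Log Time", "Destination Host Name", "Destination Port", "Protocol",
          "Action", "Client Username", "Error Information")
ROWS = [
    ("8/16/2007 11:59:37 AM", "admin9.rowan.edu", "44300", "SSL-tunnel",
     "Denied Connection", "anonymous",
     "12209 The ISA Server requires authorization to fulfill the request."),
    ("8/16/2007 11:59:37 AM", "admin9.rowan.edu", "44300", "SSL-tunnel",
     "Failed Connection Attempt", "anonymous", "5"),
    ("8/16/2007 11:59:37 AM", "admin9.rowan.edu", "44300", "SSL-tunnel",
     "Failed Connection Attempt", "DEPTFORD\\Administrator",
     "12204 The specified Secure Sockets Layer (SSL) port is not allowed."),
    ("8/16/2007 11:59:37 AM", "admin9.rowan.edu", "44300", "SSL-tunnel",
     "Failed Connection Attempt", "DEPTFORD\\Administrator",
     "12204 The specified Secure Sockets Layer (SSL) port is not allowed."),
    ("8/16/2007 12:01:02 PM", "www.example.com", "443", "SSL-tunnel",
     "Allowed Connection", "EXAMPLE\\user", ""),
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in [HEADER] + ROWS)

def port_allowed(port, ranges):
    """True if the port falls inside any (low, high) tunnel port range."""
    return any(low <= port <= high for low, high in ranges)

def triage(log_text, ranges=DEFAULT_TUNNEL_RANGES):
    """Count 12204 rejections per (host, port) outside the tunnel ranges."""
    blocked = Counter()
    for rec in csv.DictReader(io.StringIO(log_text), delimiter="\t"):
        if rec["Protocol"] != "SSL-tunnel":
            continue
        code = rec["Error Information"].split(" ", 1)[0]
        port = int(rec["Destination Port"])
        # 12209 is the proxy asking for credentials; the browser retries
        # authenticated, so only 12204 points at the tunnel port range.
        if code == "12204" and not port_allowed(port, ranges):
            blocked[(rec["Destination Host Name"], port)] += 1
    return blocked

def suggested_ranges(blocked):
    """Narrowest change: one single-port range per rejected port."""
    return sorted({(port, port) for _, port in blocked})
```

Adding only the single-port range that `suggested_ranges` returns keeps CONNECT tunnelling closed for every other non-standard port.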

It always seems to be edu's that do crap like this - for no reason I can think of other than their sites are put together by students most of the time! Or people that have no real world exp..

Not everyone is allowed unfiltered access to every single outbound port, many many companies, schools, internet cafes, etc.. can and do block/filter non standard port ranges.. ie we only allow http, https, ftp -- and then a few specific ports to specific IP ranges, etc.. So if you want to ensure that everyone can access your website -- run it on the STANDARD freaking ports! ;)

I have run into issues quite a bit with lame-ass school sites running on non standard ports.. So I feel your pain! Here is how you allow for other SSL tunnel ports by setting the FPCTunnelPortRange object

http://www.microsoft.com/technet/isa/2004/...unnelports.mspx

Managing Tunnel Port Ranges

Also this KB directly states the issue you're having;

http://support.microsoft.com/kb/283284

Blank page or page cannot be displayed when you view SSL sites through ISA Server

When you view a trace from a client behind ISA Server that points to Web Proxy, the following error message may appear:

HTTP/1.1 502 Proxy Error (The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests.)

But to be honest if this was not DIRECTLY work related - I would suggest the user access this non work related site on their own time, from their own internet connection ;)


Hehe thanks Bud. Unfortunately while I agree with you, this user is also the boss, so it has to work!!!

Per other suggestions, I began looking for a script that can change the range of the SSL port or add another port that manages it. Unfortunately I began to run into some problems, when I found a GUI version of the script that does this. The script itself is isa_tpr.js, which can be downloaded from isatools.org. Unfortunately the GUI version would always crash, and would actually take out internet accessibility for all of the users.

Added the port, didn't work... and people lost internet. Took the port back out, internet went down again and wouldn't come back up. I restarted the server. Sure enough, without having the port added in there, now I only have a rule that says 44300 is accessible with everything else, users are able to access the site now... go figure. I'm not sure what really fixed the problem besides the restart, just one of those things that I guess I got lucky on!
