One of my co-workers is suffering some ISA woes. A vendor has a
ticketing program that starts with http traffic and slips to secure
transactions using port 8081. Yes, the vendor chose to not use normal
ports. At the server it seems to work when you turn off the firewall
but does not work when ISA is fully functional. I wonder if the
packets start out leaving behind the firewall as port 80 traffic but
they try to send things back on another port so it gets rejected. I am
more than a bit experienced with this kind of ISA so I am open to ideas
and education. Workstations do not work even though the firewall
client is loaded. Well, I am assuming the firewall client is loaded.

Jim B.

Re: Weird port for SSL by Susan

Susan
Wed Jul 09 22:11:34 CDT 2003

You should be able to open up the raw ISA log files and see the traffic
that is blocked/allowed.... then just poke a static hole if it needs
one....

jimbehning@mindspring.com wrote:

> One of my co-workers is suffering some ISA woes. A vendor has a
> ticketing program that starts with http traffic and slips to secure
> transactions using port 8081. Yes, the vendor chose to not use normal
> ports. At the server it seems to work when you turn off the firewall
> but does not work when ISA is fully functional. I wonder if the
> packets start out leaving behind the firewall as port 80 traffic but
> they try to send things back on another port so it gets rejected. I am
> more than a bit experienced with this kind of ISA so I am open to ideas
> and education. Workstations do not work even though the firewall
> client is loaded. Well, I am assuming the firewall client is loaded.
>
> Jim B.
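
Susan's suggestion above (read the raw logs and find what is blocked) can be scripted. This is an added example, not part of any post in the thread: it parses W3C extended-format log text and lists the destination ports for one host where no request succeeded. The host names, addresses, field subset and status values in the sample are constructed, and treating 2xx/3xx as success is an assumption.

```python
from collections import Counter, defaultdict

# Constructed sample in W3C extended log format (tab-separated records
# under a #Fields directive). Host, addresses, field selection and status
# values are illustrative assumptions, not lines from a real ISA log.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: c-ip\tr-host\tr-port\ts-operation\tsc-status",
    "192.168.16.20\ttickets.vendor.example\t80\tGET\t200",
    "192.168.16.20\ttickets.vendor.example\t80\tGET\t200",
    "192.168.16.20\ttickets.vendor.example\t8081\tCONNECT\t502",
    "192.168.16.21\ttickets.vendor.example\t8081\tCONNECT\t502",
    "192.168.16.21\twww.other.example\t443\tCONNECT\t200",
    "192.168.16.21\ttickets.vendor.example\t-\t-\t-",   # no port logged
    "192.168.16.20\ttickets.vendor.exa",                 # truncated record
])


def parse_w3c(text):
    """Yield one dict per record, keyed by the latest #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split("\t")
            if len(values) == len(fields):   # drop truncated records
                yield dict(zip(fields, values))


def status_by_port(text, host):
    """Count status codes per destination port for one destination host."""
    summary = defaultdict(Counter)
    for rec in parse_w3c(text):
        if rec.get("r-host") == host and rec.get("r-port", "").isdigit():
            summary[int(rec["r-port"])][rec.get("sc-status", "-")] += 1
    return {port: dict(codes) for port, codes in summary.items()}


def failing_ports(text, host):
    """Ports on host where no logged request ended with a 2xx/3xx status."""
    def ok(code):
        return code.isdigit() and 200 <= int(code) < 400
    return sorted(port for port, codes in status_by_port(text, host).items()
                  if not any(ok(code) for code in codes))
```

A port that shows up in `failing_ports` while port 80 to the same host succeeds is the one to check against the firewall's protocol rules before opening anything wider.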


Re: Weird port for SSL by Sam

Sam
Thu Jul 10 05:10:58 CDT 2003

Hi Jim,

I'm afraid Susan's answer is a bit short...

I had the same with an SSL site I had to configure on a
different port because of a lack of IP numbers.

I created a protocol definition in policy elements for
inbound TCP port 444 (in my case) and an outbound TCP port
444 protocol definition.

It is very important that your clients are firewall
clients, since otherwise they might be accessing the web
via anonymous access or proxy and the protocol definition
is not used: those PCs will not be able to see the site.

Pls check Chad's article on the client configuration in
smallbizserver.net or the articles on isaserver.org

Good luck,
Sam
>-----Original Message-----
>You should be able to open up the raw ISA log files and see the traffic
>that is blocked/allowed.... then just poke a static hole if it needs
>one....
>
>jimbehning@mindspring.com wrote:
>
>> One of my co-workers is suffering some ISA woes. A vendor has a
>> ticketing program that starts with http traffic and slips to secure
>> transactions using port 8081. Yes, the vendor chose to not use normal
>> ports. At the server it seems to work when you turn off the firewall
>> but does not work when ISA is fully functional. I wonder if the
>> packets start out leaving behind the firewall as port 80 traffic but
>> they try to send things back on another port so it gets rejected. I am
>> more than a bit experienced with this kind of ISA so I am open to ideas
>> and education. Workstations do not work even though the firewall
>> client is loaded. Well, I am assuming the firewall client is loaded.
>>
>> Jim B.
>
>.
>

Re: Weird port for SSL by jimbehning

jimbehning
Thu Jul 10 06:47:22 CDT 2003

We shall try both suggestions today and post back results.

"Sam" <sam@grupoamengual.com> wrote:

>Hi Jim,
>
>I'm afraid Susan's answer is a bit short...
>
>I had the same with an SSL site I had to configure on a
>different port because of a lack of IP numbers.
>
>I created a protocol definition in policy elements for
>inbound TCP port 444 (in my case) and an outbound TCP port
>444 protocol definition.
>
>It is very important that your clients are firewall
>clients, since otherwise they might be accessing the web
>via anonymous access or proxy and the protocol definition
>is not used: those PCs will not be able to see the site.
>
>Pls check Chad's article on the client configuration in
>smallbizserver.net or the articles on isaserver.org
>
>Good luck,
>Sam
>>-----Original Message-----
>>You should be able to open up the raw ISA log files and see the traffic
>>that is blocked/allowed.... then just poke a static hole if it needs
>>one....
>>
>>jimbehning@mindspring.com wrote:
>>
>>> One of my co-workers is suffering some ISA woes. A vendor has a
>>> ticketing program that starts with http traffic and slips to secure
>>> transactions using port 8081. Yes, the vendor chose to not use normal
>>> ports. At the server it seems to work when you turn off the firewall
>>> but does not work when ISA is fully functional. I wonder if the
>>> packets start out leaving behind the firewall as port 80 traffic but
>>> they try to send things back on another port so it gets rejected. I am
>>> more than a bit experienced with this kind of ISA so I am open to ideas
>>> and education. Workstations do not work even though the firewall
>>> client is loaded. Well, I am assuming the firewall client is loaded.
>>>
>>> Jim B.
>>
>>.
>>


Jim B.

Re: Weird port for SSL by dabutleronline

dabutleronline
Thu Jul 10 12:44:24 CDT 2003

Hi Jim,

Thank you for using Microsoft Technical Support Newsgroups.

You'll need to add a non-standard SSL port range to the registry. Follow
this article to do so:

283284 Page Cannot Be Displayed When You View SSL Sites Through ISA
http://support.microsoft.com/?id=283284

Be sure to use the VBScript listed in the article, just modify it with your
appropriate port range.

Once again, thank you for using the newsgroups.

Best Regards,



David Butler - MCSE NT4/2000
Microsoft Technical Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties,
and confers no rights.



Re: Weird port for SSL by jimbehning

jimbehning
Thu Jul 10 20:28:31 CDT 2003

That is what my co-worker found yesterday and implemented.

dabutleronline@microsoft.com (David Butler [MS]) wrote:

>Hi Jim,
>
>Thank you for using Microsoft Technical Support Newsgroups.
>
>You'll need to add a non-standard SSL port range to the registry. Follow
>this article to do so:
>
> 283284 Page Cannot Be Displayed When You View SSL Sites Through ISA
> http://support.microsoft.com/?id=283284
>
>Be sure to use the VBScript listed in the article, just modify it with your
>appropriate port range.
>
>Once again, thank you for using the newsgroups.
>
>Best Regards,
>
>
>
>David Butler - MCSE NT4/2000
>Microsoft Technical Support
>
>Get Secure! - www.microsoft.com/security
>
>=====================================================
>When responding to posts, please "Reply to Group" via
>your newsreader so that others may learn and benefit
>from your issue.
>=====================================================
>This posting is provided "AS IS" with no warranties,
>and confers no rights.
>


Jim B.