Another Possible Solution for Connection Problems to SSL Sites

We get a fair number of people asking about problems with connecting to SSL sites. In most cases, these problems are related to:

  • The SSL site was configured to listen on a non-standard port
  • Connection limits are exceeded, because each element is a separate session when using SSL
  • Access rules are configured to allow paths to a specific SSL site, but not to the root. The ISA Firewall can’t see the paths in an outbound SSL tunnel, so if you don’t allow access to the entire site, then all connections to the SSL site are denied
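
The path-visibility point above, modeled as an added example (this is not ISA Firewall code and not part of the original post). The host name, the sample request lines and the `rule_allows` rule model are constructed for illustration, and the `tunnel_ports` default of 443 is an assumption of the model:

```python
from urllib.parse import urlsplit

# Constructed sample request lines, as a forward proxy receives them from a Web proxy client.
SAMPLE_REQUESTS = [
    "GET http://shop.example.com/secure/login HTTP/1.1",  # plain HTTP: full URL is visible
    "CONNECT shop.example.com:443 HTTP/1.1",              # SSL tunnel: host and port only
    "CONNECT shop.example.com:8443 HTTP/1.1",             # SSL site on a non-standard port
]

def visible_to_proxy(request_line):
    """Return (host, port, path) the proxy can evaluate; path is None inside a tunnel."""
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        # The URL path travels encrypted inside the tunnel; the proxy never sees it.
        host, _, port = target.rpartition(":")
        return host, int(port), None
    url = urlsplit(target)
    port = url.port or (443 if url.scheme == "https" else 80)
    return url.hostname, port, url.path or "/"

def rule_allows(request_line, allowed_host, allowed_path_prefix=None, tunnel_ports=(443,)):
    """Hypothetical allow rule: host match, optional path prefix, permitted tunnel ports."""
    host, port, path = visible_to_proxy(request_line)
    if host != allowed_host:
        return False
    if path is None:
        # No path to compare, so a path-restricted rule can never match a tunnel.
        return allowed_path_prefix is None and port in tunnel_ports
    return allowed_path_prefix is None or path.startswith(allowed_path_prefix)

def evaluate(allowed_path_prefix):
    """Apply the rule to every sample request and return the allow/deny results."""
    return [rule_allows(r, "shop.example.com", allowed_path_prefix) for r in SAMPLE_REQUESTS]

if __name__ == "__main__":
    print("path-restricted rule:", evaluate("/secure/"))
    print("whole-site rule:     ", evaluate(None))
```

The path-restricted rule matches only the plain HTTP request; the whole-site rule also admits the tunnel on 443, while the tunnel to port 8443 is still refused in this model.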

However, there might be another problem if you haven’t updated your ISA Firewall. These days, there’s no reason not to keep your ISA Firewall updated, as ISA Firewall updates are part of the Microsoft Update option. This is a great security advantage over “hardware” firewalls or Blue Coat proxies, where you have to remember to update the firewall or proxy yourself and hope you don’t get nailed before the non-ISA Firewall device is updated.

If you haven’t updated your ISA Firewall, you might have problems with SSL sites if:

  • The ISA Firewall software isn’t completely up to date
  • The client is configured as a Web proxy client
  • The ISA Firewall’s Web listener is configured to use integrated authentication
  • The Web proxy client hasn’t been configured to use HTTP 1.1 (you should always configure your Web proxy clients to use HTTP 1.1)

Updating the ISA Firewall will stop the problem. For more information check out the KB article at http://support.microsoft.com/kb/923766/en-us

HTH,

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org

Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7

Email: tshinder@isaserver.org

MVP — Microsoft Firewalls (ISA)

15 Responses to “Another Possible Solution for Connection Problems to SSL Sites”

  1. Satya Says:

    November 28th, 2006 at 3:34 pm

    Hi Thomas, I am very impressed with your knowledge articles. I need your help to solve my problem.
    We have ISA 2004 SP2 firewalls running on Windows 2003.
    We have configured ISA firewall on single NIC card server and it is running fine. Now I want to configure one more ISA server with identical configuration which is also in same domain and network subnet.

    I tried following steps

    1) Right-click the name of the ISA01 Server computer, and click Back Up. Chose Export user permission settings and Export confidential information while backup.

    2) Opened backup .xml file and replaced the ISA01 server name with ISA02 server name.

    3) Right-click the name of the ISA02 Server computer, and click Restore and selected overwrite and imported successfully.

    All firewall services started but I got following configuration errors. Can you pls advise me if I followed correct procedure.

    Thanks in advance.

    Satya.

    Error is:

    Microsoft Firewall encountered a failure. The failure occurred during reading of logging configuration because the configuration property msFPCLogFileDirectory of key SOFTWARE\Microsoft\Fpc\Storage\EffecTree2\Array-Root\Arrays\{D8F76304-0CCA-4A8C-A6BA-3150A28833C6}\Logs\Proxy-WSP is not valid. Use the source location 5.826.4.0.3443.594 to report the failure.

  2. tjcarst Says:

    December 5th, 2006 at 1:30 pm

    Open the registry key in question and edit the msFPCLogFileDirectory to reflect where you want to store the logs. If your configs were not identical in drive letters and paths, you will see this error. I put my logs on my D: drive under ISALogs. So the DWORD value in my msFPCLogFileDirectory key is D:\ISALogs.

  3. Thomas Shinder Says:

    December 5th, 2006 at 1:33 pm

    Hi TJ,

    Thanks for the tip!

    Tom

  4. tjcarst Says:

    December 5th, 2006 at 2:09 pm

    I forgot to mention, you access this setting under Monitoring, Logging, Configure Logging, Options, and either ISALogs folder (in the ISA installation folder) OR This folder (specify your location).

  5. Satya Says:

    December 8th, 2006 at 2:00 pm

    Thanks TJ,

    But I already followed a different procedure like copying firewall, network, users and computers rules individually from source to target server. It looks both server are now identical. But I am not sure this way we can make clone servers.

    I am still looking for the correct procedure to clone ISA 2004 servers which are in same domain and subnet (not belongs to same array and not sharing storage).

    Thanks.

  6. D4 Says:

    December 19th, 2006 at 1:17 pm

    If only it was that easy, we get sporadic SSL 502 errors from sites our people have visited successfully numerous times. We redirected some users to a second ISA 2004 box and it worked and then it didn’t… We even upgraded one box to ISA 2006 and still it is unpredictable… could be good for days and then suddenly the 502 shows up again.

  7. Athif Says:

    July 18th, 2007 at 7:00 am

    Hi,
    I am using webproxy client with ISA 2006 and trying to access any SSL site but the request is denied with the following message;

    Network Access Message: The page cannot be displayed

    Technical Information (for Support personnel)
    Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
    IP Address: 10.16.17.140
    Date: 7/18/2007 12:56:50 PM [GMT]
    Server: ISA01-MN.sadad.com
    Source: proxy

    The same works on another ISA 2006 server. Any ideas??

    TIA.

  8. Tom Shinder Says:

    July 18th, 2007 at 7:02 am

    Check what rule blocked the connection.

    HTH,
    Tom

  9. Athif Says:

    July 18th, 2007 at 11:21 am

    Default Enterprise Rule.

  10. Athif Says:

    July 21st, 2007 at 1:17 am

    Any idea??

  11. Athif Says:

    July 22nd, 2007 at 10:20 am

    Somehow it works on another ISA06 server…is there any specific configuration?!!

  12. Tom Shinder Says:

    July 22nd, 2007 at 11:53 am

    What site is being blocked?

  13. Athif Says:

    July 23rd, 2007 at 11:05 pm

    Other SSL sites work fine except the exchange OWA Webmail Server.

  14. PaulS Says:

    July 31st, 2007 at 3:55 am

    Hi, I have a similar problem but with ISA 2006. I have had to recently rebuild my ISA 2006 server. I am using it for reverse proxy.

    I have started to get the following error after setting up logging:
    Microsoft Firewall encountered a failure. The failure occurred during reading of logging configuration because the configuration property msFPCLogFileDirectory of key SOFTWARE\Microsoft\Fpc\Storage\EffecTree1\Array-Root\Arrays\{4E14425E-260F-412C-B02B-805ED30BE332}\Logs\Proxy-WSP is not valid. Use the source location 5.875.5.0.5720.100 to report the failure. The error description is: Access is denied.

    When I check the registry for the key mentioned I find it in another location. Why would this happen and how can I resolve it?

    regards
    Paul

  15. prasoon Says:

    August 14th, 2007 at 5:19 am

    Hi,

    I am using ISA Ent 2006 server as proxy and firewall.

    Web site like www.cnn.com, www.yahoo.com images not displaying correctly.

    I enabled traffic only http, https, sql, smtp, pop3.
