Re: HTTPS; SSL-Tunnel

From: David (NOSPAMDavidGerst_at_anti-spam.tempco.com)
Date: 06/02/04


Date: Wed, 2 Jun 2004 17:33:47 -0500

There clearly is a DNS problem... so, maybe I'm in the wrong place, maybe I'm
not.

My client PC NIC is configured as such:

    IP address by DHCP
        IP is an internal address on the internal network behind ISA
        Gateway is set to the ISA internal NIC
        DNS is set to the Win2003 server on the inside of the network.
                The DNS server uses forwarding to our ISP DNS for external addresses.

Gateway PC is configured as such:
    Internal NIC
        Static IP
        No Gateway
        DNS points to the internal Win2003 server

    External NIC
        Static IP
        Uses ISP gateway
        Uses ISP DNS servers

I should note that the client works perfectly fine with a majority of
websites. Anyways, I do have a few problematic HTTPS websites. When I
leave the client configured as described above using the DNS from DHCP... I
get the "page cannot be found" DNS error. When I change only the DNS to a
manually inputted static IP address using the ISP DNS servers rather than
our internal server, the problematic website works fine. It doesn't make
sense to me because using Nslookup I can resolve the problematic website I'm
going to by using the internal DNS server.

Any thoughts are greatly appreciated. Thanks in advance.

"Jim Harrison [MSFT]" <jmharr@online.microsoft.com> wrote in message
news:uWHe03MSEHA.2520@TK2MSFTNGP11.phx.gbl...
> Exactly how is IE configured?
> Those log entries show successful connections.
>
> ISA resolves names for browsers configured as web proxy clients, so if the
> browser is complaining about "DNS Failure", it's likely that it can't
> resolve the proxy name.
>
> --
> Jim Harrison [ISASE]
> Read the help, books and articles!
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "David" <NOSPAMDavidGerst@anti-spam.tempco.com> wrote in message
news:%23jJOtSLSEHA.808@tk2msftngp13.phx.gbl...
> This is what was in the log. The error that comes up in web browser is the
> Page Cannot Be Displayed, cannot find server or DNS Error. I'm thinking it
> must be a DNS error, but the DNS error probably has something to do with ISA
> blocking a DNS request?
>
> Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload Source Port Processing Time Bytes Sent Bytes Received Result Code Cache Info Error Info Log Record Type Log Time Client IP Destination Host IP Destination Port Protocol Action Rule Client Username Source Network Destination Network HTTP Method URL
> 0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) No Proxy GATEWAY peapps.milacron.com TCP Internet - - - - - - 0 0 8750 1490 0x3e3 0x0 0x808 Web Proxy Filter 6/2/2004 10:14:07 AM 172.16.0.113 192.67.157.135 443 SSL-tunnel OFT Website anonymous Internal External peapps.milacron.com:443
> 0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) No Proxy GATEWAY peapps.milacron.com TCP Internet - - - - - - 0 0 60989 10088 0x0 0x0 0x800 Web Proxy Filter 6/2/2004 10:14:27 AM 172.16.0.113 192.67.157.135 443 SSL-tunnel OFT Website anonymous Internal External peapps.milacron.com:443
> 0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) No Proxy GATEWAY peapps.milacron.com TCP Internet - - - - - - 0 0 201921 56750 0x0 0x0 0x800 Web Proxy Filter 6/2/2004 10:14:31 AM 172.16.0.113 192.67.157.135 443 SSL-tunnel OFT Website anonymous Internal External peapps.milacron.com:443
> 0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) No Proxy GATEWAY peapps.milacron.com TCP Internet - - - - - - 0 0 7410 73226 0x0 0x0 0x800 Web Proxy Filter 6/2/2004 10:14:33 AM 172.16.0.113 192.67.157.135 443 SSL-tunnel OFT Website anonymous Internal External peapps.milacron.com:443
> 0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) No Proxy GATEWAY peapps.milacron.com TCP Internet - - - - - - 0 0 1395 256 0x3e3 0x0 0x808 Web Proxy Filter 6/2/2004 10:13:56 AM 172.16.0.113 192.67.157.135 443 SSL-tunnel OFT Website anonymous Internal External peapps.milacron.com:443
> 0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) No Proxy GATEWAY peapps.milacron.com TCP Internet - - - - - - 0 0 150 49152 0x0 0x0 0x800 Web Proxy Filter 6/2/2004 10:14:35 AM 172.16.0.113 192.67.157.135 443 SSL-tunnel OFT Website anonymous Internal External peapps.milacron.com:443
>
>
>
> "Jim Harrison [MSFT]" <jmharr@online.microsoft.com> wrote in message
> news:u6qZLoDREHA.1276@TK2MSFTNGP11.phx.gbl...
> > What's in the ISA web proxy logs for those requests?
> >
> > --
> > Jim Harrison [ISASE]
> > Read the help, books and articles!
> >
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >
> > "David" <NOSPAMDavidGerst@anti-spam.tempco.com> wrote in message
> news:OdEx18BREHA.3140@tk2msftngp13.phx.gbl...
> > OK,
> >
> > I've even gone as far as giving carte blanche access to the site and it's
> > still a no go. All protocols, all users, from internal to all external. I
> > know it's not a problem with the site because I can run through a different
> > gateway that does not have ISA on it and it works fine. Now I'm really
> > baffled!
> >
> >
> >
> >
> > "Tony Su" <anonymous@discussions.microsoft.com> wrote in message
> > news:13a0201c44412$e50d2300$a001280a@phx.gbl...
> > > If you're accessing remote SSL sites using the standard
> > > port (443), you shouldn't be running into any special
> > > problems.
> > >
> > > If you're accessing an SSL site using a non-default port,
> > >
> > > http://support.microsoft.com/default.aspx?scid=kb;en-us;283284
> > >
> > > Tony Su
> > >
> > >
> > >
> > >
> > >
> > > >-----Original Message-----
> > > >Hi,
> > > >
> > > >I'm relatively new to this, so here goes...
> > > >
> > > >
> > > >I have ISA server setup to block all web traffic by default and I'm making
> > > >rules to allow traffic. This is working great for the HTTP protocol. The
> > > >problem I am running into is for HTTPS sites. Even though I have a rule
> > > >saying allow userx to go from the internal network using the HTTPS protocol
> > > >to destination setX, for some reason it's just not working. What am I
> > > >missing? I also see in the log files that it's using SSL-Tunnel.
> > > >
> > > >thanks!
> > > >
> > > >- david
> > > >
> > > >
> > > >.
> > > >
> >
> >
> >
>
>
>


