Extending the ISA Firewall’s SSL Tunnel Port Range (2004)
by Thomas W Shinder MD, MVP
Discuss this article at http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=34;t=000081
The ISA firewall is both a network firewall and a Web Proxy server. Its firewall components perform stateful filtering (stateful packet inspection) and stateful application layer inspection. Its Web Proxy components allow it to act as a CERN compliant HTTP 1.1 Web Proxy server. The Web Proxy components (implemented as a Web Filter in the 2004 ISA firewall) completely deconstruct HTTP communications to perform stateful application layer inspection and then reconstruct them before forwarding the connections to the destination Web server.
However, SSL connections between a host on an ISA firewall Protected Network and an Internet Web server work a bit differently. When a host on an ISA firewall Protected Network sends an SSL request through the ISA firewall’s Web Proxy component, the ISA firewall can inspect the destination host name (or IP address) and port in the request and allow or deny the connection on that basis. However, once the SSL link is established between the host on the ISA firewall Protected Network and the Internet Web server, the ISA firewall can no longer inspect the contents of the communication, because they are encrypted in an SSL tunnel between the client and the Web server.
The SSL tunneling process between the Web client on an ISA firewall Protected Network and the destination Web server works as follows:
- A Web client on an ISA Firewall Protected Network requests an SSL object from a Web server on the Internet when the user enters an https:// URL in the Address bar of the Web browser.
- When the user sends the request, the browser sends the following to TCP port 8080 on the ISA firewall (the port on which the Web listener accepts outbound Web Proxy connections):
CONNECT URL_name:443 HTTP/1.1
- The ISA firewall connects to the destination Web server on port 443.
- When the connection is established, ISA firewall returns to the Web client:
HTTP/1.0 200 connection established
From that point on, the client communicates directly with the external Web server (the SSL handshake and everything after it pass through the tunnel as opaque bytes), and the communications are no longer mediated by the Web Proxy component of the ISA firewall. The ISA firewall therefore cannot perform stateful application layer inspection on the commands and data inside the SSL tunnel.
This all works fine and automatically when the ISA firewall connects to SSL sites using the standard SSL port – TCP 443. However, there will be times when your Web Proxy clients need to connect to SSL Web sites using an alternate port.
For example, Web Proxy client users might try to access a banking Web site that requires an SSL connection on TCP port 4433 instead of the default port 443. This can also be problematic for SecureNAT and Firewall clients, since the default setting on the ISA firewall is to forward SecureNAT and Firewall client HTTP connections to the Web Proxy filter. Clients will see either a blank page or an error page indicating that the page cannot be displayed.
The problem here is that the Web Proxy filter only tunnels SSL (CONNECT) requests to ports in its tunnel port range, which by default contains only TCP 443 (and TCP 563 for NNTP over SSL). If clients try to connect to an SSL site over a port outside that range, the connection attempt fails. You can solve this problem by extending the SSL tunnel port range. To do so, you will need to download Jim Harrison’s script and enter the tunnel port range(s) you want the ISA firewall’s Web Proxy component to use.
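The tunneling decision described above, as an added example (not ISA code and not part of the original article): a small Python model of the Web Proxy’s CONNECT handling that accepts a tunnel only when the requested port falls inside a named tunnel port range. The default ranges (SSL 443 and NNTP 563), the bank host name, and the `dial` callback that stands in for the proxy’s outbound TCP connect are all constructed for the example; the 502 text is modelled on the “SSL port is not allowed” error ISA returns, not copied from it.

```python
import re
from typing import Callable, Dict, Optional, Tuple

# Tunnel port ranges keyed by name, the way the ISA firewall stores them (name -> low, high).
# These two entries are the ISA 2004 defaults that the article's script prints: NNTP and SSL.
DEFAULT_TUNNEL_RANGES: Dict[str, Tuple[int, int]] = {
    "NNTP": (563, 563),
    "SSL": (443, 443),
}

# A CONNECT request-target is host:port; the host may also be a bracketed IPv6 literal.
_CONNECT_RE = re.compile(
    r"^CONNECT\s+(?P<host>\[[0-9A-Fa-f:.]+\]|[^\s:/]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]\s*$"
)


def parse_connect(request_line: str) -> Tuple[str, int]:
    """Return (host, port) from a CONNECT request line, or raise ValueError."""
    m = _CONNECT_RE.match(request_line)
    if m is None:
        raise ValueError(f"not a CONNECT request: {request_line!r}")
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return m.group("host"), port


def port_in_tunnel_range(port: int, ranges: Dict[str, Tuple[int, int]]) -> bool:
    """True if any configured range covers the port."""
    return any(low <= port <= high for low, high in ranges.values())


def add_tunnel_range(ranges: Dict[str, Tuple[int, int]], name: str,
                     low: int, high: Optional[int] = None) -> Dict[str, Tuple[int, int]]:
    """Model of 'isa_tpr.js /add <name> <port>': return a copy of the ranges with one more
    named entry (a single port when high is omitted). Names must be non-empty and unique."""
    high = low if high is None else high
    if not name or name in ranges:
        raise ValueError(f"range name must be non-empty and unique: {name!r}")
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port range {low}-{high}")
    extended = dict(ranges)
    extended[name] = (low, high)
    return extended


def handle_connect(request_line: str, ranges: Dict[str, Tuple[int, int]],
                   dial: Callable[[str, int], bool]) -> str:
    """Proxy-side decision for one CONNECT request; returns the status line sent to the client.
    `dial` stands in for the outbound TCP connect the proxy makes to host:port."""
    try:
        host, port = parse_connect(request_line)
    except ValueError:
        return "HTTP/1.1 400 Bad Request"
    if not port_in_tunnel_range(port, ranges):
        # Port not in the tunnel port range: the browser shows "page cannot be displayed".
        return "HTTP/1.0 502 Proxy Error (SSL port not allowed)"
    if not dial(host, port):
        return "HTTP/1.0 502 Proxy Error (unable to connect)"
    # From here the proxy only relays bytes in both directions and cannot inspect them.
    return "HTTP/1.0 200 connection established"


def reachable(host: str, port: int) -> bool:
    """Constructed stand-in for a destination server that always accepts the connection."""
    return True


def demo() -> Tuple[str, str]:
    """Constructed scenario: a banking site on TCP 4433 before and after extending the range."""
    request = "CONNECT bank.example.net:4433 HTTP/1.1"
    before = handle_connect(request, DEFAULT_TUNNEL_RANGES, reachable)
    extended = add_tunnel_range(DEFAULT_TUNNEL_RANGES, "Ext4433", 4433)
    after = handle_connect(request, extended, reachable)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Note what the model makes explicit: the port check happens before any outbound connection is made, and nothing after the `200` is visible to the proxy, so extending the range is a pure policy decision about which destination ports you are willing to let leave the network unencrypted-to-you.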
Perform the following steps to extend the ISA firewall’s SSL tunnel port range:
- Go to www.isatools.org and download the isa_tpr.js file (http://www.isatools.org/isa_tpr.js), then copy it to your ISA firewall. Do not use the browser on the firewall: download the file to a management workstation, scan it with your antivirus software, copy it to removable media and carry it to the ISA firewall. Remember, never use client applications, such as browsers or e-mail clients, on the firewall itself.
- Double click the isa_tpr.js file. The first dialog box you see states This is your current Tunnel Port Range list. Click OK.
- The NNTP port is displayed. Click OK.
- The SSL port is displayed. Click OK.
- Now copy the isa_tpr.js file to the root of the C: drive. Open a command prompt and enter the following:
- To add a new tunnel port, such as 8848, enter the following command and press ENTER:
cscript isa_tpr.js /add Ext8848 8848
- You will see something like what appears in the figure below after the command runs successfully.
Alternatively, you can download the .NET application ISATpre.zip (written by Steven Soekrasno) from the www.isatools.org site at http://www.isatools.org/ISAtrpe.zip and install it on the ISA firewall. This application provides a simple graphical interface for extending the SSL tunnel port range. The figure below shows what the GUI for this application looks like.
Enter the first and last port of the range you want to add in the LowPort and HighPort text boxes (the same value in both for a single port) and click the Add Tunnel Range button. Then click the Refresh button to see the new SSL tunnel port range in the list.
Note that if you have unbound the Web Proxy filter from the HTTP protocol, Firewall and SecureNAT client connections made through the ISA firewall will not be redirected to the Web Proxy filter, so the tunnel port range does not apply to them. In this case, create a Protocol Definition for the alternate SSL port (for example, TCP 4433 outbound) and an Access Rule allowing outbound access to that protocol. Web Proxy clients still need the tunnel port range extended, because their SSL requests always arrive at the Web Proxy listener as CONNECT requests.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=34;t=000081 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom