We get a fair number of people asking about problems with connecting to SSL sites. In most cases, these problems are related to:
- The SSL site was configured to listen on a non-standard port
- Connection limits are exceeded, because each page element fetched over SSL is a separate session
- Access rules are configured to allow paths to a specific SSL site, but not to the root. The ISA Firewall can’t see the paths in an outbound SSL tunnel, so if you don’t allow access to the entire site, then all connections to the SSL site are denied
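To make the first and third causes concrete, here is a small added model of how a forward proxy such as the ISA Firewall sees Web proxy client traffic; it is example code written for this page, not ISA code, and the hostname and rule class are constructed for illustration. It shows why a path-scoped allow rule can never match an outbound SSL request (the client only sends CONNECT host:port, so the path is never visible) and why a site on a non-standard SSL port is denied until that port is covered by a protocol definition.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class AllowRule:
    """Hypothetical outbound access rule: a host, an allowed path prefix and the
    ports the rule's protocol definition covers ("/" means the whole site)."""
    host: str
    path_prefix: str = "/"
    ports: frozenset = field(default_factory=lambda: frozenset({80, 443}))


def proxy_view(url: str) -> dict:
    """Model what a forward proxy sees from a Web proxy client.

    Plain HTTP is sent as a full request, so the path is visible.  HTTPS is sent
    as CONNECT host:port and the proxy only relays an opaque tunnel after that,
    so the path never reaches the firewall's rule engine.
    """
    u = urlparse(url)
    if u.scheme == "https":
        return {"method": "CONNECT", "host": u.hostname, "port": u.port or 443, "path": None}
    return {"method": "GET", "host": u.hostname, "port": u.port or 80, "path": u.path or "/"}


def evaluate(rules, url: str) -> str:
    """Return 'allow' if any rule matches the request as the proxy sees it, else 'deny'."""
    seen = proxy_view(url)
    for rule in rules:
        if rule.host != seen["host"] or seen["port"] not in rule.ports:
            continue  # wrong host, or a non-standard port with no protocol definition
        if rule.path_prefix == "/":
            return "allow"  # whole-site rule: works for HTTP and for the SSL tunnel
        if seen["path"] is not None and seen["path"].startswith(rule.path_prefix):
            return "allow"  # a path rule can only match when the path is visible
    return "deny"


if __name__ == "__main__":
    site = "intranet.example.com"  # constructed hostname
    path_rule = [AllowRule(site, "/secure/")]
    root_rule = [AllowRule(site, "/")]
    port_rule = [AllowRule(site, "/", frozenset({443, 8443}))]
    print(evaluate(path_rule, f"http://{site}/secure/app"))   # allow: path visible
    print(evaluate(path_rule, f"https://{site}/secure/app"))  # deny: CONNECT hides the path
    print(evaluate(root_rule, f"https://{site}/secure/app"))  # allow: whole site permitted
    print(evaluate(root_rule, f"https://{site}:8443/"))       # deny: non-standard SSL port
    print(evaluate(port_rule, f"https://{site}:8443/"))       # allow: port 8443 defined
```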
However, there might be another problem if you haven’t updated your ISA Firewall. These days, there’s no reason not to keep your ISA Firewall updated, as ISA Firewall updates are part of the Microsoft Update option. This is a great security advantage over “hardware” firewalls or Blue Coat proxies, where you have to remember to update the firewall or proxy yourself and hope you don’t get nailed before the update for the non-ISA device is released and applied.
If you haven’t updated your ISA Firewall, you might have problems with SSL sites if:
- The ISA Firewall software isn’t completely up to date
- The client is configured as a Web proxy client
- The ISA Firewall’s Web listener is configured to use integrated authentication
- The Web proxy client hasn’t been configured to use HTTP 1.1 (you should always configure your Web proxy clients to use HTTP 1.1)
Updating the ISA Firewall will stop the problem. For more information, check out the KB article at http://support.microsoft.com/kb/923766/en-us
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: [email protected]
MVP — Microsoft Firewalls (ISA)