Thought I posted this yesterday but can't find it now so I'd guess I forgot to press submit - apologies if I've just managed to lose it :-)
We have a couple of websites (eg http://elp.slc.co.uk/) which need a certificate in order for the user to logon.
The site prompts for the certificate but then fails to load the next step (which is an https site) - it just gives the normal "server not found" type error (check DNS, check network connection etc).
On the ISA 2004 server, the info below is logged. Has anyone else seen anything like this before and fixed it? This used to work so obviously something has been changed on our ISA server but there's nothing obviously wrong (and access to web sites like banks which don't use certificates are working fine)
Failed Connection Attempt TCONWL16 09/04/2008 10:58:04
Log type: Web Proxy (Forward)
Status: 995 The I/O operation has been aborted because of either a thread exit or an application request.
Rule: Web Access Only
Source: Internal ( 10.0.1.31:0)
Destination: External ( 126.96.36.199:443)
Filter information: Req ID: 08ad9b13
Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
Object source: Internet Processing time: 0
Cache info: 0x0 MIME type:
Was interested in this coz I once did lots of stuff with client certs and it rang some kind of bell. Then Google threw up this re. ISA:
Unfortunately, all SSL tunnels will be logged as "failed" connections;
typically with one of two result-codes:
64 (The specified network name is no longer available)
995 (The I/O operation has been aborted because of either a thread exit
or an application request.)
This is because ISA only knows two things about an SSL tunnel:
1. the connections are (not) closed
2. bits are (not) not flowing through the tunnel
I suppose there's the obvious stuff e.g. is the client cert valid (e.g. in date)? Is it possible to test it directly without traversing the ISA server?
You cannot intercept and proxy the SSL connections unless you use a trusted certificate (eg, one you create and push out to your domain pcs) to create a new SSL connection between the client machine and your ISA server.
The correct thing to do is to just let the connection through unmodified and put up with the warnings as Piqueaboo says.
Sorry; probably being completely stupid here but what do you mean by "let the connection through unmodified"?
As far as I know, we're not asking the ISA server to do anything to the data but obviously something must be happening otherwise the users would be able to get to the web sites they used to be able to get to!
If you have a working rule, can you save the XML of it and post it?