+ Post New Thread
Results 1 to 7 of 7
Windows Thread, ISA server blocking https in Technical; The last few days i have been getting error messages on my 2004 isa box where its not letting me ...
  1. #1
    DSapseid's Avatar
    Join Date
    Feb 2007
    Location
    West Sussex
    Posts
    1,148
    Thank Post
    129
    Thanked 54 Times in 47 Posts
    Rep Power
    37

    ISA server blocking https

    The last few days i have been getting error messages on my 2004 isa box where its not letting me access any https pages.

    The strange thing is that i had this yesterday, rebooted the server and it was fine for about 2 hours.

    I have tried rebooting the server, restarting services. I dont know why its suddenly started to do this as i havent made any changes to it in about a 6 months. Screenshot attached of the error.

    Any ideas?
    Attached Images Attached Images

  2. #2

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    10,686
    Thank Post
    824
    Thanked 2,570 Times in 2,187 Posts
    Blog Entries
    9
    Rep Power
    731
    Can you access the SSL sites from the ISA box directly as it may be being refused by your upstream network.

    ISA 2004 "502 Proxy Error. Connection refused(10061) : error, connection, isa, proxy
    The 10061 error suggests that your upstream device is not operating (for ssl) so the traffic is going out 'as is'. ie it is going out as proxied traffic from the ISA rather than https traffic.

  3. #3
    DSapseid's Avatar
    Join Date
    Feb 2007
    Location
    West Sussex
    Posts
    1,148
    Thank Post
    129
    Thanked 54 Times in 47 Posts
    Rep Power
    37
    Yeh i can access the ssl sites fine from the isa box or i use my machine on its second nic that is configured straight into countys network rather than the internal one here.

    I have looked in the event log of both the server and the isa logs and they are both reporting that the upstream server is not available.

    I cant ping the county proxy from my machine i just get time outs. But if i use my other connection it gets perfect ping results.

    Im guessing that i should be able to ping the county proxy server from behind the isa server? it does find the correct ip address for it.

  4. #4

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    10,686
    Thank Post
    824
    Thanked 2,570 Times in 2,187 Posts
    Blog Entries
    9
    Rep Power
    731
    Quote Originally Posted by DSapseid View Post
    Yeh i can access the ssl sites fine from the isa box or i use my machine on its second nic that is configured straight into countys network rather than the internal one here.

    I have looked in the event log of both the server and the isa logs and they are both reporting that the upstream server is not available.

    I cant ping the county proxy from my machine i just get time outs. But if i use my other connection it gets perfect ping results.

    Im guessing that i should be able to ping the county proxy server from behind the isa server? it does find the correct ip address for it.
    I think that ages ago there was some kind of problem with SSL proxying from squid and ISA thanks to an update but I can't remember the details.

    If the logs are reporting that it is not avalible that is the first place that I would look, reset all of the upstream proxy details to make sure that they are correct and make sure that you have all of the ISA 2004 updates installed. I would also try installing ISA on a secondary box and seeing if that worked ok as the ISA configuration could have become corrupted.

    Do you use any extra third party filters like Surfcontrol () as these are really talented at completely hosing an ISA installation at random times.

    You would only be able to ping the proxy throught the ISA server if you have enabled ICMP traffic through it.

  5. #5
    DSapseid's Avatar
    Join Date
    Feb 2007
    Location
    West Sussex
    Posts
    1,148
    Thank Post
    129
    Thanked 54 Times in 47 Posts
    Rep Power
    37
    Right i think i may have sussed what it was. It was symantec endpoint protection! It was seeing county's proxy server asking for information (which it does now because of data transfer or something) but it saw it as a malicious attack and blocked it the ip address for 10mins this then stopped the isa from accessing the ip for the proxy and killed the https. Have just turned of certain parts of the symantec and all looks ok so far *touch wood*.

    Will keep checking it for the next few hours but looks like it.

  6. #6

    Join Date
    Mar 2008
    Location
    Midlands
    Posts
    119
    Thank Post
    0
    Thanked 21 Times in 20 Posts
    Rep Power
    16
    I experienced this after an ISA 2004 service pack, I think it was SP2 never could figure out the problem just removed the SP

  7. #7

    ZeroHour's Avatar
    Join Date
    Dec 2005
    Location
    Edinburgh, Scotland
    Posts
    5,572
    Thank Post
    869
    Thanked 1,293 Times in 786 Posts
    Blog Entries
    1
    Rep Power
    436
    Quote Originally Posted by DSapseid View Post
    Right i think i may have sussed what it was. It was symantec endpoint protection! It was seeing county's proxy server asking for information (which it does now because of data transfer or something) but it saw it as a malicious attack and blocked it the ip address for 10mins this then stopped the isa from accessing the ip for the proxy and killed the https. Have just turned of certain parts of the symantec and all looks ok so far *touch wood*.

    Will keep checking it for the next few hours but looks like it.
    Please tell me your not running the firewall parts of that on the ISA box. That could have huge issues. You only need AV on ISA (and to run the hardening tool for ISA )

SHARE:
+ Post New Thread

Similar Threads

  1. ISA 2006 + blocking internet for AD group
    By Paid_Peanuts in forum Windows
    Replies: 8
    Last Post: 7th December 2007, 06:46 PM
  2. ISA 2004 Blocking Groups
    By drewinc in forum Windows
    Replies: 4
    Last Post: 11th June 2007, 12:37 PM
  3. ISA Server Email Server Publishing
    By Norphy in forum Windows
    Replies: 12
    Last Post: 26th May 2006, 01:14 PM
  4. ISA 2004 Filetype blocking
    By indiegirl in forum Windows
    Replies: 2
    Last Post: 21st March 2006, 03:54 PM
  5. Blocking Batch Files using Group Policy in Server 2003
    By markwilliamson2001 in forum Windows
    Replies: 13
    Last Post: 4th October 2005, 05:28 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •