Beware: White spaces...

In my previous post, I talked about an interesting "page cannot be displayed" issue when accessing HTTPS sites. Now, here is another story about HTTPS access failures.

This time, it was not a "page cannot be displayed" error message. In fact, there was no error message at all. Some of the clients were complaining that they could not browse a specific HTTPS web site. Instead, they were matching the last rule in the ISA Server as we saw in the ISA logs.

In ISA Server, there was an access rule that contained the clients. The allowed web sites were listed in a URL Set, and this URL Set contained some HTTP and HTTPS sites. The URLs were marked with an asterisk (*) for sub-domains, and the clients were able to access all HTTP and HTTPS sites except one. When I tried in my browser, I was able to browse the HTTPS site in question, so the web site was live. The URL Set was something like below:

*.mysite.com
*.microsoft.com
*.onlinebank.com
*.mycompany.com

The interesting part was that clients were able to access http://www.onlinebank.com or http://subdomain.onlinebank.com, but they were not able to access https://www.onlinebank.com or https://subdomain.onlinebank.com. There were no other rules blocking access to this site.

Then I asked my customer to export the URL Set. When I opened the exported XML file in Notepad, it was something like below:

<fpc4:DomainNameStrings>
            <fpc4:Str dt:dt="string">*.mysite.com</fpc4:Str>
            <fpc4:Str dt:dt="string">*.microsoft.com</fpc4:Str>
            <fpc4:Str dt:dt="string">*.onlinebank.com </fpc4:Str>
            <fpc4:Str dt:dt="string">*.mycompany.com</fpc4:Str>
</fpc4:DomainNameStrings>

Then I noticed that there was a white-space after "*.onlinebank.com". Removing this white-space solved the customer's issue.

Long story short, ISA Server does not trim strings in URL Sets.
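A small checker for this failure mode, added here as an example (it is not code from the original post or from ISA Server): it scans an exported set for `Str` entries with leading, trailing or embedded white space. The sample export is constructed from the snippet above, its namespace URIs are placeholders, and matching every `Str` element by local name is an assumption about the export layout.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the export shown above. The namespace URIs
# are placeholders, not the ones a real ISA Server export declares.
SAMPLE_EXPORT = """<fpc4:DomainNameStrings xmlns:fpc4="urn:example:fpc4"
        xmlns:dt="urn:example:dt">
    <fpc4:Str dt:dt="string">*.mysite.com</fpc4:Str>
    <fpc4:Str dt:dt="string">*.microsoft.com</fpc4:Str>
    <fpc4:Str dt:dt="string">*.onlinebank.com </fpc4:Str>
    <fpc4:Str dt:dt="string">*.mycompany.com</fpc4:Str>
</fpc4:DomainNameStrings>"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def find_untrimmed_entries(xml_data):
    """Return (position, raw_value, problem) for each Str entry that is
    empty or carries leading, trailing or embedded white space."""
    findings = []
    entries = [e for e in ET.fromstring(xml_data).iter() if local_name(e.tag) == "Str"]
    for position, elem in enumerate(entries, start=1):
        raw = elem.text or ""
        if raw.strip() == "":
            findings.append((position, raw, "empty or whitespace-only"))
        elif raw != raw.strip():
            findings.append((position, raw, "leading/trailing whitespace"))
        elif any(ch.isspace() for ch in raw):
            findings.append((position, raw, "embedded whitespace"))
    return findings


def report(xml_data):
    """Format findings; repr() makes invisible characters such as a tab visible."""
    return [f"entry {pos}: {raw!r} -> {problem}"
            for pos, raw, problem in find_untrimmed_entries(xml_data)]


if __name__ == "__main__":
    # Pass the path of an exported XML file, or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            data = handle.read()
    else:
        data = SAMPLE_EXPORT
    for line in report(data) or ["no whitespace problems found"]:
        print(line)
```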

Cheers ;)
AMB

Posted 06 November 07 07:11 by ahmetmithat

ISA Server 2006: An interesting “The page cannot be displayed” error message for HTTPS sites...But why?

A few days ago, I received a call from one of my customers, and he was complaining about accessing HTTPS sites behind ISA Server 2006. Basically, the clients were seeing “The page cannot be displayed” error message in Internet Explorer.

It is always good to start with live logging, so I asked for the ISA logs. In the logs, we were seeing the following entry:

| HTTP Status Code | Log Record Type | Port | Action |
| --- | --- | --- | --- |
| 13 The data is invalid. | Web Proxy Filter | 443 | Failed Connection Attempt |

The clients who had this issue were not using the Firewall Client; they were SecureNAT clients. The strange thing was that we were seeing Web Proxy Filter for HTTPS traffic in the ISA logs.
 
There might be some problems with the ISA Server configuration, and this might be the root cause of the issue, but the ISA BPA logs showed that the configuration and the access rules were fine. ISA Server was the only firewall or web proxy application on the network, so there was no other suspicious application other than ISA for this issue.

When this kind of strange issue happens, a network trace will show the problem, so we collected one. When we analyzed the Network Monitor trace, we found that the ISA Server side responded with an HTTP 400 Bad Request to the client. There was no HTTPS traffic on the external network from the internal network. So, the traffic was cut on the ISA Server.

Since the protocol was HTTPS, we checked the properties of the HTTPS protocol on the ISA Server. To do so, we went to Firewall Policy, and then on the right pane, clicked Toolbox, expanded the Protocols section and right-clicked the HTTPS protocol. In the Parameters tab, we saw that the Web Proxy Filter was checked. When this is disabled, it disables all caching and other proxying services for the client request.

Since HTTPS traffic is not cached, it is not necessary to use this filter. It is also not selected by default for the HTTPS protocol. Somehow, the customer had set this filter for HTTPS traffic.

Then we unchecked the Web Proxy Filter for the HTTPS protocol, and this solved the issue.


A few weeks ago, a new KB article was published about this issue. Basically, this information can be very useful when you see an unexpected “The page cannot be displayed” error message while accessing HTTPS sites. So, if you are working with ISA Server, please bookmark the following KB article:

Cannot access HTTPS web site if Web Proxy Filter is bound to HTTPS protocol
http://support.microsoft.com/kb/944006

For Web Proxy Filter details, please see the following TechNet article:

Web Proxy Filter
http://www.microsoft.com/technet/isa/2004/help/FW_WebProxyFilter.mspx?mfr=true

Cheers ;)
AMB

Posted 05 November 07 04:57 by ahmetmithat