Re: Trying to understand this behavior, Ports in IIS
From: Marlon Brown (nospamarlon_at_hotmail.com)
Date: Sun, 26 Jun 2005 17:13:56 -0700
Sure. Here we go:
First of all, I followed the steps to publish "Sharepoint 2003 - ISA 2004".
I don't have a link to this document since it was a hand-out given at MS,
but basically the document tells me to go to the respective IIS website and
assign port 8080 (instead of 80).
Then on ISA 2004, I created a publishing rule that states SSL=443 (note
that 80 or 8080 was not selected). In the web listener, yes, the instructions
told me to listen on port = 8080 and SSL port=443.
In the border router and in the PIX firewall (both devices are "in front of"
the ISA 2004) I made sure the access-lists were opened accordingly for both
80 and 443.
I attempted to access https://mysite.mycompany.com from a host on the
same network where the site was - it worked great. I did a portqry.exe -n
mysite.mycompany.com -e 443 and it was successful. That tells me the ISA
server was accepting the connections.
I tried to access https://mysite.mycompany.com from the Internet and it
resolved OK to the respective IP address, but it always failed (DNS error,
page cannot be displayed).
Then I did a portqry.exe -n mysite.comapany.com -e 443 and it returned
'filtered'. Definitely this was "blocked" somewhere.
Then I decided to change the access-list in the Cisco border router and in
the PIX firewall from "allow 80" to "allow 8080".
The whole thing worked instantly and I was then able to connect to
https://mysite.mycompany.com from the Internet.
Out of curiosity:
I go to the PIX firewall and border router and there is no hitcount for the
I took traces of client and server connections and I only see traffic on
I went back to the IIS site and changed it from port 8080 to port 8081; I
changed the ISA web listener to port 8081. That did not break it, I still
can access the site from the Internet.
Perhaps this was an anomaly that got cleared after I changed the access-list in
the router or PIX firewall, because the way I see it is that this 8080 port
is doing nothing.
"David Wang [Msft]" <email@example.com> wrote in message
> Well, the issue could be with your:
> 1. Checkpoint firewall
> 2. network devices between the firewall and ISA Server
> 3. ISA Server
> 4. network devices between ISA Server and IIS
> 5. IIS server
> Can you please describe the steps you took to determine that issues #1
> through #4 were not happening, thus it must be #5 that is causing the
> strange behavior?
> Given your current information, the issue seems to be with the Checkpoint
> This posting is provided "AS IS" with no warranties, and confers no
> "Marlon Brown" <firstname.lastname@example.org> wrote in message
> Correct. It should work over 443, but then the connection from client to
> server was successful only upon opening port 8080 in the firewall. This is
> the part I can't understand.
> "David Wang [Msft]" <email@example.com> wrote in message
>> I'm not certain what your question is about. Can you clarify?
>> Your requests are over https:// , which default to port 443. This means
>> for those requests, you should NOT see traffic over HTTP/8080 -- which is
>> exactly what you are seeing. So, I'm confused at what behavior you are
>> trying to understand because it all looks by-design to me right now.
>> "Marlon" <firstname.lastname@example.org> wrote in message
>> Win2003, IIS6.
>> Under "Internet Information Services/Web Sites" snap-in, I've created a
>> "Mysite" site.
>> If I click "Properties", "Web Site" tab, I see the following information:
>> TCP Port=8080 SSL=443
>> I published this site via ISA 2004. In ISA I setup a web listener to
>> on port 8080" and "SSL=443".
>> Then when I browse
>> I take traces and I see no indication of port 8080 being in use. Netmon
>> doesn't show that packets use port 8080 at all, either on the client or
>> server during the request to https://mysite.mycompany.com (all the
>> communications are happening over SSL).
>> The strange part is this:
>> Prior to 'open' port 8080 in our main edge Checkpoint firewall, the site
>> unreachable from the "Internet".
>> Perhaps even more strange, after opening the port in the edge firewall
>> make the whole thing work, I go back to the edge firewall and I see *no*
>> hits in the access-list related to port 8080.
>> What would this port 8080 be used for in this situation? I am