Re: Trying to understand this behavior, Ports in IIS

From: Marlon Brown (nospamarlon_at_hotmail.com)
Date: 06/27/05


Date: Sun, 26 Jun 2005 17:13:56 -0700

Sure. Here we go:

First of all, I followed the steps to publish "Sharepoint 2003 - ISA 2004".
I don't have a link to this document since it was a hand-out given at MS,
but basically the document tells me to go the respective IIS website and
assign port 8080 (instead of 80).
Then on ISA 2004, I created a publishing rule that states SSL=443 (note
that 80 or 8080 was not selected). In the web listener, yes, the instructions
told me to listen on port 8080 and SSL port 443.

In the border router and in the PIX firewall (both devices are "in front of"
the ISA 2004) I made sure the access-lists were opened accordingly for both
80 and 443.
I attempted to access https://mysite.mycompany.com from a host on the
same network where the site was - it worked great. I did a portqry.exe -n
mysite.mycompany.com -e 443 and it was successful. That tells me the ISA
server was accepting the connections.

I tried to access https://mysite.mycompany.com from the Internet and it
resolved OK to the respective IP address, but it always failed (DNS error,
page cannot be displayed).

Then I did a portqry.exe -n mysite.mycompany.com -e 443 and it returned
'filtered'. Definitely this was "blocked" somewhere.

Then I decided to change the access-list in the Cisco border router and in
the PIX firewall from "allow 80" to "allow 8080".
The whole thing worked instantly and I was then able to connect to
https://mysite.mycompany.com from the Internet.

Out of curiosity:
I go to the PIX firewall and border router and there is no hitcount for the
8080 access-list.
I took traces of client and server connections and I only see traffic on
port 443.
I went back to the IIS site and changed it from port 8080 to port 8081; I
changed the ISA web listener to port 8081. That did not break it, I still
can access the site from the Internet.

Perhaps this was an anomaly that got cleared after I changed the access-list in
the router or PIX firewall, because the way I see it is that this 8080 port
is doing nothing.

"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:eCWtWkjeFHA.2128@TK2MSFTNGP14.phx.gbl...
> Well, the issue could be with your:
> 1. Checkpoint firewall
> 2. network devices between the firewall and ISA Server
> 3. ISA Server
> 4. network devices between ISA Server and IIS
> 5. IIS server
>
> Can you please describe the steps you took to determine that issues #1
> through #4 were not happening, thus it must be #5 that is causing the
> strange behavior?
>
> Given your current information, the issue seems to be with the Checkpoint
> firewall.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
> "Marlon Brown" <nospamarlon@hotmail.com> wrote in message
> news:%23nuE0LeeFHA.688@TK2MSFTNGP14.phx.gbl...
> Correct. It should work over 443, but then the connection from client to
> server was successful only upon opening port 8080 in the firewall. This is
> the part I can't understand.
> "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
> news:OK$olWdeFHA.1384@TK2MSFTNGP09.phx.gbl...
>> I'm not certain what your question is about. Can you clarify?
>>
>>
>> Your requests are over https:// , which default to port 443. This means
>> that for those requests, you should NOT see traffic over HTTP/8080 -- which
>> is exactly what you are seeing. So, I'm confused at what behavior you are
>> trying to understand because it all looks by-design to me right now.
>>
>> --
>> //David
>> IIS
>> http://blogs.msdn.com/David.Wang
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> //
>> "Marlon" <marlon-nospam@hotmail.com> wrote in message
>> news:eNNYszMeFHA.2520@TK2MSFTNGP09.phx.gbl...
>> Win2003, IIS6.
>> Under "Internet Information Services/Web Sites" snap-in, I've created a
>>
>> "Mysite" site.
>>
>> If I click "Properties", "Web Site" tab, I see the following information:
>> TCP Port=8080 SSL=443
>>
>> I published this site via ISA 2004. In ISA I setup a web listener to
>> "listen on port 8080" and "SSL=443".
>>
>> Then when I browse
>> https://mysite.mycompany.com
>>
>> I take traces and I see no indication of port 8080 being in use. Netmon
>> doesn't show that packets use port 8080 at all, either on the client or
>> the server, during the request to https://mysite.mycompany.com (all the
>> communications are happening over SSL).
>>
>> The strange part is this:
>> Prior to 'opening' port 8080 in our main edge Checkpoint firewall, the site
>> was unreachable from the "Internet".
>> Perhaps even more strange, after opening the port in the edge firewall
>> and making the whole thing work, I go back to the edge firewall and I see
>> *no* hits in the access-list related to port 8080.
>>
>> What would this port 8080 be used for in this situation? I am curious.
>>
>>
>>
>
>
>
>
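The troubleshooting in this thread rests on two portqry.exe probes of the same host and port, one from inside and one from the Internet, and on David's list of places the block could be. As an added example (not from either poster), here is a small Python reproduction of that method: a portqry-style TCP probe that yields LISTENING / NOT LISTENING / FILTERED, plus a helper that turns the inside/outside pair of verdicts into a statement about which segment of the path is dropping traffic. The hostname and the connector used for offline checking are constructed assumptions.

```python
"""portqry-style TCP probe plus inside-vs-outside block localisation.
Added example; not code from the newsgroup posts or from any Microsoft tool.
The verdict names mirror what portqry.exe prints."""
import socket

LISTENING, NOT_LISTENING, FILTERED = "LISTENING", "NOT LISTENING", "FILTERED"


def classify(connect_result):
    """Map the outcome of a TCP connect() to portqry's three verdicts."""
    if connect_result is None:
        return LISTENING        # SYN/ACK came back: a service answered
    if isinstance(connect_result, ConnectionRefusedError):
        return NOT_LISTENING    # RST came back: host reachable, nothing bound
    return FILTERED             # no reply at all: something silently drops the SYN


def tcp_connect(host, port, timeout=3.0):
    """Real connector: returns None on success, otherwise the OSError raised."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return None
    except OSError as exc:
        return exc


def probe(host, port, connect=tcp_connect):
    """Probe host:port; 'connect' is injectable so the logic can be checked offline."""
    return classify(connect(host, port))


def localise_block(inside, outside):
    """Given verdicts for the same host:port from the inside network and from
    the Internet, say which part of the path Internet -> edge devices ->
    listener -> web server is responsible (David's items #1/#2 vs #3-#5)."""
    if inside == LISTENING and outside == LISTENING:
        return "open end to end"
    if inside == LISTENING and outside == FILTERED:
        return "dropped between the Internet and the listener (edge router/firewall ACL or NAT)"
    if inside == FILTERED:
        return "dropped at or before the listener itself (host firewall, listener not bound to that port)"
    if inside == NOT_LISTENING:
        return "nothing bound to that port on the listener host (check the listener/site port settings)"
    return "inconsistent results; repeat both probes"


if __name__ == "__main__":
    # Constructed hostname; the probe only runs when executed directly.
    print(probe("mysite.mycompany.com", 443))
```

Running the inside probe against 443 as Marlon did, then the outside one, and feeding both verdicts to localise_block reproduces his "filtered, blocked somewhere in front of ISA" conclusion without guessing at the device.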


