Re: Trying to understand this behavior, Ports in IIS
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 06/27/05
- Previous message: David Wang [Msft]: "Re: IIS/Windows Permissions/Rights"
- In reply to: Marlon Brown: "Re: Trying to understand this behavior, Ports in IIS"
Date: Mon, 27 Jun 2005 01:31:25 -0700
>I attempted to access such https://mysite.mycompany.com from
> a host on the same network where the site was - it worked great.
> I did a portqry.exe -n mysite.mycompany.com -e 443 and it was
> successful. That tells me the ISA server was accepting the connections.
> I went back to the IIS site and changed it from port 8080 to port
> 8081; I changed the ISA web listener to port 8081. That did not
> break it, I still can access the site from the Internet.
If I understood your configuration correctly, you have just stated that the
strange behavior has nothing to do with IIS-related behavior.
>Then I decided to change the access-list in the Cisco border
> router and in the PIX firewall from "allow 80" to "allow 8080".
> The whole thing worked instantly and I was then able to connect
> to https://mysite.mycompany.com from the Internet.
It seems that the strange behavior is in this layer somewhere. I do not see
IIS involved in here, so the best thing I can suggest is for you to obtain
support for your questions from those respective vendors.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Marlon Brown" <nospamarlon@hotmail.com> wrote in message
news:urhaQ0qeFHA.256@TK2MSFTNGP14.phx.gbl...

Sure. Here we go:

First of all, I followed the steps to publish "Sharepoint 2003 - ISA 2004". I don't have a link to this document since it was a hand-out given at MS, but basically the document tells me to go to the respective IIS website and assign port 8080 (instead of 80).

Then on ISA 2004, I created a publishing rule that it states SSL=443 (note that 80 or 8080 was not selected). In the web listener yes, the instructions told me to listen on port = 8080 and SSL port=443.

In the border router and in the PIX firewall (both devices are "in front of" the ISA 2004) I made sure the access-lists were opened accordingly for both 80 and 443.

I attempted to access such https://mysite.mycompany.com from a host on the same network where the site was - it worked great. I did a portqry.exe -n mysite.mycompany.com -e 443 and it was successful. That tells me the ISA server was accepting the connections.

I tried to access https://mysite.mycompany.com from the Internet and it resolved OK to the respective IP address, but it always failed (DNS error, page cannot be displayed). Then I did a portqry.exe -n mysite.comapany.com -e 443 and it returned 'filtered'. Definitely this was "blocked" somewhere.

Then I decided to change the access-list in the Cisco border router and in the PIX firewall from "allow 80" to "allow 8080". The whole thing worked instantly and I was then able to connect to https://mysite.mycompany.com from the Internet.

Out of curiosity: I go to the PIX firewall and border router and there is no hitcount for the 8080 access-list. I took traces of client and server connections and I only see traffic on port 443.

I went back to the IIS site and changed it from port 8080 to port 8081; I changed the ISA web listener to port 8081. That did not break it, I still can access the site from the Internet.

Perhaps this was an anomaly that got cleared after I changed the access-list in the router or PIX firewall, because the way I see it is that this 8080 port is doing nothing.

"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:eCWtWkjeFHA.2128@TK2MSFTNGP14.phx.gbl...
> Well, the issue could be with your:
> 1. Checkpoint firewall
> 2. network devices between the firewall and ISA Server
> 3. ISA Server
> 4. network devices between ISA Server and IIS
> 5. IIS server
>
> Can you please describe the steps you took to determine that issues #1
> through #4 were not happening, thus it must be #5 that is causing the
> strange behavior?
>
> Given your current information, the issue seems to be with the Checkpoint
> firewall.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Marlon Brown" <nospamarlon@hotmail.com> wrote in message
> news:%23nuE0LeeFHA.688@TK2MSFTNGP14.phx.gbl...
> Correct. It should work over 443, but then the connection from client to
> server was successful only upon opening port 8080 in the firewall. This is
> the part I can't understand.
> "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
> news:OK$olWdeFHA.1384@TK2MSFTNGP09.phx.gbl...
>> I'm not certain what your question is about. Can you clarify?
>>
>> Your requests are over https:// , which default to port 443. This means that
>> for those requests, you should NOT see traffic over HTTP/8080 -- which is
>> exactly what you are seeing. So, I'm confused at what behavior you are
>> trying to understand because it all looks by-design to me right now.
>>
>> --
>> //David
>> IIS
>> http://blogs.msdn.com/David.Wang
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>> //
>> "Marlon" <marlon-nospam@hotmail.com> wrote in message
>> news:eNNYszMeFHA.2520@TK2MSFTNGP09.phx.gbl...
>> Win2003, IIS6.
>> Under "Internet Information Services/Web Sites" snap-in, I've created a
>> "Mysite" site.
>>
>> If I click "Properties", "Web Site" tab, I see the following information:
>> TCP Port=8080 SSL=443
>>
>> I published this site via ISA 2004. In ISA I setup a web listener to
>> "listen on port 8080" and "SSL=443".
>>
>> Then when I browse
>> https://mysite.mycompany.com
>>
>> I take traces and I see no indication of port 8080 being in use. Netmon
>> doesn't show that packets use port 8080 at all neither on the client or
>> the server during the request to https://mysite.mycompany.com (all the
>> communications are happening over SSL).
>>
>> The strange part is this:
>> Prior to 'open' port 8080 in our main edge Checkpoint firewall, the site
>> was unreachable from the "Internet".
>> Perhaps even more strange, after opening the port in the edge firewall
>> and make the whole thing work, I go back to the edge firewall and I see
>> *no* hits in the access-list related to port 8080.
>>
>> What would this port 8080 be used for in this situation? I am curious.
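
The portqry results discussed in this thread, as an added example that is not part of the original posts: a Python probe that classifies a TCP port with portqry's three result names, plus a helper that brackets where on the path a block sits when the same port is probed from several vantage points. The function names, the `UNRESOLVED` state and the sample observations are constructed for illustration.

```python
import socket

def probe(host, port, timeout=3.0):
    """Classify one TCP port using portqry's three result names."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "LISTENING"        # handshake completed
    except ConnectionRefusedError:
        return "NOT LISTENING"        # RST returned: host reached, nothing bound
    except socket.gaierror:
        return "UNRESOLVED"           # name lookup failed (not a portqry state)
    except OSError:
        return "FILTERED"             # timeout or unreachable: dropped on the path

def locate_block(observations):
    """observations: (vantage point, state) pairs ordered from nearest the
    server to farthest. Returns (last vantage that connected, first that did
    not, its state), or None if every vantage point connected."""
    last_ok = None
    for vantage, state in observations:
        if state != "LISTENING":
            return last_ok, vantage, state
        last_ok = vantage
    return None

# Constructed sample: the two portqry results described in the thread.
SAMPLE = [
    ("host on the site's own network", "LISTENING"),
    ("host on the Internet", "FILTERED"),
]

if __name__ == "__main__":
    print(locate_block(SAMPLE))
    # Live use: run probe() from each vantage point and collect the states,
    # e.g. probe("mysite.mycompany.com", 443)
```

The devices sitting between the two vantage points that `locate_block` returns are the ones whose rules and logs to inspect first.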