Trying to understand this behavior, Ports in IIS

"Marlon" <marlon-nospam@hotmail.com> wrote in message news:eNNYszMeFHA.2520@TK2MSFTNGP09.phx.gbl...

Win2003, IIS6.
Under "Internet Information Services/Web Sites" snap-in, I've created a "Mysite" site.

If I click "Properties", "Web Site" tab, I see the following information:
TCP Port=8080 SSL=443

I published this site via ISA 2004. In ISA I set up a web listener to "listen on port 8080" and "SSL=443".

Then when I browse https://mysite.mycompany.com I take traces and I see no indication of port 8080 being in use. Netmon doesn't show that packets use port 8080 at all, either on the client or the server, during the request to https://mysite.mycompany.com (all the communications are happening over SSL).

The strange part is this:
Prior to opening port 8080 in our main edge Checkpoint firewall, the site was unreachable from the "Internet".
Perhaps even more strange, after opening the port in the edge firewall and making the whole thing work, I go back to the edge firewall and I see *no* hits in the access-list related to port 8080.

What would this port 8080 be used for in this situation? I am curious.


"David Wang [Msft]" <some***@online.microsoft.com> wrote in message news:OK$olWdeFHA.1384@TK2MSFTNGP09.phx.gbl...

I'm not certain what your question is about. Can you clarify?

Your requests are over https:// , which defaults to port 443. This means that for those requests, you should NOT see traffic over HTTP/8080 -- which is exactly what you are seeing. So, I'm confused at what behavior you are trying to understand because it all looks by-design to me right now.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//


"Marlon Brown" <nospamarlon@hotmail.com> wrote in message news:%23nuE0LeeFHA.688@TK2MSFTNGP14.phx.gbl...

Correct. It should work over 443, but then the connection from client to server was successful only upon opening port 8080 in the firewall. This is the part I can't understand.


"David Wang [Msft]" <some***@online.microsoft.com> wrote in message news:eCWtWkjeFHA.2128@TK2MSFTNGP14.phx.gbl...

Well, the issue could be with your:
1. Checkpoint firewall
2. network devices between the firewall and ISA Server
3. ISA Server
4. network devices between ISA Server and IIS
5. IIS server

Can you please describe the steps you took to determine that issues #1 through #4 were not happening, thus it must be #5 that is causing the strange behavior?

Given your current information, the issue seems to be with the Checkpoint firewall.

--
//David


"Marlon Brown" <nospamarlon@hotmail.com> wrote in message news:urhaQ0qeFHA.256@TK2MSFTNGP14.phx.gbl...

Sure. Here we go:

First of all, I followed the steps to publish "Sharepoint 2003 - ISA 2004". I don't have a link to this document since it was a hand-out given at MS, but basically the document tells me to go to the respective IIS website and assign port 8080 (instead of 80).

Then on ISA 2004, I created a publishing rule that states SSL=443 (note that 80 or 8080 was not selected). In the web listener, yes, the instructions told me to listen on port = 8080 and SSL port=443.

In the border router and in the PIX firewall (both devices are "in front of" the ISA 2004) I made sure the access-lists were opened accordingly for both 80 and 443.

I attempted to access https://mysite.mycompany.com from a host on the same network where the site was - it worked great. I did a portqry.exe -n mysite.mycompany.com -e 443 and it was successful. That tells me the ISA server was accepting the connections.

I tried to access https://mysite.mycompany.com from the Internet and it resolved OK to the respective IP address, but it always failed (DNS error, page cannot be displayed). Then I did a portqry.exe -n mysite.comapany.com -e 443 and it returned 'filtered'. Definitely this was "blocked" somewhere.

Then I decided to change the access-list in the Cisco border router and in the PIX firewall from "allow 80" to "allow 8080". The whole thing worked instantly and I was then able to connect to https://mysite.mycompany.com from the Internet.

Out of curiosity: I go to the PIX firewall and border router and there is no hitcount for the 8080 access-list. I took traces of client and server connections and I only see traffic on port 443.

I went back to the IIS site and changed it from port 8080 to port 8081; I changed the ISA web listener to port 8081. That did not break it, I still can access the site from the Internet.

Perhaps this was an anomaly that got cleared after I changed the access-list in the router or PIX firewall, because the way I see it is that this 8080 port is doing nothing.


"David Wang [Msft]" <some***@online.microsoft.com> wrote:

> I attempted to access such https://mysite.mycompany.com from
> a host on the same network where the site was - it worked great.
> I did a portqry.exe -n mysite.mycompany.com -e 443 and it was
> successful. That tells me the ISA server was accepting the connections.
> I went back to the IIS site and changed it from port 8080 to port
> 8081; I changed the ISA web listener to port 8081. That did not
> break it, I still can access the site from the Internet.

If I understood your configuration correctly, you have just stated that the strange behavior has nothing to do with IIS-related behavior.

> Then I decided to change the access-list in the Cisco border
> router and in the PIX firewall from "allow 80" to "allow 8080".
> The whole thing worked instantly and I was then able to connect
> to https://mysite.mycompany.com from the Internet.

It seems that the strange behavior is in this layer somewhere. I do not see IIS involved in here, so the best thing I can suggest is for you to obtain support for your questions from those respective vendors.

--
//David
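The inside/outside portqry comparison described in the thread, as an added example that is not part of any post: a Python probe that reports portqry's three TCP states and compares results from two vantage points to show whether a port is dropped in front of the listener or never served by it. The function names, verdict labels and sample result maps are assumptions constructed for illustration.

```python
import socket

def probe(host, port, timeout=3.0):
    """Classify one TCP port with the three states portqry reports."""
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror:
        return "UNRESOLVED"            # DNS problem, not a port problem
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((addr, port))
        return "LISTENING"             # three-way handshake completed
    except ConnectionRefusedError:
        return "NOT LISTENING"         # RST came back: reachable, nothing bound
    except OSError:
        return "FILTERED"              # timeout or unreachable: dropped en route
    finally:
        s.close()

def locate_block(inside, outside):
    """Compare {port: state} maps taken from a host next to the server
    (inside) and from an Internet host (outside); one verdict per port."""
    verdicts = {}
    for port in sorted(set(inside) | set(outside)):
        i, o = inside.get(port), outside.get(port)
        if i != "LISTENING":
            verdicts[port] = "listener"  # no answer even locally: ISA/IIS binding
        elif o == "LISTENING":
            verdicts[port] = "open"      # reachable end to end
        elif o == "FILTERED":
            verdicts[port] = "edge"      # dropped by a device in front of the listener
        else:
            verdicts[port] = "unknown"   # e.g. UNRESOLVED, or refused by an edge device
    return verdicts

if __name__ == "__main__":
    # Constructed sample: the 443 states mirror the thread (answers inside,
    # 'filtered' from the Internet); the 8080 states are assumed.
    inside = {443: "LISTENING", 8080: "LISTENING"}
    outside = {443: "FILTERED", 8080: "FILTERED"}
    for port, verdict in locate_block(inside, outside).items():
        print(port, verdict)
    # Live use: build each map with probe() from the matching vantage point,
    # e.g. {p: probe("mysite.mycompany.com", p) for p in (443, 8080)}
```

An "edge" verdict for 443 points at the router/firewall access-lists rather than at the IIS port binding, which is the layer the last reply in the thread singles out.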