> I attempted to access such https://mysite.mycompany.com from
> a host on the same network where the site was - it worked great.
> I did a portqry.exe -n mysite.mycompany.com -e 443 and it was
> successful. That tells me the ISA server was accepting the connections.
> I went back to the IIS site and changed it from port 8080 to port
> 8081; I changed the ISA web listener to port 8081. That did not
> break it, I still can access the site from the Internet.
If I understood your configuration correctly, you have just stated that the
strange behavior has nothing to do with IIS-related behavior.
> Then I decided to change the access-list in the Cisco border
> router and in the PIX firewall from "allow 80" to "allow 8080".
> The whole thing worked instantly and I was then able to connect
> to https://mysite.mycompany.com from the Internet.
It seems that the strange behavior is in this layer somewhere. I do not see
IIS involved in here, so the best thing I can suggest is for you to obtain
support for your questions from those respective vendors.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Marlon Brown" <nospamarlon@hotmail.com> wrote in message
news:urhaQ0qeFHA.256@TK2MSFTNGP14.phx.gbl...
Sure. Here we go:
First of all, I followed the steps to publish "Sharepoint 2003 - ISA 2004".
I don't have a link to this document since it was a hand-out given at MS,
but basically the document tells me to go to the respective IIS website and
assign port 8080 (instead of 80).
Then on ISA 2004, I created a publishing rule that states SSL=443 (note
that 80 or 8080 was not selected). In the web listener, yes, the instructions
told me to listen on port = 8080 and SSL port=443.
In the border router and in the PIX firewall (both devices are "in front of"
the ISA 2004) I made sure the access-lists were opened accordingly for both
80 and 443.
I attempted to access such https://mysite.mycompany.com from a host on the
same network where the site was - it worked great. I did a portqry.exe -n
mysite.mycompany.com -e 443 and it was successful. That tells me the ISA
server was accepting the connections.
I tried to access https://mysite.mycompany.com from the Internet and it
resolved OK to the respective IP address, but it always failed (DNS error,
page cannot be displayed).
Then I did a portqry.exe -n mysite.comapany.com -e 443 and it returned
'filtered'. Definitely this was "blocked" somewhere.
Then I decided to change the access-list in the Cisco border router and in
the PIX firewall from "allow 80" to "allow 8080".
The whole thing worked instantly and I was then able to connect to
https://mysite.mycompany.com from the Internet.
Out of curiosity:
I go to the PIX firewall and border router and there is no hitcount for the
8080 access-list.
I took traces of client and server connections and I only see traffic on
port 443.
I went back to the IIS site and changed it from port 8080 to port 8081; I
changed the ISA web listener to port 8081. That did not break it, I still
can access the site from the Internet.
Perhaps this was an anomaly that got cleared after I changed the access-list in
the router or PIX firewall, because the way I see it is that this 8080 port
is doing nothing.
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:eCWtWkjeFHA.2128@TK2MSFTNGP14.phx.gbl...
> Well, the issue could be with your:
> 1. Checkpoint firewall
> 2. network devices between the firewall and ISA Server
> 3. ISA Server
> 4. network devices between ISA Server and IIS
> 5. IIS server
>
> Can you please describe the steps you took to determine that issues #1
> through #4 were not happening, thus it must be #5 that is causing the
> strange behavior?
>
> Given your current information, the issue seems to be with the Checkpoint
> firewall.
>
> --
> //David
> IIS
>
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
> "Marlon Brown" <nospamarlon@hotmail.com> wrote in message
> news:%23nuE0LeeFHA.688@TK2MSFTNGP14.phx.gbl...
> Correct. It should work over 443, but then the connection from client to
> server was successful only upon opening port 8080 in the firewall. This is
> the part I can't understand.
> "David Wang [Msft]" <someone@online.microsoft.com> wrote in message
> news:OK$olWdeFHA.1384@TK2MSFTNGP09.phx.gbl...
>> I'm not certain what your question is about. Can you clarify?
>>
>>
>> Your requests are over https:// , which defaults to port 443. This means
>> that for those requests, you should NOT see traffic over HTTP/8080 -- which is
>> exactly what you are seeing. So, I'm confused at what behavior you are
>> trying to understand because it all looks by-design to me right now.
>>
>> --
>> //David
>> IIS
>>
>> http://blogs.msdn.com/David.Wang
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> //
>> "Marlon" <marlon-nospam@hotmail.com> wrote in message
>> news:eNNYszMeFHA.2520@TK2MSFTNGP09.phx.gbl...
>> Win2003, IIS6.
>> Under "Internet Information Services/Web Sites" snap-in, I've created a
>> "Mysite" site.
>>
>> If I click "Properties", "Web Site" tab, I see the following information:
>> TCP Port=8080 SSL=443
>>
>> I published this site via ISA 2004. In ISA I set up a web listener to
>> "listen on port 8080" and "SSL=443".
>>
>> Then when I browse https://mysite.mycompany.com
>> I take traces and I see no indication of port 8080 being in use. Netmon
>> doesn't show that packets use port 8080 at all, either on the client or
>> the server, during the request to https://mysite.mycompany.com (all the
>> communications are happening over SSL).
>>
>> The strange part is this:
>> Prior to opening port 8080 in our main edge Checkpoint firewall, the site
>> was unreachable from the "Internet".
>> Perhaps even more strange, after opening the port in the edge firewall
>> and making the whole thing work, I go back to the edge firewall and I see *no*
>> hits in the access-list related to port 8080.
>>
>> What would this port 8080 be used for in this situation? I am
>> curious.
>
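The thread relies on portqry.exe results ("successful" from inside, "filtered" from the Internet) to decide which layer is at fault. As an added example that is not part of the original thread, this sketch shows what those TCP results mean at the socket level; `probe_tcp`, `probe_ports`, `demo_loopback` and the `UNRESOLVED` label are names chosen here, and the loopback listener is constructed so the check runs offline.

```python
import errno
import socket

def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP port using portqry's result names."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "LISTENING"          # three-way handshake completed
    except ConnectionRefusedError:
        return "NOT LISTENING"          # RST came back: host reachable, port closed
    except socket.timeout:
        return "FILTERED"               # no answer at all: the SYN was dropped
    except socket.gaierror:
        return "UNRESOLVED"             # own label: name lookup failed, nothing sent
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "FILTERED"           # unreachable reported by a device in the path
        raise

def probe_ports(host, ports, timeout=3.0):
    """Probe several ports from this vantage point; returns {port: state}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}

def demo_loopback():
    """Constructed offline check: a throwaway listener on 127.0.0.1."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))     # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=1.0)
    return while_open, after_close

if __name__ == "__main__":
    print(demo_loopback())
    # Run the same probe inside and outside the perimeter and compare, e.g.
    # probe_ports("mysite.mycompany.com", [443, 8080])
```

LISTENING from the internal network together with FILTERED from the Internet for the same port places the drop on a device between the two vantage points, which is the conclusion the replies above reach.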