Extended the SSL tunnel port of ISA 2004 firewall

xiaoxiao 2021-03-06

An ISA firewall is both a network firewall and a web proxy server. The firewall component of ISA Server performs packet filtering and application-layer stateful inspection; the web proxy component lets it act as a CERN-compatible HTTP 1.1 web proxy server. The web proxy component (actually the web proxy filter inside the ISA Server 2004 firewall) can decode HTTP communication, apply application-layer stateful filtering, and then rebuild the HTTP communication when forwarding it to the external destination web server.

However, an SSL connection established between a host on the network protected by the ISA firewall and an external network is a little different. When the internal host initiates an SSL request through the ISA firewall, the ISA firewall can inspect the HTTP headers according to the access rules; once the SSL tunnel is established between the two SSL endpoints, however, the data inside the tunnel is encrypted, and the ISA firewall no longer inspects the transferred data.

The process of establishing an SSL tunnel between internal web clients and destination web servers is shown below:

1. The internal web client requests an SSL object on the destination web server by entering its address in the browser's address bar, for example:

https://URL_NAME

2. The browser sends this request to port 8080 on the ISA firewall (the default web proxy listener port):

CONNECT URL_NAME:443 HTTP/1.1

3. The ISA firewall connects to port 443 on the destination web server.

4. After the connection is established, the ISA firewall returns the following to the web client:

HTTP/1.0 200 Connection established

From this point on, the client communicates directly with the external web server through the tunnel and no longer passes through the ISA firewall's web proxy component, so the ISA firewall cannot perform application-layer stateful inspection of the data and commands encapsulated in the SSL tunnel.

When the external web server uses the standard SSL port, TCP 443, everything works. But sometimes your web proxy clients use other ports to reach SSL web sites; for example, a web proxy client may use port 4433 instead of 443 to reach a bank's web site. This also causes an error for SecureNAT (SNAT) clients and Firewall clients, because the ISA firewall forwards their HTTP connections to the web proxy filter as well; the client may see a blank page or an error page stating that the page cannot be displayed.

The problem is that the web proxy filter only forwards SSL tunnels to TCP port 443; if a client wants to connect to an SSL site that does not use TCP 443, the connection attempt fails. You can solve this by extending the SSL tunnel port range. To do so, download Jim Harrison's script and enter the range of SSL tunnel ports that the ISA firewall's web proxy component should allow.

Perform the following steps to extend the SSL tunnel port range:

Download the ISA_TPR.JS file (http://down.isacn.org/isa_tpr.js) and copy it to the ISA firewall computer. Note: do not use a browser on the ISA firewall, and do not run other client programs, such as e-mail clients, on the ISA firewall.

Double-click ISA_TPR.JS to run it. The first dialog box shows your current status, "This is your current tunnel port range list"; click OK;

Next, the NNTP port is displayed; click OK;

Then the SSL port is displayed; click OK;

Copy ISA_TPR.JS to the root directory, open a command prompt window and enter the following command: Isa_tpr.js /?

You will see the following dialog:

To add a new SSL tunnel port, for example 8848, enter the following command and press Enter:

CScript isa_tpr.js /add ext8848 8848

You will then see the following message, confirming that the script ran successfully.
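The following is an added example, not the article's or Jim Harrison's code: a small Python model of the web proxy filter's decision on the CONNECT request described in steps 1-4 above, plus the effect of the /add command. The default ranges (SSL 443, NNTP 563) and the 502 reply are assumptions that approximate ISA 2004 behaviour, and the host names are constructed.

```python
from dataclasses import dataclass
import re

# Matches the request line the browser sends to the proxy, e.g. "CONNECT host:443 HTTP/1.1".
CONNECT_RE = re.compile(r"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]$")

@dataclass(frozen=True)
class TunnelPortRange:
    name: str
    low: int
    high: int

    def contains(self, port: int) -> bool:
        return self.low <= port <= self.high

class WebProxyTunnelPolicy:
    """Models the web proxy filter's list of SSL tunnel port ranges (assumed defaults)."""

    def __init__(self) -> None:
        # Assumed defaults: SSL on 443 and NNTP-over-SSL on 563, the two entries the
        # isa_tpr.js dialogs in the article list.
        self.ranges = [TunnelPortRange("SSL", 443, 443), TunnelPortRange("NNTP", 563, 563)]

    def add_range(self, name: str, low: int, high: int = 0) -> None:
        """Same effect as 'CScript isa_tpr.js /add <name> <port>'; high=0 means a single port."""
        high = high or low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range {low}-{high}")
        if any(r.name == name for r in self.ranges):
            raise ValueError(f"range name {name!r} already exists")
        self.ranges.append(TunnelPortRange(name, low, high))

    def handle_connect(self, request_line: str) -> tuple[int, str]:
        """Return (status, reply line) the proxy sends for one CONNECT request line."""
        m = CONNECT_RE.match(request_line.rstrip("\r\n"))
        if m is None:
            return 400, "HTTP/1.0 400 Bad Request"
        if any(r.contains(int(m.group("port"))) for r in self.ranges):
            # From here on the proxy only relays encrypted bytes; no more HTTP inspection.
            return 200, "HTTP/1.0 200 Connection established"
        # Port outside every tunnel range: the browser gets an error page instead (the
        # status and text are stand-ins; ISA's real error page is not reproduced here).
        return 502, "HTTP/1.0 502 Proxy Error (SSL port not in tunnel port range)"

if __name__ == "__main__":
    policy = WebProxyTunnelPolicy()
    print(policy.handle_connect("CONNECT bank.example.com:4433 HTTP/1.1")[1])  # blocked
    policy.add_range("ext4433", 4433)  # extend the range, as the article does for 8848
    print(policy.handle_connect("CONNECT bank.example.com:4433 HTTP/1.1")[1])  # tunnelled
```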

Alternatively, you can download the .NET program isatpre.zip (http://down.isacn.org/isatrpe.zip) and install it on the ISA firewall. This program gives you a simpler way to modify the SSL tunnel port range. The following figure shows the program's interface:

Enter the port range and the name you want to define, click the Add Tunnel Range button, then click Refresh; the new SSL tunnel port range appears in the list.

Note that the above applies only to connections that pass through the web proxy filter. If you disable the web proxy filter on the ISA firewall, HTTP traffic passing through the ISA firewall is no longer forwarded to the web proxy filter. In that case, you can allow access to external web sites on non-standard SSL ports (ports other than TCP 443) by defining a protocol for the other SSL port and creating an outbound access rule that allows that protocol.

Please credit the original source when reposting: https://www.9cbs.com/read-47892.html
