| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Hi guys, hoping somebody can help out here. We currently have all our client machines pointing to the ISA Server for web proxy. We then have a rule in Check Point that says: ISA Server to Anywhere using http and https, accept. HTTP traffic works fine; however, https traffic is dropped by the firewall. How does one get round this problem? Thanks in advance |
| |||
| Go and check on the log viewer (SmartView Tracker), do a filter by source and check why the traffic is being dropped. Check rule number, etc. It can be a lot of things, like anti-spoofing (if the ISA has multiple interfaces, but very unlikely), error in policy configuration or NAT (unlikely), rule order, etc. |
| |||
| Thanks for the reply - I am seeing the traffic get dropped but no reason why. The traffic is being dropped by the cleanup rule.

Number: 25069
Date: 30Apr2008
Time: 10:34:34
Product: VPN-1 Power/UTM
Interface: eth2c0
Origin: nk-firewall
Type: Log
Action: Drop
Protocol: tcp
Service: https (443)
Source: 10.72.x.x
Destination: 212.x.x.x
Rule: 73
Current Rule Number: 73
Rule UID: {29FF8150-E789-41C3-B52D-D25CD6D95182}
Source Port: 1185
SmartDefense Profile: No Protection

Would this be something to do with the way ISA Server forwards the HTTPS packet to the firewall, and then the firewall can't inspect the packet? |
| |||
| ISA works perfectly behind FW-1. Check to make sure your HTTPS service definition is set up correctly. Check to make sure you're really using HTTPS in the rule and not SSL_V3. The two are not the same. Ray |
| |||
| If the traffic is being dropped on the last rule that means it isn't matching the HTTPS rule you created, so go and double check it. Check source, service, etc. (if you have multiple firewalls, make sure it's being applied to the right one) |
| |||
| Changed to ENC_HTTP and packets are still being dropped by the cleanup rule. Do I have to do anything with the https packets that leave the ISA server? I know this is probably the wrong forum. |
| |||
| Did you push the policy after making the change? It has nothing to do with the ISA packets. What you're trying to do is already being done by tons of companies. Ray |