Unable to connect through MS ISA2004 server

[rubber_chicken]

Hi,

I'm trying to connect to an external suppliers SSL VPN connection. I sit behind a MS ISA 2004 server. I get to the Checkpoint authentication page, enter my credentials and then whilst it sets up the connection I get another request for credentials.

The pop-up is "Realm proxy-caching web server "

No credentials I have found work.

My ISA server allows anonymous connections. This connection works when I try it over my home DSL connection so I know the remote credentials are correct and not locked out.

So, it looks like an ISA problem, but I thought this was supposed to go through all proxies.

Any ideas?

All help is appreciated.

[RayPesek]

Oddly, I spent today from behind an ISA 2004 server (which is behind FW-1) to connect to a test Connectra NGX R61 box that's on a cable modem on the Internet (my R60 to R61 upgrade test box).

When I did this same thing to Connectra NGX R60, I got the same proxy prompt and could enter my credentials as "domain\user" and get through ISA (I do require authentication through ISA). I haven't gotten it once connecting to Connectra NGX R61 with its version of the SSL Network Extender.

One of the fixes in Connectra NGX R61 is improved authentication through proxy servers, yet you say ISA does not require authentication. Do you know what version of Connectra they're using?

Ray

[rubber_chicken]

Hi,

Sorry for the delay in responding. Not too sure what version they are running. I'll go away and see if I can find out. I don't suppose the connection website gives me any clues?

Cheers

[RayPesek]

If they have it set up so you have to select "current browser" or the "Integrity Secure Browser", it's not R61. The Integrity Secure Browser was removed in R61 in favor of a "Secure Workspace" or whatever it's called.

They may not give you the ISB selection, so if it's not there, it's not definitive. I don't know if the ISB was there before Connectra NGX.

Both the login screen and the SSL Network Extender in R61 have a 2004-2006 copyright date on its screen while the R60 one has a 2004-2005 date.

I looked at the release notes and confirmed that R61 will work through ISA with either NTLM (Integrated) authentication or Basic authentication. R60 only worked through ISA with Basic authentication.

If your ISA server in fact has authentication required and Basic was not enabled and they are pre-R61, that could cause what you're seeing.

Ray

[stextor]

I have this same issue with R60. I vpn in, try to connect to an http site and then login and get redirected to an https site. When I do this I get a "page not found". What I have found as a workaround is to set the "protocol type" to http_non_standard. Go to the properties of your http protocol.. click advanced.. use the drop down list to change it from http to http_non_standard. The only caveate is when you close the browser (or even logoff) the IE browser locks up.

In the meantime we upgraded to SP2 on our ISA servers. Still didn't help unless http_non_standard is selected.

Anyone know the difference between http and http_non_standard?

[RayPesek]

Sorry, I don't know the difference. Is this the topology?

You behind ISA 2004 -> Internet -> Connect to Connectra behind some kind of firewall -> connect to internal HTTP server -> redirect to HTTPS server

However if you installed ISA 2004 SP2, make sure you also installed the post-SP2 hotfix or you will have other headaches: http://support.microsoft.com/kb/916106/en-us

Are you traversing ISA 2004 as a SecureNAT client, a firewall client and/or a web proxy client?

Ray