2

We have an ISA 2006 setup for our organisation's proxy. It's been working well for the last few months, just blocking everything except a few allowed web sites and web applications.

We need to allow some people to access a web application hosted off site via HTTPS. I've tried and tried, wasted 3 days on it and have given in.

Can someone please tell me how on earth this is achieved?

Looking at the Monitor, it looks like it passes one rule, then is blocked by the default rule. I just don't understand it well enough to take it on further.

x100

2 Answers

1

You need a URL or Domain Name set describing the target.

Then, you need an Access Rule.

  • Allow
    • From: Internal (or whatever network the users are on)
    • Protocols: HTTP & HTTPS (or just HTTPS)
    • To: Target URL Set
    • Users: Whomever you want. If setting All Users works, it's an authentication problem.

Caveats:

  • Authentication must be working in order to do it by user.
  • the target URL Set for HTTPS needs to be https://domain.com
    • possibly http://domain.com (yes, even for SSL, I don't have one to test with but remember some funkiness around that)
    • HTTPS targets in URL Sets cannot include a path, because the browser doesn't share that with the proxy. Domain Name Sets would work for this too.
  • When testing, remember the Two Minute Rule.
    • the Two Minute Rule is that ISA will take up to two minutes for the change to kick in, so wait until then before deciding something hasn't worked.

You'll need to post more details about how you're going about it, and the problems you're having - from your description, it could be anything.

TristanK
0

When you want to access an HTTPS site on a Non Standard port (other than 443) you need to create a TUNNEL Port Range via ISA or TMG.

In this page: https://learn.microsoft.com/en-us/previous-versions/tn-archive/cc302450(v=technet.10)?redirectedfrom=MSDN there are 3 scripts for View, Add and Delete Tunnel Port Range .. but when you Copy Paste on your local computer you need to be "smart" since they will not work because some wise guy from MS .. split a line in 3 rows in a very STONE AGE MANNER :)

In the end you will have 3 files on your computer.

Or you can download all work done from here: http://www.bizarnet.ro/TMG_Tunel_Port_Range.zip

I also had this issue for 12 years and clarified it 2 weeks ago :)
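
The two points made in the answers above (an HTTPS URL Set entry cannot carry a path, and CONNECT to a port other than 443 needs a tunnel port range) can be seen in a simplified model of what a forward proxy is able to match on. This is an added example, not ISA Server code and not code from either answer; the host app.example.com, the function names and the matching logic are assumptions, and URL scheme handling is left out.

```python
# Simplified model of a forward proxy's allow decision (assumption: NOT ISA's rule engine).
from urllib.parse import urlsplit

TUNNEL_PORTS = {443}  # assumed CONNECT allow-list; the second answer's "tunnel port range"

def visible_to_proxy(request_line):
    """Return (host, port, path) as the proxy sees them; path is None inside a tunnel."""
    method, target, _version = request_line.split()
    if method == "CONNECT":
        # HTTPS through a proxy: the browser only asks for a tunnel to host:port.
        host, _, port = target.rpartition(":")
        return host.lower(), int(port), None
    # Plain HTTP through a proxy: the full absolute URL is sent, path included.
    url = urlsplit(target)
    return url.hostname, url.port or 80, url.path or "/"

def entry_matches(entry, host, path):
    """Match one URL Set style entry; a trailing * on the path is a prefix wildcard."""
    parsed = urlsplit(entry)
    if parsed.hostname != host:
        return False
    wanted = parsed.path.rstrip("*")
    if wanted in ("", "/"):
        return True  # host-only entry: nothing more to compare
    # An entry with a path can never match a tunnel, because no path was sent.
    return path is not None and path.startswith(wanted)

def decide(request_line, url_set, tunnel_ports=TUNNEL_PORTS):
    host, port, path = visible_to_proxy(request_line)
    if path is None and port not in tunnel_ports:
        return "deny: port %d not in tunnel port range" % port
    if any(entry_matches(entry, host, path) for entry in url_set):
        return "allow"
    return "deny: default rule"

if __name__ == "__main__":
    # Constructed sample requests and rule entries.
    cases = [
        ("CONNECT app.example.com:443 HTTP/1.1", ["https://app.example.com/portal/*"]),
        ("CONNECT app.example.com:443 HTTP/1.1", ["https://app.example.com"]),
        ("CONNECT app.example.com:8443 HTTP/1.1", ["https://app.example.com"]),
        ("GET http://app.example.com/portal/login HTTP/1.1", ["http://app.example.com/portal/*"]),
    ]
    for line, url_set in cases:
        print(line, url_set, "->", decide(line, url_set))
```
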