SSTP and ISA Server 2006 non-web server rule

  • Question

  • Hey,

    I tried to set up SSTP with an ISA server, a Windows 2008 VPN server, etc.

    My setup is that the ISA is behind a Cisco ASA box, for edge filtering (and nothing else), and the ISA has public IPs on the external side.

    My Windows 2008 server is on the inside with two NICs (both on the inside), one dedicated to the ISA server and one as a DHCP relay interface.

    When I made my ISA server publishing rule, I followed the MS lab guide as well as the isa-server.org guides, and made a NON-web server publishing rule. I use NLB on the outside, so I dedicated an IP to the SSL/SSTP rule, made a record in the outside DNS for test, and made the SSTP server certificate out to that name. Straightforward.

    BUT - on the ISA server, when I watch the live log while the client tries to connect, I see the traffic as HTTPS and not HTTPS Server traffic, and it is then denied by the default deny rule, as the server publishing rule doesn't catch it.

    Is it the ASA box that does something to the packets, or am I doing it all wrong?

    Any thoughts and ideas are welcome. Should I instead use the ISA as an SSL terminator and then create a listener, and configure the SSTP server to use port 80 and not SSL?
    Kind regards, Jesper Bagh
    Friday, July 3, 2009 12:29 PM

All replies

  • Hi Jesper,

    Some questions for you:
    Q1 - "Windows 2008 server is on the inside with two nics (both on the inside)" - why? Having two NICs in the same subnet isn't functional.
    Q2 - Do you have a Web listener operating on the same IP address as the server publishing rule?
    Q3 - Do you see resource allocation errors in the Windows Application event log or the ISA Alerts?
    Q4 - you don't say - is ISA operating on two NICs?

    Some answers:
    A1 - No; you cannot use ISA to Web-publish SSTP. TMG answers this need.
    A2 - Given your ISA log information, I doubt that the ASA is doing anything ISA couldn't do for itself (and cheaper).

    Jim Harrison Forefront Edge CS
    Monday, July 6, 2009 9:14 PM
  • Hi Jim,

    Thank you for your reply.

    A1> I know - reconfigured the W2k8 with only one NIC.
    A2> No - separate NLB address for the server publishing rule and a separate DNS entry on the outside for it.
    A3> No errors on the ISA server, other than it failing in the live logs, caught by the default rule.
    A4> Yes (actually three), since it is also doing SCMDM firewalling and web listeners for the enrollment (so outside, DMZ, inside).

    Cannot figure out why the traffic doesn't hit the non-web publishing rule. The rule states HTTPS Server as the traffic, and in the live log I see HTTPS traffic coming in. But I cannot choose HTTPS traffic in the rule (it being outbound, and HTTPS Server being inbound). So why is the traffic showing in the log as being outbound?

    Kind regards, Jesper Bagh
    Tuesday, July 7, 2009 7:00 AM
    When you see the traffic being handled this way, it usually indicates that it was processed by the Web proxy, which by extension means that a Web listener is processing the traffic and passing it through Web publishing rules only.
    A2 - That doesn't answer the question of web listener configuration. If you have one web listener operating on "all addresses" on the same network, the server publishing rule cannot work.
    Jim Harrison Forefront Edge CS
    Tuesday, July 7, 2009 5:14 PM
    I do not have a listener where all addresses are configured. All listeners have their own NLB addresses. I have the server publishing rule as rule no. 1.

    Kind regards, Jesper Bagh
    Wednesday, July 8, 2009 7:00 AM
  • Hey,

    Thank you for your reply.

    Those were the guides I followed to the letter, as I stated in my original mail.

    The problem here is that I have 15 NLB addresses on the public interface, which is behind an ASA box: 14 web listeners and 1 non-web listener. That non-web listener is the server publishing rule for SSTP, and it does not catch the traffic; it is being caught by the default deny rule as HTTPS and not HTTPS Server, as I defined, per the guides, in the server publishing rule.


    Kind regards, Jesper Bagh
    Wednesday, July 15, 2009 6:34 AM
  • The rule setup:

    Network rule - external -> internal (route)

    Non-web server publishing rule:

    From : Anywhere
    Traffic: (HTTPS server traffic) 
    To: internal IP address (SSTP w2k8 server) (requests appear to come from original client)
    Networks:  External - only listens on a single IP that I have defined in NLB settings in ISA

    So my question is: why do I see the traffic being denied by the default rule, but as HTTPS traffic, and not caught by the rule as HTTPS traffic?

    Kind regards, Jesper Bagh
    Monday, July 20, 2009 10:57 AM
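An added example, not code from this thread or from ISA Server, that turns Jim's diagnosis (traffic logged by the Web proxy means a web listener owns the socket and server publishing rules never see it) and Jesper's rule setup above into two checks: a log triage that sorts inbound TCP 443 flows to the published SSTP address by who handled them, and a listener audit that flags any web listener bound to all External addresses or to the SSTP rule's own NLB address. The log layout, listener table, IP addresses and rule/listener names are constructed for the example; the log format is a simplified tab-separated stand-in, not ISA's exact W3C schema.

```python
"""Triage helpers for the SSTP server-publishing symptom in this thread.

Added example; not ISA Server code. Assumed (not from the thread): the
tab-separated log layout, the listener table, the IPs and the rule names.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

SSTP_VIP = "203.0.113.10"             # assumed NLB address dedicated to the SSTP rule
SSTP_RULE = "SSTP server publishing"  # assumed name of the non-web server publishing rule

# Constructed, simplified log lines (not ISA's exact W3C schema). Fields:
# log type, client IP, destination IP, destination port, protocol, action, rule
SAMPLE_LOG = """\
Web Proxy Filter\t198.51.100.23\t203.0.113.10\t443\tHTTPS\tDenied\tDefault rule
Firewall\t198.51.100.23\t203.0.113.10\t443\tHTTPS Server\tAllowed\tSSTP server publishing
Web Proxy Filter\t198.51.100.31\t203.0.113.11\t443\tHTTPS\tAllowed\tEnrollment web publishing
Firewall\t198.51.100.40\t203.0.113.10\t443\tHTTPS\tDenied\tDefault rule
"""


@dataclass(frozen=True)
class LogEntry:
    log_type: str
    client_ip: str
    dest_ip: str
    dest_port: int
    protocol: str
    action: str
    rule: str


def parse_log(text: str) -> List[LogEntry]:
    """Parse the constructed tab-separated layout into LogEntry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("\t")
        if len(f) != 7:
            raise ValueError(f"malformed log line: {line!r}")
        entries.append(LogEntry(f[0], f[1], f[2], int(f[3]), f[4], f[5], f[6]))
    return entries


def classify(e: LogEntry) -> str:
    """Name the situation a single inbound-443 log entry describes."""
    if e.dest_ip != SSTP_VIP or e.dest_port != 443:
        return "unrelated"
    if e.log_type == "Web Proxy Filter":
        # The Web proxy took the connection before any server publishing
        # rule could: a web listener is bound to this address (or to all
        # addresses) on the External network.
        return "intercepted by web listener"
    if e.protocol == "HTTPS Server" and e.rule == SSTP_RULE and e.action == "Allowed":
        return "handled by SSTP rule"
    if e.protocol == "HTTPS":
        # Logged under the outbound HTTPS definition by the firewall engine:
        # the server publishing listener did not claim this address/port.
        # Check the rule is enabled and its External address set has the VIP.
        return "not claimed by server publishing rule"
    return "other"


def classify_log(text: str) -> Dict[str, int]:
    """Count how each inbound flow to the SSTP VIP was handled."""
    return dict(Counter(classify(e) for e in parse_log(text)))


@dataclass(frozen=True)
class WebListener:
    name: str
    network: str
    addresses: FrozenSet[str]  # empty set stands for "all addresses" on that network


# Constructed listener table standing in for what the ISA console shows;
# all listeners are assumed to use SSL on port 443.
SAMPLE_LISTENERS = [
    WebListener("Enrollment listener", "External", frozenset({"203.0.113.11"})),
    WebListener("OWA listener", "External", frozenset({"203.0.113.12"})),
    WebListener("Catch-all listener", "External", frozenset()),
    WebListener("Internal proxy listener", "Internal", frozenset()),
]


def listener_conflicts(listeners: Iterable[WebListener], vip: str = SSTP_VIP,
                       network: str = "External") -> List[str]:
    """Return names of web listeners that would take port 443 on the SSTP VIP."""
    return [l.name for l in listeners
            if l.network == network and (not l.addresses or vip in l.addresses)]


if __name__ == "__main__":
    print(classify_log(SAMPLE_LOG))
    print("conflicting listeners:", listener_conflicts(SAMPLE_LISTENERS))
```

With the constructed data, the first and fourth log lines are the symptom from the thread (denied by the default rule, logged as HTTPS rather than HTTPS Server), and the listener audit names the one listener that would explain it. Against a real ISA you would feed it the firewall and web proxy log exports and the listener addresses from the console, after adjusting the field layout.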
  • The only way to know that is to gather an ISABPA data package (IDP).

    Please get ISABPA from www.isabpa.com and install it on the ISA

    ..at the ISA…

    1. Start | All Programs | Microsoft ISA Server | ISA Tools | ISA Data Packager

    2. Select Collect data using one of the following repro scenarios

    3. Select Web Proxy and Web publishing

    4. Click Next

    5. In the next page, click Start data collection

    ..IDP will run through its preparatory process

    6. When prompted, hit <space> to start the data capturing

    ..at the client…

    7. Perform your repro

    ..at the ISA …

    8. Wait a few seconds and hit <space> again to stop the capture


    Respond here with a link to the data including a list of relevant IPs (client, ISA, remote).

    Jim Harrison Forefront Edge CS
    • Marked as answer by James Kilner Wednesday, June 9, 2010 10:59 AM
    • Unmarked as answer by Jesper Bagh Thursday, June 10, 2010 7:35 AM
    Thursday, July 23, 2009 3:33 PM
    Will do.
    Kind regards, Jesper Bagh
    Friday, July 31, 2009 11:47 AM
  • Jesper,

    If you still want this thread to stay open, please post the information that Jim requested.


    Tuesday, September 28, 2010 8:13 AM