Cisco ASA Clientless VPN issue with IIS 10/Server 2016 SSL Sites…Site Unavailable?

  • Question

  • We are experiencing an issue where we cannot browse SSL IIS 10 websites on Server 2016 using Cisco's Clientless VPN.

    We have a Cisco ASA 5510 firewall running firmware 9.1.(7)20 and use ASDM 7.5(2). We have many web servers, but for this issue we know we have some Server 2008 R2 6.1 (Build 7601 SP1) with IIS 7.5.7600.16385, Server 2012 R2 Datacenter (6.2 Build 9200) with IIS 8.5.9600.16384, and Server 2016 1607 (Build 14393.1770) with IIS 10.0.14393.0.

    When we attempt to use the Clientless VPN through the firewall to access internal resources, we are unable to view SSL protected sites if they are hosted on Server 2016 with IIS 10. We are able to view both http and https sites through the VPN from Server 2008/IIS 7 and Server 2012/IIS 8, and are able to view http sites through the VPN from Server 2016/IIS 10. If we attempt to access an https site hosted on Server 2016/IIS 10 through the clientless VPN, we get a "URL unavailable" message from the firewall. We have confirmed this on 3 servers.

    We get the same result if the site is secured with either a domain certificate OR a GoDaddy wildcard certificate. Both types of certificates work for secure resources on Server 2008/Server 2012.

    We performed a Wireshark capture between a working 2012 web server and the firewall, as well as a non-working 2016 web server and the firewall. The traffic followed a similar pattern; however, on the 2016 server, after the certificate exchange there are no more acknowledgments from the server. At the recommendation of some articles we read, we enabled all ciphers on the firewall hoping to circumvent any incompatibility with encryption protocols, but this resulted in identical behavior. The certificate exchange and ciphers in the packet capture are identical for both the 2012 and 2016 servers. However, after the certificate exchange it looks like the firewall and the server are not encrypting/decrypting traffic correctly.

    We're stuck... we're pretty sure the issue is a new configuration in IIS related to SSL, but we've searched the web and crawled through settings and found nothing. If anyone has made the Clientless VPN work with secure IIS 10 sites, or if anyone has any idea of a configuration in IIS 10 that could help us, we'd be extremely appreciative.
    Thursday, December 21, 2017 6:17 PM
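The capture described in the question (a normal ClientHello/ServerHello/Certificate exchange, then silence) is the kind of thing a small record-level walker makes easy to compare side by side between the 2012 and 2016 servers. The following is an added example, not code from the thread or from Cisco or Microsoft: it parses raw TLS 1.x records from a byte stream, lists the handshake messages seen, pulls the negotiated version and cipher suite out of the ServerHello, stops interpreting handshake bodies once ChangeCipherSpec has been sent (they are encrypted from then on), and reports where a stalled exchange stopped. The sample streams at the bottom are constructed by hand (placeholder certificate bytes, zeroed randoms, cipher suite 0xC02F) and concatenate both directions in wire order, which is a simplification of a real two-sided capture; with a real capture you would feed it the reassembled TCP payload of each direction.

```python
"""Walk TLS records from a byte stream and report how far the handshake got."""
import struct

# Constructed sample data only; no real capture from the thread is reproduced here.
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 14: "ServerHelloDone",
                   16: "ClientKeyExchange", 20: "Finished"}
VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}
# What a healthy RSA/ECDHE exchange sends next; used to describe where a stalled handshake stopped.
EXPECTED_NEXT = {"ClientHello": "ServerHello", "ServerHello": "Certificate",
                 "Certificate": "ServerHelloDone", "ServerHelloDone": "ClientKeyExchange",
                 "ClientKeyExchange": "ChangeCipherSpec", "ChangeCipherSpec": "Finished"}


def iter_records(stream):
    """Yield (content_type, record_version, body) for each TLS record in the stream."""
    off = 0
    while off < len(stream):
        if off + 5 > len(stream):
            raise ValueError("truncated record header at offset %d" % off)
        ctype, ver, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated record body at offset %d" % off)
        yield ctype, ver, body
        off += 5 + length


def iter_handshake_messages(body):
    """Yield (handshake_type, message) from a plaintext handshake record body."""
    off = 0
    while off + 4 <= len(body):
        htype = body[off]
        length = int.from_bytes(body[off + 1:off + 4], "big")
        yield htype, body[off + 4:off + 4 + length]
        off += 4 + length


def parse_server_hello(msg):
    """Return (negotiated_version, cipher_suite) from a ServerHello body."""
    version = struct.unpack("!H", msg[:2])[0]
    sid_len = msg[34]                       # 2 bytes version + 32 bytes random precede it
    cipher = struct.unpack("!H", msg[35 + sid_len:37 + sid_len])[0]
    return version, cipher


def summarize(stream):
    """Collect handshake messages, negotiated parameters, alerts and whether app data flowed."""
    summary = {"messages": [], "version": None, "cipher": None, "alert": None, "app_data": False}
    encrypted = False                       # true after ChangeCipherSpec; later records are opaque
    for ctype, _ver, body in iter_records(stream):
        if ctype == 22:                     # Handshake
            if encrypted:
                summary["messages"].append("EncryptedHandshake")
                continue
            for htype, msg in iter_handshake_messages(body):
                name = HANDSHAKE_TYPES.get(htype, "HandshakeType%d" % htype)
                summary["messages"].append(name)
                if htype == 2:
                    ver, cipher = parse_server_hello(msg)
                    summary["version"] = VERSIONS.get(ver, "0x%04x" % ver)
                    summary["cipher"] = "0x%04x" % cipher
        elif ctype == 20:                   # ChangeCipherSpec
            summary["messages"].append("ChangeCipherSpec")
            encrypted = True
        elif ctype == 21:                   # Alert (readable only before ChangeCipherSpec)
            if encrypted:
                summary["messages"].append("EncryptedAlert")
            elif len(body) >= 2:
                summary["alert"] = (body[0], body[1])
        elif ctype == 23:                   # ApplicationData
            summary["app_data"] = True
    return summary


def diagnose(summary):
    """One-line verdict on where the exchange ended."""
    if summary["app_data"]:
        return "handshake completed; application data exchanged"
    if summary["alert"]:
        return "alert level %d description %d" % summary["alert"]
    if not summary["messages"]:
        return "no TLS records seen"
    last = summary["messages"][-1]
    return "stalled after %s; next expected %s" % (last, EXPECTED_NEXT.get(last, "unknown"))


def _record(ctype, body, version=0x0303):
    return struct.pack("!BHH", ctype, version, len(body)) + body


def _handshake(htype, body):
    return _record(22, bytes([htype]) + len(body).to_bytes(3, "big") + body)


# Constructed hellos: TLS 1.2, zeroed random, empty session id, cipher 0xC02F, no compression.
_CLIENT_HELLO = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
                 + b"\x00\x02" + struct.pack("!H", 0xC02F) + b"\x01\x00")
_SERVER_HELLO = struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + struct.pack("!H", 0xC02F) + b"\x00"

# Both directions concatenated in wire order (a simplification of a two-sided capture).
STALLED_STREAM = (_handshake(1, _CLIENT_HELLO) + _handshake(2, _SERVER_HELLO)
                  + _handshake(11, b"\x00\x00\x04\x00\x00\x01\x30")   # placeholder certificate bytes
                  + _handshake(14, b""))
ALERT_STREAM = STALLED_STREAM + _record(21, b"\x02\x28")              # fatal handshake_failure (40)
COMPLETED_STREAM = (STALLED_STREAM + _handshake(16, bytes(66)) + _record(20, b"\x01")
                    + _record(22, bytes(40))                            # encrypted Finished
                    + _record(23, b"encrypted application data"))

if __name__ == "__main__":
    for name, stream in (("stalled", STALLED_STREAM), ("alert", ALERT_STREAM), ("completed", COMPLETED_STREAM)):
        s = summarize(stream)
        print(name, s["version"], s["cipher"], " -> ".join(s["messages"]), "|", diagnose(s))
```

Run against the reassembled bytes of the working and non-working captures, the interesting comparison is the `diagnose` line and the negotiated version/cipher: a stream that ends at ServerHelloDone with no alert points at the client side never sending ClientKeyExchange, while a fatal alert or a stop right after ServerHello points at a version or cipher-suite negotiation problem.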

All replies

  • Hi,

    Since the issue is more related to Cisco's product and we are not familiar with it, I would suggest you contact the Cisco vendor for more help.

    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.

    It is also appreciated that the other members in our forum can share their experience with us about this scenario.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, December 22, 2017 7:19 AM
    Moderator
  • This is a situation where Cisco resources and support seem to think it's a Microsoft/IIS issue, and Microsoft support seems to think it's a Cisco issue.  We're reaching out to the community to hopefully find someone else having a similar issue bridging both worlds.
    Friday, December 22, 2017 3:51 PM
  • Hi,

    If you want to troubleshoot the issues with IIS, you may post in IIS forum:

    https://forums.iis.net/

    Best Regards,

    Candy


    Monday, December 25, 2017 1:42 AM
    Moderator