IIS Server Security - Trying to understand this behavior, Ports in IIS

Marlon

2005-06-24, 5:59 pm

Win2003, IIS6.
Under "Internet Information Services/Web Sites" snap-in, I've created a
"Mysite" site.

If I click "Properties", "Web Site" tab, I see the following information:
TCP Port=8080 SSL=443

I published this site via ISA 2004. In ISA I set up a web listener to "listen
on port 8080" and "SSL=443".

Then when I browse
https://mysite.mycompany.com

I take traces and I see no indication of port 8080 being in use. Netmon
doesn't show that packets use port 8080 at all, either on the client or the
server, during the request to https://mysite.mycompany.com (all the
communications are happening over SSL).

The strange part is this:
Prior to opening port 8080 in our main edge Checkpoint firewall, the site was
unreachable from the "Internet".
Perhaps even more strange, after opening the port in the edge firewall and
making the whole thing work, I go back to the edge firewall and I see *no*
hits in the access-list related to port 8080.

What would this port 8080 be used for in this situation? I am curious.


David Wang [Msft]

2005-06-25, 5:50 pm

I'm not certain what your question is about. Can you clarify?


Your requests are over https://, which defaults to port 443. This means that
for those requests, you should NOT see traffic over HTTP/8080 -- which is
exactly what you are seeing. So, I'm confused at what behavior you are
trying to understand because it all looks by-design to me right now.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//


Marlon Brown

2005-06-25, 8:47 pm

Correct. It should work over 443, but then the connection from client to
server was successful only upon opening port 8080 in the firewall. This is
the part I can't understand.



David Wang [Msft]

2005-06-26, 7:48 am

Well, the issue could be with your:
1. Checkpoint firewall
2. network devices between the firewall and ISA Server
3. ISA Server
4. network devices between ISA Server and IIS
5. IIS server

Can you please describe the steps you took to determine that issues #1
through #4 were not happening, thus it must be #5 that is causing the
strange behavior?

Given your current information, the issue seems to be with the Checkpoint
firewall.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//





Marlon Brown

2005-06-26, 8:47 pm

Sure. Here we go:

First of all, I followed the steps to publish "Sharepoint 2003 - ISA 2004".
I don't have a link to this document since it was a hand-out given at MS,
but basically the document tells me to go to the respective IIS website and
assign port 8080 (instead of 80).
Then on ISA 2004, I created a publishing rule that states SSL=443 (note
that 80 or 8080 was not selected). In the web listener yes, the instructions
told me to listen on port = 8080 and SSL port=443.

In the border router and in the PIX firewall (both devices are "in front of"
the ISA 2004) I made sure the access-lists were opened accordingly for both
80 and 443.
I attempted to access such https://mysite.mycompany.com from a host on the
same network where the site was - it worked great. I did a portqry.exe -n
mysite.mycompany.com -e 443 and it was successful. That tells me the ISA
server was accepting the connections.

I tried to access https://mysite.mycompany.com from the Internet and it
resolved OK to the respective IP address, but it always failed (DNS error,
page cannot be displayed).

Then I did a portqry.exe -n mysite.comapany.com -e 443 and it returned
'filtered'. Definitely this was "blocked" somewhere.

Then I decided to change the access-list in the cisco border router and in
the PIX firewall from "allow 80" to "allow 8080".
The whole thing worked instantly and I was then able to connect to
https://mysite.mycompany.com from the Internet.

Out of curiosity:
I go to the PIX firewall and border router and there is no hitcount for the
8080 access-list.
I took traces of client and server connections and I only see traffic on
port 443.
I went back to the IIS site and changed it from port 8080 to port 8081; I
changed the ISA web listener to port 8081. That did not break it, I still
can access the site from the Internet.

Perhaps this was an anomaly that got cleared after I changed the access-list in
the router or PIX firewall, because the way I see it is that this 8080 port
is doing nothing.



David Wang [Msft]

2005-06-27, 7:55 am

> I attempted to access such https://mysite.mycompany.com from
> a host on the same network where the site was - it worked great.
> I did a portqry.exe -n mysite.mycompany.com -e 443 and it was
> successful. That tells me the ISA server was accepting the connections.


> I went back to the IIS site and changed it from port 8080 to port
> 8081; I changed the ISA web listener to port 8081. That did not
> break it, I still can access the site from the Internet.


If I understood your configuration correctly, you have just stated that the
strange behavior has nothing to do with IIS-related behavior.

> Then I decided to change the access-list in the cisco border
> router and in the PIX firewall from "allow 80" to "allow 8080".
> The whole thing worked instantly and I was then able to connect
> to https://mysite.mycompany.com from the Internet.


It seems that the strange behavior is in this layer somewhere. I do not see
IIS involved in here, so the best thing I can suggest is for you to obtain
support for your questions from those respective vendors.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
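
Marlon reports that the 8080 permit entry on the PIX and the border router shows no hit count. The following is an added example, not part of the original thread: it parses output in the style of a PIX `show access-list` listing and reports permit entries that no packet has matched. The ACL name, addresses, counters and the `SERVICE_PORTS` table are constructed for illustration.

```python
import re

# Constructed sample in the style of PIX "show access-list" output; the ACL
# name, addresses and counters are invented for illustration.
SAMPLE_ACL = """\
access-list outside_in; 3 elements
access-list outside_in line 1 permit tcp any host 192.0.2.10 eq https (hitcnt=1842)
access-list outside_in line 2 permit tcp any host 192.0.2.10 eq 8080 (hitcnt=0)
access-list outside_in line 3 deny ip any any (hitcnt=97)
"""

# Service names a firewall may print instead of port numbers (assumed subset).
SERVICE_PORTS = {"www": 80, "https": 443}

ENTRY = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<match>.*?)\s*"
    r"\(hitcnt=(?P<hits>\d+)\)\s*$"
)

def parse_acl(text):
    """Return one dict per ACL entry that carries a hit counter."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header lines such as "...; 3 elements"
        port = None
        eq = re.search(r"\beq\s+(\S+)", m["match"])
        if eq:
            token = eq.group(1)
            port = int(token) if token.isdigit() else SERVICE_PORTS.get(token)
        entries.append({"acl": m["acl"], "line": int(m["line"]),
                        "action": m["action"], "proto": m["proto"],
                        "port": port, "hits": int(m["hits"])})
    return entries

def unused_permits(entries):
    """Permit entries that no packet has ever matched."""
    return [e for e in entries if e["action"] == "permit" and e["hits"] == 0]

if __name__ == "__main__":
    for e in unused_permits(parse_acl(SAMPLE_ACL)):
        print(f'{e["acl"]} line {e["line"]}: '
              f'permit {e["proto"]}/{e["port"]} has 0 hits')
```

A permit entry that stays at zero hits while the site works is an opening nothing depends on, which makes it a candidate for removal from the edge rule set.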



