Blank page or page cannot be displayed when you view SSL sites through ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition

Article ID: 283284
This article was previously published under Q283284

SUMMARY

If Microsoft Internet Explorer is configured to reference a server that is running Microsoft Internet Security and Acceleration (ISA) Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition as a Web proxy server, when you try to view a Secure Sockets Layer (SSL) Web site on the Internet by using a port other than 443, a blank page may appear with "Page cannot be displayed" in the title bar. Or, you may receive the following error message:
page cannot be displayed
Note Connections to the Microsoft Windows Small Business Server 2003, Premium Edition https://companyweb are also affected because https://companyweb is configured to use port 444 for SSL connections instead of the standard SSL port 443.

MORE INFORMATION

Note The VBScript examples in this article use a COM application programming interface that is supported by ISA Server to create the required settings in ISA storage. ISA maintains storage differently based on the ISA version, as follows:
  • ISA Server 2000 Standard Edition, ISA Server 2000 Enterprise Edition (Standalone mode), and ISA Server 2004 Standard Edition: ISA storage is maintained in the registry.
  • ISA Server 2000 Enterprise Edition: ISA storage is maintained in Active Directory.
  • ISA Server 2004 Enterprise Edition: ISA storage is maintained in Active Directory Application Mode (Configuration Storage Server).
  • ISA Server 2006 Enterprise Edition: ISA storage is maintained in Active Directory Application Mode (Configuration Storage Server).
  • Microsoft Forefront Threat Management Gateway, Medium Business Edition: Microsoft Forefront Threat Management Gateway, Medium Business Edition storage is maintained in Active Directory Lightweight Directory Services (Configuration Storage Server).
Manually editing ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition storage is not supported where COM APIs that are supported by ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition Server exist.

A separate GUID is listed for each tunnel port.

With Secure Sockets Layer (SSL) tunneling, a client can establish a tunnel through ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition Server directly to the Web server that hosts the requested HTTPS object. Whenever a client browser requests an HTTPS object through ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition Server, it uses SSL tunneling. SSL tunneling works by default for outgoing client requests to ports 443 and 563. You can add SSL tunneling for additional ports by setting the FPCTunnelPortRange object, an ISA Server Admin COM object.

The FPCTunnelPortRange object provides access to the tunnel port range. A tunnel port enables ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition Server to work as a data pump for communication to particular ports on an external server. This process effectively bypasses the ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition Server protocol rules. By default, the external port ranges for which this is possible are set to 443-443 for the single port 443 (SSL) and to 563-563 for the single port 563 (NNTP). You can use the FPCTunnelPortRange object to change the port range in which a tunnel port can be created.

The following Visual Basic Scripting Edition script (VBScript) is an example of how to add ports to the tunnel port range:
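' Bind to the ISA Server administration root COM object.
Set isa = CreateObject("FPC.Root")
' Get the Web proxy tunnel port ranges for the array that contains this server.
Set tprange = isa.GetContainingArray.ArrayPolicy.WebProxy.TunnelPortRanges
' Add a single-port range (low port = high port = 9443) named "SSL 9443".
Set tmp = tprange.AddRange("SSL 9443", 9443, 9443)
' Write the change to ISA storage.
tprange.Save
' A restart of the Microsoft Firewall Service is required after you run the script.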

To add a tunnel port range with Microsoft Internet Security and Acceleration (ISA) Server 2004, this VBScript script will add port 10000:
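Dim root
Dim tpRanges
Dim newRange
' Bind to the ISA Server administration root COM object.
Set root = CreateObject("FPC.Root")
' Get the Web proxy tunnel port ranges for the array that contains this server.
Set tpRanges = root.GetContainingArray.ArrayPolicy.WebProxy.TunnelPortRanges
' Add a single-port range for port 10000 and write it to ISA storage.
Set newRange = tpRanges.AddRange("SSL 10000", 10000, 10000)
tpRanges.Save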
Note This script does not produce any output if it succeeds. If you run it again, it will produce an error because the range being set already exists.
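
An added example, not part of the original article and not Microsoft's code: it lists the configured tunnel port ranges, flags any range that spans more than one port, and adds the new range only when neither the port nor the name is already present, which avoids the error on a second run. The TunnelLowPort and TunnelHighPort property names are taken from the ISA Server SDK and should be checked against your version; the range name and port are sample values.

```vbscript
' Added example: audit the tunnel port ranges, then add one only if it is missing.
Option Explicit

Const NEW_NAME = "SSL 9443"   ' sample range name (constructed)
Const NEW_PORT = 9443         ' sample port (constructed)

Dim root, tpRanges, r, portCovered, nameTaken
Set root = CreateObject("FPC.Root")
Set tpRanges = root.GetContainingArray.ArrayPolicy.WebProxy.TunnelPortRanges

portCovered = False
nameTaken = False

For Each r In tpRanges
    WScript.Echo r.Name & ": " & r.TunnelLowPort & "-" & r.TunnelHighPort

    ' Tunnel ports bypass the protocol rules, so a range wider than one
    ' port opens every port in it to client tunnels. Flag it for review.
    If r.TunnelHighPort > r.TunnelLowPort Then
        WScript.Echo "  WARNING: range spans more than one port"
    End If

    If NEW_PORT >= r.TunnelLowPort And NEW_PORT <= r.TunnelHighPort Then
        portCovered = True
    End If
    If StrComp(r.Name, NEW_NAME, vbTextCompare) = 0 Then
        nameTaken = True
    End If
Next

If portCovered Then
    WScript.Echo "Port " & NEW_PORT & " is already in a tunnel port range; nothing changed."
ElseIf nameTaken Then
    WScript.Echo "A range named """ & NEW_NAME & """ already exists; nothing changed."
Else
    ' Low port = high port keeps the new range to a single port.
    tpRanges.AddRange NEW_NAME, NEW_PORT, NEW_PORT
    tpRanges.Save
    WScript.Echo "Added """ & NEW_NAME & """. Restart the Microsoft Firewall Service."
End If
```

Run it with cscript on the ISA Server computer so that the output goes to the console instead of message boxes.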

When you view a trace from a client behind ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition Server that points to Web Proxy, the following error message may appear:
HTTP/1.1 502 Proxy Error (The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests.)

REFERENCES

For more information about managing tunnel port ranges in ISA Server 2004, visit the following Microsoft Web site:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/managingtunnelports.mspx
For more information, see the ISA Server Software Development Kit.

Properties

Article ID: 283284 - Last Review: August 28, 2009 - Revision: 11.0
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2004 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2000 Standard Edition
  • Microsoft Windows Small Business Server 2003 Premium Edition
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
  • Windows Essential Business Server 2008 Standard
  • Microsoft Forefront Threat Management Gateway, Medium Business Edition
Keywords: 
kbhowto kbtunneling KB283284
