Article ID: 283284
This article was previously published under Q283284
If Microsoft Internet Explorer is configured to reference a server that is running Microsoft Internet Security and Acceleration (ISA) Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition as a Web proxy server, when you try to view a Secure Sockets Layer (SSL) Web site on the Internet by using a port other than 443, a blank page may appear with "Page cannot be displayed" in the title bar. Or, you may receive the following error message:
page cannot be displayed
Note Connections to the Microsoft Windows Small Business Server 2003, Premium Edition https://companyweb are also affected because https://companyweb is configured to use port 444 for SSL connections instead of the standard SSL port 443.
Note The VBScript uses a COM application programming interface that is supported by ISA Server to create the required settings in ISA storage. ISA maintains storage differently based on the ISA version, as follows:
A separate GUID is listed for each tunnel port.
With Secure Sockets Layer (SSL) tunneling, a client can establish a tunnel through ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition Server directly to the Web server by using the requested HTTPS object. Whenever a client browser requests an HTTPS object through ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition Server, it uses SSL tunneling. SSL tunneling works by default for outgoing client requests to ports 443 and 563. You can add SSL tunneling for additional ports by setting the FPCTunnelPortRange object, an ISA Server Admin COM object.
The FPCTunnelPortRange object provides access to the tunnel port range. A tunnel port enables ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition Server to work as a data pump for communication to particular ports on an external server. This process effectively bypasses the ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition Server protocol rules. The external port ranges for which this is possible are set by default to 443-443 for the single port 443 (SSL), and to 563-563 for the single port 563 (NNTP). You can use the FPCTunnelPortRange object to change the port range in which a tunnel port can be created.
The following Visual Basic Scripting Edition script (VBScript) is an example of how to add ports to the tunnel port range:
Note A restart of the Microsoft Firewall Service is required after you run the script.
To add a tunnel port range with Microsoft Internet Security and Acceleration (ISA) Server 2004, this VBScript script will add port 10000:
Note This script does not produce any output if it succeeds. If you run it again, it will produce an error because the range being set already exists.
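The ISA Server 2004 change described above in a form that is safe to run more than once, as an added example that is not the article's own script: it lists the current tunnel port ranges and adds port 10000 only when no existing range already covers it. The object path from FPC.Root, the Name, TunnelLowPort and TunnelHighPort property names, and the range name "SSL 10000" are assumptions based on the ISA Server administration COM object model.

```vbscript
' Added example (not the article's script). Run on the ISA Server 2004 computer
' with: cscript //nologo AddTunnelPort.vbs   (file name is hypothetical)
Option Explicit

Const NEW_PORT = 10000           ' port used in this article for ISA Server 2004
Const RANGE_NAME = "SSL 10000"   ' constructed display name (assumption)

Dim root, tpRanges, tpRange, covered

Set root = CreateObject("FPC.Root")
' Object path assumed for ISA Server 2004.
Set tpRanges = root.GetContainingArray.ArrayPolicy.WebProxy.TunnelPortRanges

' Audit step: print every range the Web proxy will currently tunnel to, and
' note whether the new port or the new name is already present.
covered = False
For Each tpRange In tpRanges
    WScript.Echo tpRange.Name & ": " & tpRange.TunnelLowPort & "-" & tpRange.TunnelHighPort
    If tpRange.Name = RANGE_NAME Then covered = True
    If tpRange.TunnelLowPort <= NEW_PORT And NEW_PORT <= tpRange.TunnelHighPort Then
        covered = True
    End If
Next

If covered Then
    ' Adding the same range again is what raises the error on a second run.
    WScript.Echo "Port " & NEW_PORT & " is already in a tunnel port range; nothing changed."
Else
    ' Add a single-port range (low = high) so that no other port is opened.
    tpRanges.AddRange RANGE_NAME, NEW_PORT, NEW_PORT
    tpRanges.Save
    WScript.Echo "Added " & RANGE_NAME & ". Restart the Microsoft Firewall service to apply it."
End If
```

Because every tunnel port bypasses the protocol rules, the listing printed by the loop doubles as a record of which ports the Web proxy will tunnel to without inspection.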
When you view a trace from a client behind ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition Server that points to Web Proxy, the following error message may appear:
HTTP/1.1 502 Proxy Error (The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests.)
For more information about managing tunnel port ranges in ISA Server 2004, visit the following Microsoft Web site:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/managingtunnelports.mspx
For more information, see the ISA Server Software Development Kit.
Article ID: 283284 - Last Review: August 28, 2009 - Revision: 11.0