Allow SSL request on an additional port : TMG / ISA

Angelo Schalley
Jul, 28, 2011
ISA/TMG, Networking, security, Windows-Microsoft
No Comments

“12204 The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests.”

This is the log error you will see on TMG when attempting to connect to a site on a nonstandard SSL port. In my example the port is 10443 but of course if you are not using 443 it might as well be anything.

This is because be default TMG will only allow HTTPS connections on 443. This is know as the Tunnel Port Ranges or TPranges. To add your non standard port number or a range, you will need to run some scripts. You only need to run this on one of the array member since this is an array setting.

The Add TP Range Script
Create a text file and copy the following into it. Save the file as AddPort.vbs

Dim root
Dim tpRanges
Dim newRange
Set root = CreateObject(“FPC.Root”)
Set tpRanges = root.GetContainingArray.ArrayPolicy.WebProxy.TunnelPortRanges
set newRange = tpRanges.AddRange(“SSL 10443”, 10443, 10443)
tpRanges.Save

NOTE: (“The name” , The start port number, the end port number)

From a command prompt run the script with “cscript AddTPPort.vbs” There is no feedback form this script to let you know it succeeded. You will now have to restart the firewall service on each of the TMG nodes in that array.

To verify that the port has been added you can attempt to connect a remote site on that port number. You can also run a script to show the current TPRanges

The List TP Ranges Script

Create and execute the script the same as the script above.

Dim root

Set root = CreateObject(“FPC.Root”)

Dim isaArray

Dim tpRanges

Dim tpRange

Set isaArray = root.GetContainingArray()

Set tpRanges = isaArray.ArrayPolicy.WebProxy.TunnelPortRanges

For Each tpRange In tpRanges

WScript.Echo tpRange.Name & “: ” & tpRange.TunnelLowPort & “-” & tpRange.TunnelHighPort

The result from this script should now be:

C:\Users\aa\Desktop>cscript listportss.vbs

Microsoft (R) Windows Script Host Version 5.8

NNTP: 563-563

SSL: 443-443

SSL 10443: 10443-10443

The ports specified in the addtpport.vbs script should now also show up. These additional ports can of course also be deleted.

The following article on TechNet has more info and some longer script versions, including a delete script

http://technet.microsoft.com/en-us/library/cc302450.aspx

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Allow SSL request on an additional port : TMG / ISA

Allow SSL request on an additional port : TMG / ISA

Leave a Reply

Categories