Allow SSL request on an additional port : TMG / ISA

Allow SSL request on an additional port : TMG / ISA

“12204 The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests.”

This is the log error you will see on TMG when attempting to connect to a site on a nonstandard SSL port.  In my example the port is 10443 but of course if you are not using 443 it might as well be anything.

This is because be default TMG will only allow HTTPS connections on 443.  This is know as the Tunnel Port Ranges or TPranges.  To add your non standard port number or a range, you will need to run some scripts.  You only need to run this on one of the array member since this is an array setting.

The Add TP Range Script
Create a text file and copy the following into it.  Save the file as AddPort.vbs

Dim root
Dim tpRanges
Dim newRange
Set root = CreateObject(“FPC.Root”)
Set tpRanges = root.GetContainingArray.ArrayPolicy.WebProxy.TunnelPortRanges
set newRange = tpRanges.AddRange(“SSL 10443”, 10443, 10443)

NOTE:  (“The name”  , The start port number, the end port number)
From a command prompt run the script with “cscript AddTPPort.vbs” There is no feedback form this script to let you know it succeeded. You will now have to restart the firewall service on each of the TMG nodes in that array.
To verify that the port has been added you can attempt to connect a remote site on that port number.   You can also run a script to show the current TPRanges
The List TP Ranges Script
Create and execute the script the same as the script above.

Dim root
Set root = CreateObject(“FPC.Root”)
Dim isaArray
Dim tpRanges
Dim tpRange
Set isaArray = root.GetContainingArray()
Set tpRanges = isaArray.ArrayPolicy.WebProxy.TunnelPortRanges
For Each tpRange In tpRanges
WScript.Echo tpRange.Name & “: ” & tpRange.TunnelLowPort & “-” & tpRange.TunnelHighPort
The result from this script should now be:
C:\Users\aa\Desktop>cscript listportss.vbs
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
NNTP: 563-563
SSL: 443-443
SSL 10443: 10443-10443
The ports specified in the addtpport.vbs script should now also show up.  These additional ports can of course also be deleted.
The following article on TechNet has more info and some longer script versions, including a delete script

Leave a Reply

Your email address will not be published.

five × five =

This site uses Akismet to reduce spam. Learn how your comment data is processed.