Microsoft KB Archive/184028

= Error Message: 12204 SSL Port Specified Is Not Allowed =

Article ID: 184028

Article Last Modified on 4/24/2003


APPLIES TO


 * Microsoft Proxy Server 1.0 Standard Edition
 * Microsoft Proxy Server 2.0 Standard Edition




This article was previously published under Q184028



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
By default, the Web Proxy service on Microsoft Proxy Server versions 1.0 and 2.0 makes HTTPS connection requests on port 443 only. Connection requests for Web sites that contain a port number in the URL for ports other than port 443 will fail and produce the following error:

12204 SSL port specified is not allowed



CAUSE
For security reasons, only port 443 (HTTPS) and port 563 (SNEWS) are allowed to pass through the Web Proxy service by default.

Additional ports can be added to the registry; however, this is not recommended. Internet Web sites should always use port 443 for SSL (HTTPS) communications. Allowing additional ports through your Proxy Server may pose a security risk.

The following is an excerpt from Internet Draft: Tunneling SSL Through a WWW Proxy located at http://cgi.netscape.com/newsref/std/tunneling_ssl.html:

Security Considerations

CONNECT is really a lower-level function than the rest of the HTTP methods, kind of an escape mechanism for saying that the proxy should not interfere with the transaction, but merely forward the data. This is because the proxy should not need to know the entire URI that is being accessed (privacy, security), only the information that it explicitly needs (hostname and port number). Due to this fact, the proxy cannot verify that the protocol being spoken is really SSL, and so the proxy configuration should explicitly limit allowed connections to well-known SSL ports (such as 443 for HTTPS, 563 for SNEWS, as assigned by the Internet Assigned Numbers Authority).



WORKAROUND
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To open additional ports for tunneling SSL on a computer running Microsoft Proxy Server, use Regedt32.exe to modify the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters

Value Name: SSLPortListMembers

When you edit the SSLPortListMembers value, a dialog box shows the following default port information:

   443
   443
   563
   563

Append the desired new port in duplicate form. For example, to add port 444:

   443
   443
   563
   563
   444
   444
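The following added example (not Microsoft Proxy Server code and not part of the original article) sketches the check that the CAUSE section and the quoted draft describe: a proxy that cannot inspect the tunneled protocol decides on the CONNECT port alone, so every port added to SSLPortListMembers should be reviewed. It assumes each port is written as two identical consecutive entries, as in the article's example; the function names and the sample host are hypothetical.

```python
# Added example: CONNECT port allowlisting, not Microsoft Proxy Server code.
DEFAULT_PORTS = {443, 563}  # defaults named in the article: HTTPS and SNEWS
DENIED = "12204 SSL port specified is not allowed"


def parse_port_list(entries):
    """Turn a duplicate-form list (each port written twice) into a port set.

    Assumption: every port is two identical consecutive entries, as in the
    article's 443 443 563 563 example. Anything else raises ValueError.
    """
    if len(entries) % 2:
        raise ValueError("odd entry count: ports must be listed in duplicate")
    ports = set()
    for first, second in zip(entries[0::2], entries[1::2]):
        if first.strip() != second.strip():
            raise ValueError(f"entries do not match: {first!r} / {second!r}")
        port = int(first)  # ValueError on non-numeric text
        if not 1 <= port <= 65535:
            raise ValueError(f"not a TCP port: {port}")
        ports.add(port)
    return ports


def non_default_ports(ports):
    """Ports opened beyond the defaults; each one widens what can be tunneled."""
    return sorted(set(ports) - DEFAULT_PORTS)


def check_connect(request_line, allowed):
    """Decide on a 'CONNECT host:port HTTP/x.y' line; returns (ok, reason)."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return False, "not a CONNECT request"
    host, sep, port_text = parts[1].rpartition(":")
    if not (sep and host and port_text.isascii() and port_text.isdigit()):
        return False, "CONNECT target must be host:port"
    if int(port_text) not in allowed:
        return False, DENIED
    return True, "tunnel permitted"


if __name__ == "__main__":
    # Constructed sample input: the article's list after adding port 444.
    allowed = parse_port_list(["443", "443", "563", "563", "444", "444"])
    print("review these additions:", non_default_ports(allowed))
    for line in ("CONNECT example.com:443 HTTP/1.0",
                 "CONNECT example.com:8443 HTTP/1.0"):
        print(line, "->", check_connect(line, allowed))
```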


© Microsoft Corporation. All rights reserved.