Microsoft KB Archive/283284

= Blank page or page cannot be displayed when you view SSL sites through ISA Server =

Article ID: 283284

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
 * Microsoft Internet Security and Acceleration Server 2006 Standard Edition




This article was previously published under Q283284



SUMMARY
If Microsoft Internet Explorer is configured to reference a server that is running Microsoft Internet Security and Acceleration (ISA) Server as a Web proxy server, when you try to view a Secure Sockets Layer (SSL) Web site on the Internet by using a port other than 443, a blank page may appear with "Page cannot be displayed" in the title bar. Or, you may receive the following error message:

page cannot be displayed

Note Connections to the Microsoft Windows Small Business Server 2003, Premium Edition https://companyweb are also affected because https://companyweb is configured to use port 444 for SSL connections instead of the standard SSL port 443.



MORE INFORMATION
Note The VBScript uses a COM application programming interface that is supported by ISA Server to create the required settings in ISA storage. ISA maintains storage differently based on the ISA version, as follows:
 * ISA Server 2000 Standard Edition, ISA Server 2000 Enterprise Edition (Standalone mode), and ISA Server 2004 Standard Edition: ISA storage is maintained in the registry.
 * ISA Server 2000 Enterprise Edition: ISA storage is maintained in Active Directory.
 * ISA Server 2004 Enterprise Edition: ISA storage is maintained in Active Directory Application mode (Configuration Storage Server).
 * ISA Server 2006 Enterprise Edition: ISA storage is maintained in Active Directory Application mode (Configuration Storage Server).

Manually editing ISA storage is not supported where a COM API that is supported by ISA Server exists for the setting.

A separate GUID is listed for each tunnel port.

With Secure Socket Layer (SSL) tunneling, a client can establish a tunnel through ISA Server directly to the Web server by using the requested HTTPS object. Whenever a client browser requests an HTTPS object through ISA Server, it uses SSL tunneling. SSL tunneling works by default for outgoing client requests to ports 443 and 563. You can add SSL tunneling for additional ports by setting the FPCTunnelPortRange object, an ISA Server Admin COM object.

The FPCTunnelPortRange object provides access to the tunnel port range. A tunnel port enables ISA Server to work as a data pump for communication to particular ports on an external server. Because this effectively bypasses ISA Server protocol rules, the external port ranges for which tunneling is possible are set by default to 443-443 for the single port 443 (SSL), and to 563-563 for the single port 563 (NNTP). You can use the FPCTunnelPortRange object to change the port range in which a tunnel port can be created.

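The following Visual Basic Scripting Edition (VBScript) script is an example of how to add ports to the tunnel port range:

    ' Connect to the ISA Server administration COM root object.
    Set isa = CreateObject("FPC.Root")
    ' Get the tunnel port ranges of the array that contains this server.
    Set tprange = isa.Arrays.GetContainingArray.ArrayPolicy.WebProxy.TunnelPortRanges
    ' Add a single-port range (low port = high port = 9443) named "SSL 9443".
    Set tmp = tprange.AddRange("SSL 9443", 9443, 9443)
    ' Write the change to ISA storage.
    tprange.Save

Restart the Microsoft ISA Server Control service after you run the script.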

To add a tunnel port range with Microsoft Internet Security and Acceleration (ISA) Server 2004, use the following VBScript script, which adds port 10000:

    Dim root
    Dim tpRanges
    Dim newRange
    ' Connect to the ISA Server administration COM root object.
    Set root = CreateObject("FPC.Root")
    ' Get the tunnel port ranges of the array that contains this server.
    Set tpRanges = root.GetContainingArray.ArrayPolicy.WebProxy.TunnelPortRanges
    ' Add a single-port range for port 10000, then write it to ISA storage.
    Set newRange = tpRanges.AddRange("SSL 10000", 10000, 10000)
    tpRanges.Save

Note This script does not produce any output if it succeeds. If you run it again, it will produce an error because the range being set already exists.

When you view a trace from a client behind ISA Server that points to Web Proxy, the following error message may appear:

HTTP/1.1 502 Proxy Error (The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests.)
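
The tunnel port check described above can be modeled offline to see which client CONNECT requests would receive this 502 response and to spot ranges that are wider than needed. This is an added example, not Microsoft's code or ISA Server's implementation; the function names, the trace lines, the example.com hosts, and the "SSL 444" and "Any high port" ranges are constructed for illustration.

```python
import re

# Default tunnel port ranges stated in the article: 443 (SSL) and 563 (NNTP).
DEFAULT_RANGES = [("SSL", 443, 443), ("NNTP", 563, 563)]

# CONNECT request line with an authority-form target (IPv6 literals in brackets).
CONNECT_RE = re.compile(
    r"^CONNECT\s+(\[[0-9A-Fa-f:.]+\]|[^\s:\[\]]+):(\d{1,5})\s+HTTP/1\.[01]$")


def port_allowed(port, ranges):
    """True if port falls inside any (name, low, high) tunnel port range."""
    return any(low <= port <= high for _name, low, high in ranges)


def refused_connects(trace_lines, ranges=DEFAULT_RANGES):
    """Return (host, port) for each CONNECT the proxy model answers with 502."""
    refused = []
    for line in trace_lines:
        m = CONNECT_RE.match(line.strip())
        if not m:
            continue  # not a CONNECT request line (headers, GETs, noise)
        host, port = m.group(1), int(m.group(2))
        if not 1 <= port <= 65535 or not port_allowed(port, ranges):
            refused.append((host, port))
    return refused


def wide_ranges(ranges, max_width=1):
    """Name ranges spanning more than max_width ports; tunnels bypass protocol rules."""
    return [name for name, low, high in ranges if high - low + 1 > max_width]


# Constructed client trace (not captured from a real ISA Server).
SAMPLE_TRACE = [
    "CONNECT www.example.com:443 HTTP/1.1",
    "CONNECT companyweb:444 HTTP/1.1",
    "CONNECT app.example.com:9443 HTTP/1.0",
    "Host: app.example.com:9443",
    "GET http://www.example.com/ HTTP/1.1",
    "CONNECT [2001:db8::1]:563 HTTP/1.1",
]

if __name__ == "__main__":
    print("refused by default:", refused_connects(SAMPLE_TRACE))
    fixed = DEFAULT_RANGES + [("SSL 9443", 9443, 9443), ("SSL 444", 444, 444)]
    print("refused after adding ranges:", refused_connects(SAMPLE_TRACE, fixed))
    print("overly wide:", wide_ranges(fixed + [("Any high port", 1024, 65535)]))
```

Because tunneled traffic is not inspected by protocol rules, single-port ranges such as 9443-9443 keep the exception as narrow as the scripts above do.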

