We are experiencing an issue where we cannot browse SSL IIS 10 websites on Server 2016 using Cisco's Clientless VPN.
We have a Cisco ASA 5510 firewall running firmware 9.1.(7)20 and use ASDM 7.5(2). We have many web servers, but for this issue know we have some Server 2008 R2 6.1 (Build 7601 SP1) with IIS 7.5.7600.16385, Server 2012 R2 Datacenter (6.2 Build 9200) with IIS 8.5.9600.16384, and Server 2016 1607 (Build 14393.1770) with IIS 10.0.14393.0.
When we attempt to use the Clientless VPN through the firewall to access internal resources, we are unable to view SSL protected sites if they are hosted on Server 2016 with IIS 10. We are able to view both http and https sites through the VPN from Server 2008/IIS 7 and Server 2012/IIS 8, and are able to view http sites through the VPN from Server 2016/IIS 10. If we attempt to access an https site hosted on Server 2016/IIS 10 through the clientless VPN, we get a "URL unavailable" message from the firewall. We have confirmed this on 3 servers.
We get the same result if the site is secured with either a domain certificate OR a godaddy wildcard certificate. Both types of certificates work for secure resources on Server 2008/Server 2012.
We performed a wireshark capture between a working 2012 web server and the firewall, as well as a non-working 2016 web server and the firewall. The traffic followed a similar pattern, however on the 2016 Server after the certificate exchange there are no more acknowledgments from the server. At the recommendation of some articles we read, we enabled all ciphers on the firewall hoping to circumvent any incompatibility with encryption protocols, but this resulted in identical behavior. The certificate exchange and ciphers packet capture are identical in both the 2012 and 2016 servers. However after the certificate exchange it looks like the firewall and the server are not encrypting/decrypting traffic correctly.
We're stuck...we're pretty sure the issue is a new configuration in IIS related to SSL, but we've searched the web and crawled through settings and found nothing. If anyone has made the Clientless VPN work with secure IIS 10 sites, or if anyone has any idea of a configuration in IIS 10 that could help us, we'd be extremely appreciative.
No comments:
Post a Comment