31 March 2011

TMG : Allow SSL request on an additional port

"12204 The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests."

This is the log entry you will see on TMG when a client attempts to connect to a site on a non-standard SSL port. In my example the port is 10443, but it could be any port other than 443.

This happens because by default TMG only allows HTTPS connections to port 443. The set of allowed ports is known as the Tunnel Port Ranges, or TPRanges. To add your non-standard port number, or a range of ports, you will need to run some scripts. You only need to run them on one of the array members, since this is an array-level setting.

The Add TP Range Script
Create a text file and copy the following into it. Save the file as AddTPPort.vbs

Dim root
Dim tpRanges
Dim newRange
' Connect to the TMG configuration and get the Tunnel Port Ranges of this array
Set root = CreateObject("FPC.Root")
Set tpRanges = root.GetContainingArray.ArrayPolicy.WebProxy.TunnelPortRanges
' Add a single-port range named "SSL 10443" covering port 10443 only
Set newRange = tpRanges.AddRange("SSL 10443", 10443, 10443)
' Write the change to the stored configuration; without Save it is not persisted
tpRanges.Save

NOTE: AddRange takes ("The name", the start port number, the end port number)

From a command prompt run the script with "cscript AddTPPort.vbs". There is no feedback from this script to let you know it succeeded. You will now have to restart the Firewall service on each of the TMG nodes in that array.

To verify that the port has been added you can attempt to connect to a remote site on that port number. You can also run a script to show the current TPRanges.

The List TP Ranges Script
Create and execute the script the same as the script above.

Dim root
Set root = CreateObject("FPC.Root")
Dim isaArray
Dim tpRanges
Dim tpRange
' Get the array this server belongs to and its Tunnel Port Ranges
Set isaArray = root.GetContainingArray()
Set tpRanges = isaArray.ArrayPolicy.WebProxy.TunnelPortRanges
' Print every range as name: low-high
For Each tpRange In tpRanges
    WScript.Echo tpRange.Name & ": " & tpRange.TunnelLowPort & "-" & tpRange.TunnelHighPort
Next

The result from this script should now be:

C:\Users\aa\Desktop>cscript listportss.vbs
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

NNTP: 563-563
SSL: 443-443
SSL 10443: 10443-10443

The port specified in the AddTPPort.vbs script should now also show up. These additional ports can of course also be deleted again.
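The two scripts above can be combined into one that takes the port from the command line, refuses to add a port that an existing range already covers (which is also a quick way to spot a wide range someone opened earlier), saves the change and then lists the result. This is an added example, not a script from the original post or from Microsoft; it assumes the same FPC objects used above plus the Save method of the TunnelPortRanges collection.

```vbscript
' AddTPPortChecked.vbs - add a single-port tunnel range only if it is not
' already allowed, save it, and list the array's tunnel port ranges.
' Usage: cscript AddTPPortChecked.vbs 10443
Option Explicit

Dim root, tpRanges, tpRange, newRange, port, rangeName

If WScript.Arguments.Count <> 1 Or Not IsNumeric(WScript.Arguments(0)) Then
    WScript.Echo "Usage: cscript AddTPPortChecked.vbs <port>"
    WScript.Quit 1
End If

port = CLng(WScript.Arguments(0))
If port < 1 Or port > 65535 Then
    WScript.Echo "Port must be between 1 and 65535."
    WScript.Quit 1
End If

Set root = CreateObject("FPC.Root")
Set tpRanges = root.GetContainingArray.ArrayPolicy.WebProxy.TunnelPortRanges

' Stop if an existing range already covers the port. This avoids a failing
' duplicate AddRange call and shows which range (and how wide) allows it.
For Each tpRange In tpRanges
    If port >= tpRange.TunnelLowPort And port <= tpRange.TunnelHighPort Then
        WScript.Echo "Port " & port & " is already allowed by range '" & _
            tpRange.Name & "' (" & tpRange.TunnelLowPort & "-" & _
            tpRange.TunnelHighPort & ")."
        WScript.Quit 0
    End If
Next

' Open only the single port that is needed, not a span of ports.
rangeName = "SSL " & port
Set newRange = tpRanges.AddRange(rangeName, port, port)
' FPC changes are not written to the stored configuration until Save is called.
tpRanges.Save
WScript.Echo "Added range '" & rangeName & "'. Restart the Firewall service on each array member."

' Confirm by listing the ranges now stored for the array.
For Each tpRange In tpRanges
    WScript.Echo tpRange.Name & ": " & tpRange.TunnelLowPort & "-" & tpRange.TunnelHighPort
Next
```

As with the original script, the new range only takes effect once the Firewall service has been restarted on every node of the array.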

The following article on TechNet has more info and some longer script versions, including a delete script.


Anonymous said...

Worked perfectly!

Junaid Ahmed said...

Thanks Dude, that works perfectly fine :) Cheers

Anonymous said...

Worked Great. Thanks.

Liam Quinn said...

Fantastic, sorted me out wonderfully, once I'd remembered to restart the firewall service that is....

Anonymous said...

Thank you very much!

Rustum said...

Thanks a lot... works perfect!

Anonymous said...

Worked! Greetings from Portugal!

lucky nicolaidis said...

This article works like a charm. I needed to get to a site that uses port 8443. My TMG did not allow me to get to the site as the port was blocked. I followed the above article and now I can access the relevant site through the prescribed port 8443.

Anonymous said...

Thank you.

Anonymous said...

Thanks, works 100%
