Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Users Cannot Access Secure Sockets Layer Web Sites Defined by Destination Sets



Symptoms

When you configure a rule in Internet Security and Acceleration (ISA) Server 2000 to control outbound traffic (for example, a site and content rule or a routing rule), a user who tries to access a Web site is denied access by ISA Server.

Note Depending on your configuration, the user may receive the following error message while trying to log on to the Web site:
HTTP 407 - Proxy Authentication Required
Internet Information Services



Cause

This issue may occur if both of the following conditions are true:
  • The user tries to access a Web site or a portion of a Web site that uses Secure Sockets Layer (SSL) technology.

    -and-
  • The destination set for that Web site specifies a path -- for example, /*.



Workaround

To work around this issue, remove the path from the destination set.



More information

The way that ISA Server 2000 processes site and content rules depends on the type of client that requests the object and the type of content that it requests. In particular, ISA Server may ignore any path specified in the destination set, depending on the client type and the protocol used. The following table shows whether ISA Server processes the path specified for the computers in the destination set.

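Content type                                      | Web Proxy client | SecureNAT client | Firewall client
--------------------------------------------------|------------------|------------------|----------------
File Transfer Protocol (FTP) content              | Yes              | No               | No
HTTP content                                      | Yes              | Yes              | Yes
Secure Hypertext Transfer Protocol (HTTPS) content | No               | No               | No
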
This is true only when the HTTP redirector filter is enabled and configured to redirect to the local Web Proxy service.

When ISA Server processes a request for which path processing is not supported (for example, any non-HTTP request), ISA Server ignores all destinations where a path is specified. This does not mean that ISA Server ignores the rule that references the destination; only the destinations that carry a path are skipped. For example, if you have a rule that denies access to two destinations, example.domain.com/example and widgets.domain.com, a request to access Network News Transfer Protocol (NNTP) content from example.domain.com is not denied. A request to access NNTP content from widgets.domain.com is denied.

For Secure Hypertext Transfer Protocol (HTTPS) requests, if a rule denies requests to a destination that specifies a path, ISA Server denies all content on the computer, not just content on the specific path. For example, if a rule is configured to deny HTTPS access to example.domain.com/example, ISA Server denies access to all content at example.domain.com.

Note This behavior is not limited to site and content rules, but also applies to routing rules. All rules that evaluate outbound traffic and that use destination sets are subject to this behavior.
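
The following Python sketch models the path-processing behavior described above so that a destination set can be checked before it is deployed. It is an added example, not Microsoft code and not ISA Server's implementation. Assumptions: the function name, the lowercase client and protocol labels, exact host-name matching, and the rule that a path such as /example also covers everything beneath it.

```python
from fnmatch import fnmatch

# Path-processing table from the article: (content type, client type) -> processed?
# The article's footnote condition on the table is not modelled here.
PATH_PROCESSED = {
    ("ftp", "webproxy"): True,   ("ftp", "securenat"): False,   ("ftp", "firewall"): False,
    ("http", "webproxy"): True,  ("http", "securenat"): True,   ("http", "firewall"): True,
    ("https", "webproxy"): False, ("https", "securenat"): False, ("https", "firewall"): False,
}

def destination_matches(dest, action, protocol, client, host, path="/"):
    """Return True if a destination-set entry applies to the request.

    dest is (hostname, path_or_None); action is "allow" or "deny".
    """
    dest_host, dest_path = dest
    if host.lower() != dest_host.lower():
        return False
    if dest_path is None:
        return True  # host-only entry: applies to every protocol and path
    if PATH_PROCESSED.get((protocol, client), False):
        # Assumption: "/example" covers itself and everything beneath it.
        pattern = dest_path if "*" in dest_path else dest_path.rstrip("/") + "/*"
        return path == dest_path or fnmatch(path, pattern)
    if protocol == "https":
        # The path is dropped: a deny rule covers the whole host, while an
        # allow rule does not match, so the request ends in a denial
        # (the symptom this article describes).
        return action == "deny"
    return False  # other protocols: entries that carry a path are ignored

if __name__ == "__main__":
    # Constructed sample: the two destinations used in the article's example.
    deny_set = [("example.domain.com", "/example"), ("widgets.domain.com", None)]
    requests = [("nntp", "example.domain.com", "/"),
                ("nntp", "widgets.domain.com", "/"),
                ("https", "example.domain.com", "/other"),
                ("http", "example.domain.com", "/other")]
    for proto, host, path in requests:
        hit = any(destination_matches(d, "deny", proto, "securenat", host, path)
                  for d in deny_set)
        print(f"{proto:5} {host}{path}: {'denied' if hit else 'not denied by this rule'}")
```
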

For information about how to obtain ISA Server Feature Pack 1, visit the following Microsoft Web site:

For information about how to obtain ISA Server 2000 Service Pack 1 (SP1), visit the following Web site:



Keywords: KB819129, kbinfo, kbprb, kberrmsg


Article Info
Article ID : 819129
Revision : 5
Created on : 1/30/2007
Published on : 1/30/2007
Exists online : False
Views : 263