Local Host workaround and KB941634

Last updated Wed May 21, 2008 01:08:24 PM
ClearTunnel version 1.2 and later requires an extra "Local Host" rule if the ISA Server 2006 version is less than 5.0.5721.250.

Overview

This article describes the Local Host issue, the workaround, and how to update ISA to a newer revision that fixes the issue.

ISA server 2006 (where the component version is less than 5.0.5721.250) has an issue that affects the operation of ClearTunnel. This problem is detailed in the following Microsoft Knowledge Base article:

http://support.microsoft.com/kb/941634/

The effect of this bug is that the Web Proxy cannot process ClearTunnel's decrypted traffic. In order to make ClearTunnel 1.2 and later work in this situation, you can either use a workaround or update ISA Server 2006 to a version that contains the fix for this problem.

Workaround

To allow ClearTunnel to work without changing the ISA software revision, it attempts to forward decrypted connections back through the Web Proxy listening port. However this means that the Web Proxy must be configured to allow traffic from Local Host, since that is where it will perceive all the ClearTunnel decrypted traffic to originate. To use the Local Host workaround, you should perform the following steps:

  1. Create a new Access Rule (you may name it 'ClearTunnel Local Host' or choose another name)
  2. Make it an Allow rule
  3. Select the HTTP and HTTPS protocols
  4. The source should contain the "Local Host" network
  5. The destination should contain the "External" network
  6. The rule should be applied to "All Users"
  7. Make sure to move the new rule higher in the list than your other web rules, otherwise ISA may try to require authentication at this step (which is not desired).

Caveat: If you use this workaround, all HTTP/HTTPS connections originating from the ISA server will be allowed. This may not be desirable as it is a less secure configuration than blocking web access from the firewall.

Update

To resolve this problem without the need to forward traffic through the Local Host network, you can update your ISA 2006 software to a newer revision.

Note: All Microsoft hot fixes for ISA 2006 after a given date will include all previous fixes within them. Therefore if your ISA software is already updated to a revision greater than 5.0.5721.250 you should not need to follow these steps.

  1. According to Microsoft, before installing the hotfix for this issue, you must first install the ISA 2006 Supportability update, KB939455.
  2. After installing the above update, you must request the hotfix for KB942639. You can request hotfixes online here. You can also obtain the hotfix from Collective support by opening a support request.
  3. Install the hotfix for this issue.
  4. If you previously were using the workaround noted above, you can now remove the extra "Local Host" rule you added. ClearTunnel should now successfully work without the workaround in place.

Getting Help

If you have questions about this issue or other ClearTunnel configuration questions, please open a support request for further assistance.

Related Articles

Using "Content Types" tab
If you wish to use the "Content Types" tab for HTTPS traffic, you need to add these configuration items to avoid issues.
Last updated Thu Jan 3, 2008 10:58:51 AM

Related Topics

ClearTunnel
Articles pertaining to the ClearTunnel product