The FPCTunnelPortRange object defines a tunnel port range. A tunnel port range specifies one or more ports on which the ISA Server Web proxy can forward an HTTP CONNECT request from a Web proxy client to a Web server. After a connection is established, packets sent from the client to the Web server on the port specified in the CONNECT request pass directly to the Web server without deep inspection by the Web proxy.
Ports that are included in tunnel port ranges are useful for passing packets with an encrypted payload, particularly Secure Sockets Layer (SSL) packets, through the Web proxy after a connection is established between a client on a protected network and an external Web server. When SSL-encrypted traffic is sent, ISA Server can inspect only the IP and TCP headers. The ISA Server computer cannot perform application-layer inspection of the encrypted contents in the SSL tunnel between the client and Web server.
When a client specifies the HTTPS protocol (HTTP over SSL) in a URL in a CERN-compliant Web browser configured to send requests to port 8080 (the default port number) on an ISA Server computer, the Web browser sends the following HTTP CONNECT request:
CONNECT host_name:443 HTTP/1.1
The number 443 is the default TCP port for SSL, but any port specified in the URL will be used.
By default, the ISA Server computer listens for outbound requests from clients in the Internal network on port 8080. When the CONNECT request reaches the ISA Server computer on the listening port, the Microsoft Firewall service checks the rules to determine whether a request may be sent from the source to the destination using the HTTP protocol. If the request passes the rules check, the Firewall service forwards the request to the ISA Server Web proxy, and the Web proxy determines whether the port specified in the CONNECT request is included in a tunnel port range. If the port number passes this test, the Web proxy allows the request to be sent to the TCP port specified on the destination host to open a connection. When this operation succeeds, the ISA Server computer informs the client that the connection has been established. From that point on, the client sends encrypted packets directly to the destination on the port specified in the CONNECT request without any mediation by the Web proxy.
An encrypted SSL tunnel is created only when the ISA Server computer connects to an SSL server using a port that is defined as a tunnel port by including it in a tunnel port range. When a Web proxy client tries to connect to an SSL server that is configured for a port that is not included in a tunnel port range, the connection attempt fails.
By default, the external port ranges that are defined as tunnel port ranges are confined to 443–443 (the single port 443) for HTTP over SSL and 563–563 (the single port 563) for the Network News Transfer Protocol over SSL (NNTPS). You can use the properties of the FPCTunnelPortRange object to change the range of tunnel ports defined by the object, and you can use the AddRange method to create an additional tunnel port range. However, because traffic sent to ports included in a tunnel port range bypasses the ISA Server policy rules and Web proxy inspection, only tunnel port ranges for which this is required should be added.
This object is created as an element of an FPCTunnelPortRanges collection.
Click here to see the ISA Server object hierarchy.
The FPCTunnelPortRange object defines the following methods.
|Refresh||Reads the values of all of the object's properties from persistent storage, discarding any changes that have not been saved.|
|Save||Writes the current values of all of the object's properties to persistent storage.|
The FPCTunnelPortRange object has the following properties.
|Name||Gets or sets the name of the tunnel port range.|
|TunnelHighPort||Gets or sets the high end of the tunnel port range.|
|TunnelLowPort||Gets or sets the low end of the tunnel port range.|
This object implements the IFPCTunnelPortRange interface.
The following VBScript code shows how to create a new tunnel port range consisting of a single port.
' Define the constants needed. Const NewRangeName = "SSL 3520" Const NewRangePort = "3520" ' Create the root object. Dim root ' The FPCLib.FPC root object Set root = CreateObject("FPC.Root") 'Declare the other objects needed. Dim isaArray ' An ISA Server array object Dim tpRanges ' An FPCTunnelPortRanges collection Dim newRange ' An FPCTunnelPortRange object ' Get a reference to the array and to ' the collection of tunnel port ranges. Set isaArray = root.GetContainingArray() Set tpRanges = isaArray.ArrayPolicy.WebProxy.TunnelPortRanges ' Create a new tunnel port range. Set newRange = tpRanges.AddRange(NewRangeName, NewRangePort, NewRangePort) ' Save the changes to the collection of tunnel port ranges ' with fResetRequiredServices set to True to restart the Firewall service. tpRanges.Save True
|Client||Requires Windows XP.|
|Server||Requires Windows Server 2003. Requires Windows Server 2003 or Windows 2000 for ISA Server 2004 Standard Edition.|
|Version||Requires Internet Security and Acceleration (ISA) Server 2006 or ISA Server 2004.|
Declared in Msfpccom.idl.