The FPCTunnelPortRanges collection holds a set of FPCTunnelPortRange objects. Each FPCTunnelPortRange object represents a single range of tunnel ports. A tunnel port range specifies one or more ports on which the ISA Server Web proxy can forward an HTTP CONNECT request from a Web proxy client to a Web server. After a connection is established, packets sent from the client to the Web server on the port specified in the CONNECT request pass directly to the Web server without deep inspection by the Web proxy.
Ports that are included in tunnel port ranges are useful for passing packets with an encrypted payload, particularly Secure Sockets Layer (SSL) packets, through the Web proxy after a connection is established between a client on a protected network and an external Web server. When SSL-encrypted traffic is sent, ISA Server can inspect only the IP and TCP headers. The ISA Server computer cannot perform application-layer inspection of the encrypted contents in the SSL tunnel between the client and Web server.
When a client specifies the HTTPS protocol (HTTP over SSL) in a URL in a CERN-compliant Web browser configured to send requests to port 8080 (the default port number) on an ISA Server computer, the Web browser sends the following HTTP CONNECT request:
CONNECT host_name:443 HTTP/1.1
The number 443 is the default TCP port for SSL, but any port specified in the URL will be used.
By default, the ISA Server computer listens for outbound requests from clients in the Internal network on port 8080. When the CONNECT request reaches the ISA Server computer on the listening port, the Microsoft Firewall service checks the rules to determine whether a request may be sent from the source to the destination using the HTTP protocol. If the request passes the rules check, the Firewall service forwards the request to the ISA Server Web proxy, and the Web proxy determines whether the port specified in the CONNECT request is included in a tunnel port range. If the port number passes this test, the Web proxy allows the request to be sent to the TCP port specified on the destination host to open a connection. When this operation succeeds, the ISA Server computer informs the client that the connection has been established. From that point on, the client sends encrypted packets directly to the destination on the port specified in the CONNECT request without any mediation by the Web proxy.
By default, the external port ranges that are defined as tunnel port ranges are confined to 443–443 (the single port 443) for HTTP over SSL and 563–563 (the single port 563) for the Network News Transfer Protocol over SSL (NNTPS). You can use the AddRange method to create an additional tunnel port range. However, because traffic sent to ports included in a tunnel port range bypasses the ISA Server policy rules and Web proxy inspection, only tunnel port ranges for which this is required should be added.
Click here to see the ISA Server object hierarchy.
The FPCTunnelPortRanges collection defines the following methods.
|AddRange||Creates a new FPCTunnelPortRange object in the collection and returns a reference to it.|
|Item||Retrieves the requested FPCTunnelPortRange object from the collection.|
|Refresh||Reads the values of all the properties of the collection and its elements from persistent storage, discarding any changes that have not been saved.|
|Remove||Removes the specified FPCTunnelPortRange object from the collection.|
|Save||Writes the current values of all the properties of the collection and its elements to persistent storage.|
The FPCTunnelPortRanges collection has the following properties.
|_NewEnum||Gets an enumerator object for the collection.|
|Count||Gets the number of FPCTunnelPortRange objects in the collection.|
This collection implements the IFPCTunnelPortRanges interface.
|Client||Requires Windows XP.|
|Server||Requires Windows Server 2003. Requires Windows Server 2003 or Windows 2000 for ISA Server 2004 Standard Edition.|
|Version||Requires Internet Security and Acceleration (ISA) Server 2006 or ISA Server 2004.|
Declared in Msfpccom.idl.