You May Not Be Able to Connect to SSL Published Web Sites with SGC Certificates Through ISA Server (307209)


The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000
This article was previously published under Q307209

SYMPTOMS

If you publish secure Web sites behind Internet Security and Acceleration (ISA) Server 2000 by using Secure Sockets Layer (SSL), certain Web browser clients may not be able to connect. The connection problem occurs in the SSL handshake process when the browser tries to establish an SSL connection with the ISA Server-based computer that publishes the internal Web server. These symptoms may occur whether the traffic between the ISA Server-based computer and the internal published Web server uses HTTP or HTTPS, because it is the SSL connection between the browser and the ISA Server-based computer that does not work.

The symptoms that occur in the browser may vary, but typically the browser seems to stop responding (hang), or you may receive an error message. This problem is most likely to occur with certain Netscape 40-bit or 56-bit browser versions that connect to an SSL Web site that is published in ISA Server by using a Server Gated Cryptography (SGC) certificate. In this particular case, you receive the following error message in the Netscape browser:
A network error occurred while Netscape was receiving data. (Network Error: I/O error). Try connecting again.

CAUSE

When an SGC-aware 40-bit or 56-bit Netscape client receives the SGC certificate from ISA Server, it examines the certificate and establishes that it is an SGC certificate. Therefore, the browser tries to step up to 128-bit security. This SSL renegotiation process may not work if a strong cipher renegotiate occurs immediately after the first successful SSL handshake.

This problem is not likely to occur with Microsoft Internet Explorer because the step-up process is performed differently than it is in Netscape browsers.

RESOLUTION

To resolve this problem, obtain the latest service pack for ISA Server 2000. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

313139 How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This problem was corrected in Internet Security and Acceleration Server Service Pack 1.

MORE INFORMATION

To determine whether you are using an SGC certificate in ISA Server, view the following Microsoft Knowledge Base article:

290388 How to Identify If a VeriSign SGC Is Being Used on a Web Site

The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
Modification Type:MajorLast Reviewed:2/20/2002
Keywords:kbbug kbISAServ2000sp1fix KB307209
©2002 Microsoft Corporation. All rights reserved.