302 redirect failing - ISA adding incorrect port?

Hi all - I've encountered an interesting issue with the behavior of 302 redirects in ISA 2006 and I'm hoping someone can help.

I have a pair of ISA servers in my DMZ, and they reside behind a load balancer.  They are publishing a website that resides in the private VLAN on two webs, also behind a load balancer.

The DMZ load balancer, private network LB and the web servers all listen on 443, but in order to conserve IPs in our DMZ, the ISA servers listen on a custom port (let's say, 4321) on their external interfaces.  In other words, the DMZ LB binds 443 to 4321 on the ISAs, and ISA proxies the SSL to the webs via the private LB, all on 443.

Everything works fine for the most part, except for the 302 redirect.  

Basically what happens is www.fake.com/ABC.asp should redirect to www.fake.com/XYZ.asp (and it does work locally on the server), but when you access the www.fake.com/ABC.asp page via ISA, you get redirected to https://www.fake.com:4321/XYZ.asp... which of course times out because the LB is listening on 443, not 4321.

I've gone over the ISA config several times, but I can't figure out what could be causing this behavior.  

I'm probably overlooking something obvious.  Any help would be greatly appreciated.

Thanks!

September 10th, 2013 3:49am

Hi,

Should redirection happen on the ISA or web publishing side?

September 10th, 2013 9:34am

Vasily, thanks for the reply.  

The redirect happens on the web publishing side.  I am *assuming* that ISA is inserting the 4321 port number into the redirected URL, because the server should be completely ignorant of that port, right?  


September 10th, 2013 7:38pm

Well I finally got around to opening a Premier support case about this, and I have to say those guys were less than helpful.

In the process I did manage to solve the problem myself, somewhat by accident. 

What I ended up doing is adding a Link Translation from https://www.fake.com to https://www.fake.com (from and to the identical site).  This "somehow" prevented ISA from injecting the port number into the redirect link. 

I'll also note that we have an otherwise-identical configuration running in our test lab with TMG 2010 instead of ISA, and it does not exhibit this behavior (it has the correct behavior with or without the link translation entry).

October 8th, 2013 7:34pm
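
A check for the symptom described in this thread, as an added example that is not part of the original posts: it resolves a `Location` header against the URL the client requested and reports when the redirect leaves the public scheme, host or port, which is how an internal listener port such as 4321 shows up to clients. The function names and the sample responses are assumptions constructed from the URLs quoted above.

```python
from urllib.parse import urlsplit, urljoin

DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_port(parts):
    """Port the client will connect to: explicit port, else the scheme default."""
    return parts.port or DEFAULT_PORTS.get(parts.scheme)


def audit_redirect(request_url, location):
    """Compare a Location header with the URL the client requested.

    Returns a list of findings; an empty list means the redirect stays on
    the same public scheme, host and port.
    """
    req = urlsplit(request_url)
    # Location may be relative, so resolve it the way a browser would.
    target = urlsplit(urljoin(request_url, location))
    findings = []
    if target.scheme != req.scheme:
        findings.append(f"scheme changed: {req.scheme} -> {target.scheme}")
    if (target.hostname or "").lower() != (req.hostname or "").lower():
        findings.append(f"host changed: {req.hostname} -> {target.hostname}")
    elif effective_port(target) != effective_port(req):
        # Same host, different port: a back-end or proxy listener port leaked.
        findings.append(
            f"port changed: {effective_port(req)} -> {effective_port(target)}"
        )
    return findings


# Constructed samples modelled on the thread (requested URL, Location header).
SAMPLES = [
    ("https://www.fake.com/ABC.asp", "https://www.fake.com:4321/XYZ.asp"),
    ("https://www.fake.com/ABC.asp", "https://www.fake.com/XYZ.asp"),
    ("https://www.fake.com/ABC.asp", "/XYZ.asp"),
    ("https://www.fake.com/ABC.asp", "https://www.fake.com:443/XYZ.asp"),
]

if __name__ == "__main__":
    for url, loc in SAMPLES:
        print(f"{loc!r}: {audit_redirect(url, loc) or 'ok'}")
```

Feeding it the `Location` values captured once through the published name and once directly against the web server shows which hop rewrites the header.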
