Find the Blocking Intermediate Device
If you can connect to the server, follow these steps to confirm that an intermediate device is blocking the SSL traffic:
1. On the Web server, open a command prompt and use the Microsoft TCP/IP Tracert utility to connect to a known Web server on the Internet that has an SSL certificate installed (such as www.microsoft.com). This shows all of the "hops" between the Web server and the destination server.
The -d switch tells Tracert not to map IP addresses to host names.
Code:
tracert www.microsoft.com -d
1 20 ms 10 ms 10 ms 24.25.66.1
2 <10 ms 10 ms 10 ms 24.93.65.149
3 <10 ms 10 ms <10 ms 24.93.66.145
4 <10 ms 10 ms 10 ms 24.93.66.178
5 20 ms 20 ms 20 ms 64.240.245.81
6 20 ms 20 ms 20 ms 208.30.202.5
7 20 ms 20 ms 20 ms 144.232.8.229
8 40 ms 30 ms 30 ms 144.232.18.33
9 40 ms 30 ms 40 ms 144.232.26.1
10 40 ms 30 ms 30 ms 144.232.26.6
11 80 ms 71 ms 70 ms 144.232.18.49
12 70 ms 70 ms 70 ms 144.232.6.89
2. When you have obtained this information, use the Microsoft TCP/IP Telnet utility to determine which router is blocking the SSL traffic. First, try to telnet to port 443 on the first hop that is reported from the Tracert output.
For example, telnet to each hop that is listed in the Tracert output:
Code:
telnet 24.93.65.149 443
When a connection is made to a listening SSL port, the telnet session shows a blank flashing cursor, as if the server is waiting for input. After several seconds, or if you press any keys, the telnet client displays the following:
Code:
Connection to host lost.
A connection to a server that is not listening on the SSL port immediately returns the following message:
Code:
Could not open a connection to host on port 443 : Connect failed
3. Continue this process for each item on the Tracert list until you have determined the first intermediate device that is blocking SSL connections. After you find that device, work with the administrator of that device to correct this issue, and then try to connect to the site from the Internet.
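The three steps above can be scripted on systems where the Telnet client is not available. This added PowerShell example (not part of the original article) parses `tracert -d` output and attempts a TCP connection to port 443 on each hop, separating a failed connection from one that gets no response at all. The function names `Get-TracertHop` and `Test-TcpPort`, the timeout and the sample addresses are assumptions.

```powershell
function Get-TracertHop {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Hop line in "tracert -d" layout: hop number, three RTT columns, IPv4 address.
        # Rows ending in "Request timed out." carry no address and are skipped.
        if ($line -match '^\s*(\d+)\s.*\s(\d{1,3}(?:\.\d{1,3}){3})\s*$') {
            [pscustomobject]@{ Hop = [int]$Matches[1]; Address = $Matches[2] }
        }
    }
}

function Test-TcpPort {
    param([string]$Address, [int]$Port = 443, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($Address, $Port)
        # Wait() returns $false on timeout and throws if the connect failed.
        if ($task.Wait($TimeoutMs)) { return 'Connected' }
        return 'NoResponse'   # no reply within the timeout (packets silently dropped)
    } catch {
        $err = $_.Exception.GetBaseException()
        if ($err -is [System.Net.Sockets.SocketException]) {
            return "Failed: $($err.SocketErrorCode)"   # e.g. ConnectionRefused
        }
        return "Failed: $($err.Message)"
    } finally {
        $client.Close()
    }
}

# Constructed sample in "tracert -d" layout (documentation addresses, so the
# probes below will not connect). For live use:
#   $lines = tracert -d www.microsoft.com
$lines = @(
    '  1    20 ms    10 ms    10 ms  192.0.2.1',
    '  2   <10 ms    10 ms    10 ms  198.51.100.7',
    '  3     *        *        *     Request timed out.'
)

# One result row per hop, in path order.
Get-TracertHop $lines | ForEach-Object {
    [pscustomobject]@{
        Hop     = $_.Hop
        Address = $_.Address
        Port443 = (Test-TcpPort -Address $_.Address)
    }
}
```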