pix https

wharrison (Level 1)

I have a PIX 525 with three interfaces. All traffic flows except for https connections; they work to the DMZ.

8 Replies

nkhawaja (Cisco Employee)

Hi,

So I get that you can't open up https sites from inside to outside? Is this a new installation? What OS version of PIX? Are there any syslog messages you can collect? Is there any particular site you are having trouble with?

Even my questions are longer than your description of the problem ;)

Thanks

Nadeem

This is a new installation; we have six web servers on the DMZ. Two of the web servers run https. These are the two web servers that you cannot access through 443 from inside or outside. I just upgraded the OS from 6.3.1 to 6.3.4 along with the PDM 3.01 to 3.02. One server is MS Exchange OWA, the other an SSL Java website page.

So was it working with 6.3.1?

Can you share the config (hide the IP addresses).

Any syslog messages? What is the IP of the server in question?

Thanks

It did not work with 6.3.1, but I wonder if adding 443 to the fixup protocol will work. Please respond.

I doubt it will work by adding fixup 443.

You need to collect syslog messages now.

I discovered the two web servers also have two NIC cards, one connected to the DMZ and the other to the LAN network. I think this might be the problem. Please respond.

Sounds like you're confusing your servers. Each NIC on the servers is configured for a different network (DMZ/inside). Try removing the servers from the LAN and add the corresponding statements in your PIX to talk to the servers through the DMZ.

I personally do not consider it a good security practice to connect a device in the DMZ directly to the internal LAN. The justification being that if your DMZ server is compromised, your internal devices are at a higher risk of being compromised. If the second NIC on the DMZ servers connects to some other LAN (such as a dedicated backup LAN) then my concerns do not apply to your situation and you can ignore them.

To answer your actual question, when you have multiple NICs installed in an MS Windows machine the TCP/IP stack only uses one default gateway to communicate with the outside world. There is no hard and fast rule as to which gateway will be used. Do you have multiple default gateways configured? If yes, then I recommend removing the default gateway on the NIC connected to the internal LAN, thereby forcing all traffic from unknown destinations to flow through the PIX. Only communication to internal LAN hosts will flow through the secondary NIC.
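The check the reply above describes, written as an added example (it is not code from this thread or from Cisco): it parses the IPv4 section of a Windows `route print` listing and flags a dual-homed host that has more than one 0.0.0.0/0 route, or whose only default route is not on the DMZ-facing NIC. The routing table below is constructed for the example, and the DMZ address 172.16.1.10 and LAN address 10.0.0.10 are assumptions.

```python
"""Flag a multi-homed Windows host that has more than one default gateway.

Added example. Parses the "Active Routes" block of a Windows `route print`
listing (constructed sample below) and reports every 0.0.0.0/0 route. The
recommended state, per the thread, is a single default route on the
firewall-facing (DMZ) NIC; the addresses used here are assumptions.
"""
import re

# Constructed sample: one NIC on the DMZ (172.16.1.10), one on the internal
# LAN (10.0.0.10), and a default gateway configured on each.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.16.1.1     172.16.1.10     10
          0.0.0.0          0.0.0.0         10.0.0.1       10.0.0.10     20
       10.0.0.0    255.255.255.0         On-link        10.0.0.10    276
      172.16.1.0    255.255.255.0         On-link      172.16.1.10    276
       127.0.0.0        255.0.0.0         On-link        127.0.0.1    331
===========================================================================
"""

# One route line: destination, netmask, gateway (an IP or "On-link"),
# interface address, metric. Header and separator lines do not match.
ROUTE_LINE = re.compile(
    r"^\s*(?P<dest>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<gw>\S+)\s+(?P<iface>\d+\.\d+\.\d+\.\d+)\s+(?P<metric>\d+)\s*$"
)


def parse_routes(text):
    """Return a list of (destination, netmask, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            routes.append((m["dest"], m["mask"], m["gw"], m["iface"], int(m["metric"])))
    return routes


def default_gateways(routes):
    """Default routes (0.0.0.0/0) as (gateway, interface, metric), lowest metric first."""
    defaults = [(gw, iface, metric) for dest, mask, gw, iface, metric in routes
                if dest == "0.0.0.0" and mask == "0.0.0.0"]
    return sorted(defaults, key=lambda r: r[2])


def check_host(text, dmz_interface):
    """Return (ok, message).

    ok is False when there is no default route, when more than one default
    route exists, or when the only default route is not on the DMZ NIC.
    """
    defaults = default_gateways(parse_routes(text))
    if not defaults:
        return False, "no default route found"
    if len(defaults) > 1:
        extra = [f"{gw} via {iface}" for gw, iface, _ in defaults if iface != dmz_interface]
        return False, ("multiple default gateways; remove the default route on "
                       "the non-DMZ NIC(s): " + ", ".join(extra))
    gw, iface, _ = defaults[0]
    if iface != dmz_interface:
        return False, f"single default route {gw} is on {iface}, not the DMZ NIC {dmz_interface}"
    return True, f"single default route {gw} via DMZ NIC {iface}"


if __name__ == "__main__":
    ok, msg = check_host(SAMPLE_ROUTE_PRINT, "172.16.1.10")
    print("OK" if ok else "PROBLEM", "-", msg)
```

On a real host, feed `check_host` the output of `route print` and pass the address of the NIC that faces the PIX; a PROBLEM result on the LAN-side gateway is exactly the condition the reply says to fix by removing that gateway.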
