RE: OWA HTTPS [Enterprise] Default rule Denial
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 19 Jan 2006 13:12:07 -0600
Hi Jerry,
http://www.isaserver.org/tutorials/Redirecting-OWA-Users-Part1.html
And
http://www.isaserver.org/tutorials/Redirecting-OWA-Users-Part2.html
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx]
> Sent: Thursday, January 19, 2006 1:03 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
>
> http://www.ISAserver.org
>
> Right... I get that but I thought the point of the redirect
> below was to
> be able to have a user redirected to
> https://domain.com/exchange if they
> hit https://domain.com?
>
> Is this behavior also different on ISA Server 2004 EE?
> According to the
> readme file in the archive, it states to put a "custom" error
> page that
> ISA should return to a user that redirects them to the proper URL.
>
> That is, I thought the following procedure would have solved the
> problem.
>
> The error being returned is 12202. So...
>
> Create a 12202.htm file in the ErrorHtmls directory.
> Using either Jscript or Meta Headers, redirect the client to
> the proper
> URL.
> Restart the Firewall Service (since there isn't a Web Proxy service).
>
> Cordially yours,
> Jerry G. Young II
> MCSE (4.0/W2K)
> Atlanta EES Implementation Team Lead
> HHS Engineering
> Unisys
>
> 11493 Sunset Hills Rd.
> Reston, VA 20190
> Office: 703-579-2727
> Cell: 703-625-1468
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
> PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete
> the e-mail
> and its attachments from all computers.
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Thursday, January 19, 2006 1:55 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
>
> http://www.ISAserver.org
>
> Until your request matches the data in the rule, you'll
> continue to get
> that error.
>
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx]
> Sent: Thursday, January 19, 2006 10:43
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
>
> http://www.ISAserver.org
>
> Ooohkey, then. *8^)
>
> Back to the redirect you provided...
>
> The error being received was a 12202 error. Since there wasn't a
> 12202.htm file in the ErrorHtmls directory, I created a new
> file called
> such, put the redirect in, updated the URL to point to where
> I wanted it
> to go and then restarted the firewall service.
>
> I'm still getting that 12202 error and the web proxy filter
> is throwing
> it. *8^(
>
> Ideas?
>
> Cordially yours,
> Jerry G. Young II
> MCSE (4.0/W2K)
> Atlanta EES Implementation Team Lead
> HHS Engineering
> Unisys
>
> 11493 Sunset Hills Rd.
> Reston, VA 20190
> Office: 703-579-2727
> Cell: 703-625-1468
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
> PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete
> the e-mail
> and its attachments from all computers.
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Thursday, January 19, 2006 1:27 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
>
> http://www.ISAserver.org
>
> ISA 2004 doesn't have a web proxy service; it's an
> application filter in
> the firewall service.
> Thus, if you feel the need to cycle the web proxy, you have
> to cycle the
> firewall service.
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx]
> Sent: Thursday, January 19, 2006 10:21
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
>
> http://www.ISAserver.org
>
> Thanks, Jim.
>
> Silly question, though. How do you restart the Web Proxy service when
> it doesn't display in the Services tab of the Monitoring
> node? I don't
> even see W3Proxy.exe running as a process, although I do see a
> W3Prefch.exe process (that related?).
>
> Cordially yours,
> Jerry G. Young II
> MCSE (4.0/W2K)
> Atlanta EES Implementation Team Lead
> HHS Engineering
> Unisys
>
> 11493 Sunset Hills Rd.
> Reston, VA 20190
> Office: 703-579-2727
> Cell: 703-625-1468
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
> PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete
> the e-mail
> and its attachments from all computers.
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Thursday, January 19, 2006 12:44 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
>
> http://www.ISAserver.org
>
> That's my point - you shouldn't allow "/*".
> If you create rules using specific path limitations, don't test them
> using other (empty, IOW) paths unless you're trying to validate ISA
> blocking action (you did).
>
> If you're trying to support folks that forget to use /exchange in the
> URL, take a look at http://isatools.org/isa_redirects.zip
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx]
> Sent: Thursday, January 19, 2006 09:30
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
>
> http://www.ISAserver.org
>
> By default, when creating the rule using the wizard, the paths are set
> to just the following. I have not changed these.
>
> /exchange/*
> /exchweb/*
> /public/*
>
> Should I add "/"? In the past, when I've attempted to add "/*" ISA
> complains saying that that is the same as the others already
> specified.
>
> Cordially yours,
> Jerry G. Young II
> MCSE (4.0/W2K)
> Atlanta EES Implementation Team Lead
> HHS Engineering
> Unisys
>
> 11493 Sunset Hills Rd.
> Reston, VA 20190
> Office: 703-579-2727
> Cell: 703-625-1468
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
> PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete
> the e-mail
> and its attachments from all computers.
>
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Thursday, January 19, 2006 12:23 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
>
> http://www.ISAserver.org
>
> Does you rule include the "/" path?
> My $.02 says "no".
> My $M5 says it shouldn't, either.
>
> -------------------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> -------------------------------------------------------
>
>
> -----Original Message-----
> From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx]
> Sent: Thursday, January 19, 2006 09:06
> To: [ISAserver.org Discussion List]
> Subject: [isalist] OWA HTTPS [Enterprise] Default rule Denial
>
> http://www.ISAserver.org
>
>
> All,
>
> I'm having a problem with getting OWA working through ISA as expected.
>
> If I point the URL for OWA to https://domain.com/exchange
> <https://domain.com/exchange> , a connection is made and the OWA page
> displays. However, if I go to https://domain.com
> <https://domain.com> ,
> I consistently get denied connections due to the [Enterprise] Default
> rule kicking in stating that the ISA server denied that URL. The URL
> field in the logged event shows up as http://domain.com
> <http://domain.com> instead of http://domain.com:443
> <http://domain.com:443> . The same field when going to
> https://domain.com/exchange <https://domain.com/exchange> shows up in
> the logs as http://domain.com:443/exchange
> <http://domain.com:443/exchange> .
>
> Anyone know what's causing this behavior?
>
> Since this is being logged by the Web Proxy Filter, I'm guessing
> something related to that configuration but I'll be damned if I can
> figure it out.
>
> Cordially yours,
>
> Jerry G. Young II
>
> MCSE (4.0/W2K)
>
> Atlanta EES Implementation Team Lead
>
> HHS Engineering
>
> Unisys
>
>
>
> 11493 Sunset Hills Rd.
>
> Reston, VA 20190
>
> Office: 703-579-2727
>
> Cell: 703-625-1468
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
> PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete
> the e-mail
> and its attachments from all computers.
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> gerald.young@xxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> gerald.young@xxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> gerald.young@xxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> All mail to and from this domain is GFI-scanned.
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> gerald.young@xxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
Other related posts:
