[isalist] Re: Publishing in ISA2006

  • From: "Steve Moffat" <steve@xxxxxxxxxx>
  • To: "ISA Mailing List" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 30 Jan 2007 14:04:48 -0400

You are authenticating incoming clients??

 

Against what?

 

S

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Tuesday, January 30, 2007 11:15 AM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006

 

Okay, now we're getting somewhere...  I didn't see anything sticking
out, so I started looking for other events around the same timeframe.  I
ran across several WEBDAV entries that repeated themselves about the
same timeframe, AND they contained the same text I saw in IE...

 

 

Original Client IP            Client Agent      Authenticated Client
Service  Server Name      Referring Server Destination Host Name
Transport           MIME Type        Object Source   Source Proxy
Destination Proxy          Bidirectional      Client Host Name    Filter
Information            Network Interface           Raw IP Header   Raw
Payload     GMT Log Time   Source Port            Processing Time
Bytes Sent        Bytes Received  Result Code      HTTP Status Code
Cache Information            Error Information            Log Record
Type            Authentication Server     Log Time           Destination
IP    Destination Port      Protocol            Action   Rule
Client IP            Client Username            Source Network
Destination Network            HTTP Method    URL

0.0.0.0  Microsoft-WebDAV-MiniRedir/6.0.6000                Reverse
Proxy   GATEWAY        -           SERVERNAME TCP      -
Req ID: 13da6168                                              1/29/2007
2:33:07 AM    0            1          141       146
12241 The page must be viewed over a secure channel (Secure Sockets
Layer (SSL)). Contact the server administrator.             0x0
0x0       Web Proxy Filter            -           1/28/2007 9:33:07 PM
24.213.58.250    80         http       Failed Connection Attempt
Web Server       75.128.225.6     anonymous            External
-           OPTIONS          http://SERVERNAME/

0.0.0.0  Microsoft-WebDAV-MiniRedir/6.0.6000                Reverse
Proxy   GATEWAY        -           servername        TCP      -
Internet                                                 Req ID:
13da616a                                              1/29/2007 2:33:07
AM    0            16         430       146                   200
0x40020000       0xc00   Web Proxy Filter            -
1/28/2007 9:33:07 PM       10.20.1.4           80         https
Allowed Connection        Web Server       75.128.225.6     anonymous
External            -           OPTIONS          http://servername/

0.0.0.0  Microsoft-WebDAV-MiniRedir/6.0.6000                Reverse
Proxy   GATEWAY        -           SERVERNAME TCP      -
Req ID: 13da616c                                              1/29/2007
2:33:07 AM    0            1          152       168
12241 The page must be viewed over a secure channel (Secure Sockets
Layer (SSL)). Contact the server administrator.             0x0
0x0       Web Proxy Filter            -           1/28/2007 9:33:07 PM
24.213.58.250    80         http       Failed Connection Attempt
Web Server       75.128.225.6     anonymous            External
-           PROPFIND        http://SERVERNAME/Hiddenshare$
<http://technology/Technology$> 

 

Looks like there is a request to my PDC every time, and it is being
blocked because it is an anonymous outbound connection on port 80.  That
explains why I'm getting the errors, now to figure out why it is doing
that.

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: Tuesday, January 30, 2007 8:09 AM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006

 

What do the ISA logs say??

S

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Tuesday, January 30, 2007 9:00 AM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006

 

Webserver is on internal network; no SSL required at the webserver
itself (Just tested it again to make sure).

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Roy Tsao
Sent: Tuesday, January 30, 2007 12:40 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

 

The website you published is SSL required, so

- when you publish through HTTP connection, access is denied

- when you redirect to HTTPS by ISA, it works.

Then, you may need to check for any changes at your published web server,
but not ISA.

 

 

 

        ----- Original Message ----- 

        From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>  

        To: isalist@xxxxxxxxxxxxx 

        Sent: Tuesday, January 30, 2007 1:13 PM

        Subject: [isalist] Re: Publishing in ISA2006

         

        Here is the scenario:

        - I remove all publishing rules and web listeners, so I can
start over.

        - I go through the wizard to publish a single webserver.  I take
all the defaults, saying no SSL is required.

        - When it gets to the part about a web listener, I create a new
one, taking the default settings and specifying no SSL or authentication
is required.

        - The rule is done; I apply the changes, and test it.  I get a
403 error.

        - I edit the listener to redirect traffic to HTTPS, and it
works.

         

        There must be something simple I missed...

         

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Monday, January 29, 2007 11:48 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing in ISA2006

         

        The rule works with the related listener.

        You cannot evaluate one without including the other - period.

        The listener, not the rule, is what determines if HTTP/HTTPS
redirection is possible.

        If the listener doesn't accept HTTP, then it can't redirect it
to HTTPS.

        You're not trying to publish a stealth service, are you?

         

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
        Sent: Monday, January 29, 2007 10:51 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing in ISA2006

         

        Not Exchange traffic, but the main web server.  They both use
the same listener, so it makes it difficult to modify one but not the
other.  Once I got the webserver working, I was planning on taking Tom's
suggestion that he had awhile back and using a redirect page to redirect
OWA calls to an alternate port/listener.

         

        In any case, in this particular instance I'm referring to normal
web traffic that I want in plain-text.  Correct me if I'm wrong, but I
was under the assumption that if the publishing rule was not working
"non-SSL", then both the "authenticated traffic" and "all traffic"
options would behave the same way.  I.e., they would both return an
error if the client wasn't capable of the connection.  

         

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Monday, January 29, 2007 11:57 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing in ISA2006

         

        You never had ISA 2004 doing the redirects without custom code.

        It did not have this option.

         

        Let's get this straight - you want to publish plain-text
Exchange web traffic?!?

        Also; '"Redirect authenticated traffic from HTTP to HTTPS" option
in the web listener.  This works because it redirects all web traffic to
HTTPS' is incorrect; that setting only redirects traffic which has
already been authenticated - probably why only some requests are
working.  Change it to redirect "ALL" requests.

         

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
        Sent: Monday, January 29, 2007 8:04 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing in ISA2006

         

        Nope, same server, and ISA_Redirects have never been used on
that server.  I used to publish the website without requiring SSL, now
that is the only way I can get it to work.  In fact, I used the
"connections" tab in the listener to force everything over to HTTPS,
just to get it working.  I just can't figure out how to get it to publish
"without" SSL, as there seem to be some browsers that have a problem
with that method.  While I'd like to tell them to fix their own system
and get over it, that won't fly with a "public" website.  

         

        Where can I start looking for clues on this problem?

         

________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Monday, January 29, 2007 9:29 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing in ISA2006

         

        That error response can only be obtained when web publishing.

        IIS response is quite different.

        You probably were using the ISA_Redirects tool or something
similar and forgot to move it to the new server.

        The good news is that in ISA 2006, such custom mechanisms aren't
required.

        In the listener "Connections" tab, you can opt to redirect
anonymous or authenticated HTTP connections to HTTPS.

         

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
        Sent: Monday, January 29, 2007 1:18 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing in ISA2006

         

        Original publishing is SSL bridge or tunneling?

                ----- Original Message ----- 

                From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>  

                To: isalist@xxxxxxxxxxxxx 

                Sent: Monday, January 29, 2007 10:40 AM

                Subject: [isalist] Publishing in ISA2006

                 

                When I upgraded ISA2004 to ISA2006, my published
webserver and Exchange server no longer worked.  

                 

                Browsing to the website gave me this error:

                Error Code: 403 Forbidden. The page must be viewed over
a secure channel (Secure Sockets Layer (SSL)). Contact the server
administrator. (12241)

                 

                Typing https:// into the URL allowed the traffic to
flow.

                 

                The only way I could get it to work was to enable the
"Redirect authenticated traffic from HTTP to HTTPS" option in the web
listener.  This works because it redirects all web traffic to HTTPS.
However, it doesn't work for all pages, we have a few pages that have
problems, and have had reports from some people that cannot access the
website at all.

                 

                So, I need to get this working properly again.  I've
deleted all of the publishing rules and the web listener several times,
recreating everything from scratch; it still gives me the same error.
I've followed every tutorial I could find, it appears that I'm doing it
correctly.  There must be some little detail that I'm missing with
ISA2006.  Probably something obvious, but it is eluding me...

                 

                Anyone have any ideas?

        All mail to and from this domain is GFI-scanned.
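
Added example, not part of the thread: the log triage Dan Ball describes (looking for other events from the same client around the time of the 403) as a script over a tab-separated export. It assumes an export that keeps the log viewer's column names shown above; the rows, addresses and host names are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

FMT = "%m/%d/%Y %I:%M:%S %p"  # e.g. "1/28/2007 9:33:07 PM"
DAV = "Microsoft-WebDAV-MiniRedir/6.0.6000"
FAIL, ALLOW = "Failed Connection Attempt", "Allowed Connection"
COLS = ("Log Time", "Client IP", "Client Agent", "Protocol", "Action",
        "Result Code", "HTTP Method", "URL")
# Constructed sample records; C and U are placeholder client IP and URL.
C, U = "203.0.113.9", "http://www.example.test/"
ROWS = [
    ("1/28/2007 9:33:05 PM", C, "Mozilla/4.0", "http", FAIL, "12241", "GET", U),
    ("1/28/2007 9:33:07 PM", C, DAV, "http", FAIL, "12241", "OPTIONS", U),
    ("1/28/2007 9:33:07 PM", C, DAV, "https", ALLOW, "200", "OPTIONS", U),
    ("1/28/2007 9:33:07 PM", C, DAV, "http", FAIL, "12241", "PROPFIND", U + "share"),
    ("1/28/2007 9:40:00 PM", C, DAV, "http", FAIL, "12241", "PROPFIND", U + "share"),
    ("1/28/2007 9:33:06 PM", "198.51.100.20", "Mozilla/4.0", "https", ALLOW, "200", "GET", U),
]
SAMPLE = "\n".join("\t".join(r) for r in (COLS, *ROWS))

def load(text):
    """Parse a tab-separated export and attach a parsed timestamp to each row."""
    rows = list(csv.DictReader(io.StringIO(text), delimiter="\t"))
    for row in rows:
        row["when"] = datetime.strptime(row["Log Time"], FMT)
    return rows

def neighbours(rows, anchor, window_s=5):
    """Count other requests from the anchor's client IP within +/- window_s seconds."""
    span = timedelta(seconds=window_s)
    return Counter(
        (r["Client Agent"], r["HTTP Method"], r["Protocol"], r["Action"])
        for r in rows
        if r is not anchor and r["Client IP"] == anchor["Client IP"]
        and abs(r["when"] - anchor["when"]) <= span
    )

def triage(text, window_s=5):
    """Anchor on the first failed GET (the error seen in the browser)."""
    rows = load(text)
    anchor = next(r for r in rows
                  if r["HTTP Method"] == "GET" and r["Action"].startswith("Failed"))
    return neighbours(rows, anchor, window_s)

if __name__ == "__main__":
    for key, count in triage(SAMPLE).most_common():
        print(count, *key, sep="  ")
```

Grouping by agent, method, protocol and action separates the browser's own request from the WebDAV redirector's OPTIONS and PROPFIND requests that arrive alongside it.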
