I've been swamped with another project, but are you sure you've not created rules requiring client authentication over ssl from the outside? Are you just trying to publish a site over SSL?

t

On 1/31/07 9:11 AM, "Ball, Dan" <DBall@xxxxxxxxxxx> spoketh to all:

> I'm publishing two separate webservers right now and they are both having the
> same problem, and both are reachable from the Intranet with no SSL required.
>
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
> Sent: Wednesday, January 31, 2007 8:59 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
>
> - You may create another test webserver
>
> - Use your existing publishing rule to publish that new test site
>
> I am still wondering about the configuration at your web server side.
>>
>> ----- Original Message -----
>> From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>
>> To: isalist@xxxxxxxxxxxxx
>> Sent: Wednesday, January 31, 2007 8:57 PM
>> Subject: [isalist] Re: Publishing in ISA2006
>>
>> Okay, I worked on it for quite awhile, cleaned up rules and removed defined
>> protocols that weren't in use anymore, and still get the error? I was able
>> to possibly identify the cause of the previous log though, and bring it down
>> to three log entries that occur every time I attempt to access the website
>> when the redirect to HTTPS is disabled.
>>
>> Original Client IP Client Agent Authenticated Client
>> Service Server Name Referring Server Destination Host Name Transport
>> MIME Type Object Source Source Proxy Destination Proxy
>> Bidirectional Client Host Name Filter Information Network
>> Interface Raw IP Header Raw Payload GMT Log Time Source Port
>> Processing Time Bytes Sent Bytes Received Result Code
>> HTTP Status Code Cache Information Error Information
>> Log Record Type Authentication Server Log Time
>> Destination IP Destination Port Protocol Action Rule
>> Client IP Client Username Source Network Destination
>> Network HTTP Method URL
>>
>> 0.0.0.0 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR
>> 2.0.50727; .NET CLR 3.0.04506; MAPSIE; InfoPath.2; MAPSIE) Yes
>> Reverse Proxy GATEWAY www.mapsnet.org TCP
>> - - - Req ID: 13fae90a -
>> - - 1/31/2007 3:18:58 AM 0 1 2293
>> 392 12241 The page must be viewed over a secure channel
>> (Secure Sockets Layer (SSL)). Contact the server administrator. 0x0
>> 0x0 Web Proxy Filter 1/30/2007 10:18:58 PM
>> 24.213.58.250 80 http Failed Connection Attempt
>> Web Server 75.128.225.6 anonymous External
>> GET http://www.mapsnet.org/
>>
>> 75.128.225.6 GATEWAY -
>> TCP -
>> - 1/31/2007 3:18:58 AM 51603
>> 12000 644 2505 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN
>> 0x0 0x0 Firewall - 1/30/2007 10:18:58 PM 24.213.58.250
>> 80 HTTP Closed Connection 75.128.225.6
>> External Local Host - -
>>
>> 75.128.225.6 GATEWAY -
>> TCP -
>> - 1/31/2007 3:18:58 AM 51604
>> 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0
>> Firewall - 1/30/2007 10:18:58 PM 24.213.58.250 80 HTTP
>> Initiated Connection 75.128.225.6 External
>> Local Host - -
>>
>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
>> Sent: Tuesday, January 30, 2007 1:20 PM
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: Publishing in ISA2006
>>
>> No, that's the whole point; it's not supposed to authenticate incoming
>> connections!
>> *grin*
>>
>> Reviewing the logs further, I'm starting to get even more confused? The
>> "SERVERNAME" portion refers to my PDC, but the IP associated with it in each
>> request changes from my ISA server to the webserver. Initially, I was
>> looking at the webserver as a possible culprit, but the more I look at it I'm
>> starting to look at the ISA server instead.
>>
>> I'll test it some more tonight if I can, disabling a couple of suspect rules
>> (and SurfControl) as a test to see if they might be the culprit.
>>
>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
>> Sent: Tuesday, January 30, 2007 1:05 PM
>> To: ISA Mailing List
>> Subject: [isalist] Re: Publishing in ISA2006
>>
>> You are authenticating incoming clients??
>>
>> Against what?
>>
>> S
>>
>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
>> Sent: Tuesday, January 30, 2007 11:15 AM
>> To: ISA Mailing List
>> Subject: [isalist] Re: Publishing in ISA2006
>>
>> Okay, now we're getting somewhere? I didn't see anything sticking out, so I
>> started looking for other events around the same timeframe. I ran across
>> several WEBDAV entries that repeated themselves about the same timeframe, AND
>> they contained the same text I saw in IE?
>>
>> Original Client IP Client Agent Authenticated Client
>> Service Server Name Referring Server Destination Host Name Transport
>> MIME Type Object Source Source Proxy Destination Proxy
>> Bidirectional Client Host Name Filter Information Network
>> Interface Raw IP Header Raw Payload GMT Log Time Source Port
>> Processing Time Bytes Sent Bytes Received Result Code
>> HTTP Status Code Cache Information Error Information
>> Log Record Type Authentication Server Log Time
>> Destination IP Destination Port Protocol Action Rule
>> Client IP Client Username Source Network Destination
>> Network HTTP Method URL
>>
>> 0.0.0.0 Microsoft-WebDAV-MiniRedir/6.0.6000 Reverse Proxy
>> GATEWAY - SERVERNAME TCP -
>> Req ID: 13da6168 1/29/2007
>> 2:33:07 AM 0 1 141 146 12241 The
>> page must be viewed over a secure channel (Secure Sockets Layer (SSL)).
>> Contact the server administrator. 0x0 0x0 Web Proxy
>> Filter - 1/28/2007 9:33:07 PM 24.213.58.250
>> 80 http Failed Connection Attempt Web Server
>> 75.128.225.6 anonymous External - OPTIONS
>> http://SERVERNAME/
>>
>> 0.0.0.0 Microsoft-WebDAV-MiniRedir/6.0.6000 Reverse Proxy
>> GATEWAY - servername TCP - Internet
>> Req ID: 13da616a 1/29/2007
>> 2:33:07 AM 0 16 430 146 200
>> 0x40020000 0xc00 Web Proxy Filter - 1/28/2007
>> 9:33:07 PM 10.20.1.4 80 https Allowed Connection
>> Web Server 75.128.225.6 anonymous External -
>> OPTIONS http://servername/
>>
>> 0.0.0.0 Microsoft-WebDAV-MiniRedir/6.0.6000 Reverse Proxy
>> GATEWAY - SERVERNAME TCP -
>> Req ID: 13da616c 1/29/2007
>> 2:33:07 AM 0 1 152 168 12241 The
>> page must be viewed over a secure channel (Secure Sockets Layer (SSL)).
>> Contact the server administrator.
>> 0x0 0x0 Web Proxy
>> Filter - 1/28/2007 9:33:07 PM 24.213.58.250
>> 80 http Failed Connection Attempt Web Server
>> 75.128.225.6 anonymous External - PROPFIND
>> http://SERVERNAME/Hiddenshare$ <http://technology/Technology$>
>>
>> Looks like there is a request to my PDC every time, and it is being blocked
>> because it is an anonymous outbound connection on port 80. That explains why
>> I'm getting the errors, now to figure out why it is doing that.
>>
>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
>> Sent: Tuesday, January 30, 2007 8:09 AM
>> To: ISA Mailing List
>> Subject: [isalist] Re: Publishing in ISA2006
>>
>> What do the ISA logs say??
>> S
>>
>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
>> Sent: Tuesday, January 30, 2007 9:00 AM
>> To: ISA Mailing List
>> Subject: [isalist] Re: Publishing in ISA2006
>>
>> Webserver is on internal network; no SSL required at the webserver itself
>> (Just tested it again to make sure).
>>
>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
>> Sent: Tuesday, January 30, 2007 12:40 AM
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: Publishing in ISA2006
>>
>> The website you published is SSL required, so
>>
>> - when you publish through HTTP connection, access is denied
>>
>> - when you redirect to HTTPs by ISA, it works.
>>
>> Then, you may need to check any changes at your published web server but
>> not ISA.
>>
>>>
>>> ----- Original Message -----
>>> From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>
>>> To: isalist@xxxxxxxxxxxxx
>>> Sent: Tuesday, January 30, 2007 1:13 PM
>>> Subject: [isalist] Re: Publishing in ISA2006
>>>
>>> Here is the scenario:
>>> - I remove all publishing rules and web listeners, so I can start over.
>>> - I go through the wizard to publish a single webserver.
>>> I take all the
>>> defaults, saying no SSL is required.
>>> - When it gets to the part about a web listener, I create a new one, taking
>>> the default settings and specifying no SSL or authentication is required.
>>> - The rule is done; I apply the changes, and test it. I get a 403 error.
>>> - I edit the listener to redirect traffic to HTTPS, and it works.
>>>
>>> There must be something simple I missed?
>>>
>>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: Monday, January 29, 2007 11:48 PM
>>> To: isalist@xxxxxxxxxxxxx
>>> Subject: [isalist] Re: Publishing in ISA2006
>>>
>>> The rule works with the related listener.
>>> You cannot evaluate one without including the other, period.
>>> The listener, not the rule, is what determines if HTTP/HTTPS redirection is
>>> possible.
>>> If the listener doesn't accept HTTP, then it can't redirect it to HTTPS.
>>> You're not trying to publish a stealth service, are you?
>>>
>>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
>>> Sent: Monday, January 29, 2007 10:51 AM
>>> To: isalist@xxxxxxxxxxxxx
>>> Subject: [isalist] Re: Publishing in ISA2006
>>>
>>> Not Exchange traffic, but the main web server. They both use the same
>>> listener, so it makes it difficult to modify one but not the other. Once I
>>> got the webserver working, I was planning on taking Tom's suggestion that he
>>> had awhile back and using a redirect page to redirect OWA calls to an
>>> alternate port/listener.
>>>
>>> In any case, in this particular instance I'm referring to normal web traffic
>>> that I want in plain-text. Correct me if I'm wrong, but I was under the
>>> assumption that if the publishing rule was not working "non-SSL", then both
>>> the "authenticated traffic" and "all traffic" options would behave the same
>>> way. I.e., they would both return an error if the client wasn't capable of
>>> the connection.
>>>
>>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: Monday, January 29, 2007 11:57 AM
>>> To: isalist@xxxxxxxxxxxxx
>>> Subject: [isalist] Re: Publishing in ISA2006
>>>
>>> You never had ISA 2004 doing the redirects without custom code.
>>> It did not have this option.
>>>
>>> Let's get this straight: you want to publish plain-text Exchange web
>>> traffic?!?
>>> Also; '"Redirect authenticated traffic from HTTP to HTTPS" option in the web
>>> listener. This works because it redirects all web traffic to HTTPS' is
>>> incorrect; that setting only redirects traffic which has already been
>>> authenticated, probably why only some requests are working. Change it to
>>> redirect "ALL" requests.
>>>
>>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
>>> Sent: Monday, January 29, 2007 8:04 AM
>>> To: isalist@xxxxxxxxxxxxx
>>> Subject: [isalist] Re: Publishing in ISA2006
>>>
>>> Nope, same server, and ISA_Redirects have never been used on that server. I
>>> used to publish the website without requiring SSL, now that is the only way
>>> I can get it to work. In fact, I used the "connections" tab in the listener
>>> to force everything over to HTTPS, just to get it working. I just can't
>>> figure out how to get it to publish "without" SSL, as there seem to be some
>>> browsers that have a problem with that method. While I'd like to tell them
>>> to fix their own system and get over it, that won't fly with a "public"
>>> website.
>>>
>>> Where can I start looking for clues on this problem?
>>>
>>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>>> Sent: Monday, January 29, 2007 9:29 AM
>>> To: isalist@xxxxxxxxxxxxx
>>> Subject: [isalist] Re: Publishing in ISA2006
>>>
>>> That error response can only be obtained when web publishing.
>>> IIS response is quite different.
>>> You probably were using the ISA_Redirects tool or something similar and
>>> forgot to move it to the new server.
>>> The good news is that in ISA 2006, such custom mechanisms aren't required.
>>> In the listener "Connections" tab, you can opt to redirect anonymous or
>>> authenticated HTTP connections to HTTPS.
>>>
>>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
>>> Sent: Monday, January 29, 2007 1:18 AM
>>> To: isalist@xxxxxxxxxxxxx
>>> Subject: [isalist] Re: Publishing in ISA2006
>>>
>>> Original publishing is SSL bridge or tunneling?
>>>>
>>>> ----- Original Message -----
>>>> From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>
>>>> To: isalist@xxxxxxxxxxxxx
>>>> Sent: Monday, January 29, 2007 10:40 AM
>>>> Subject: [isalist] Publishing in ISA2006
>>>>
>>>> When I upgraded ISA2004 to ISA2006, my published webserver and Exchange
>>>> server no longer worked.
>>>>
>>>> Browsing to the website gave me this error:
>>>> Error Code: 403 Forbidden. The page must be viewed over a secure channel
>>>> (Secure Sockets Layer (SSL)). Contact the server administrator. (12241)
>>>>
>>>> Typing https:// into the URL allowed the traffic to flow.
>>>>
>>>> The only way I could get it to work was to enable the "Redirect
>>>> authenticated traffic from HTTP to HTTPS" option in the web listener. This
>>>> works because it redirects all web traffic to HTTPS. However, it doesn't
>>>> work for all pages, we have a few pages that have problems, and have had
>>>> reports from some people that cannot access the website at all.
>>>>
>>>> So, I need to get this working properly again. I've deleted all of the
>>>> publishing rules and the web listener several times, recreating everything
>>>> from scratch; it still gives me the same error. I've followed every
>>>> tutorial I could find, it appears that I'm doing it correctly. There must
>>>> be some little detail that I'm missing with ISA2006.
>>>> Probably something
>>>> obvious, but it is eluding me?
>>>>
>>>> Anyone have any ideas?
>>>
>>> All mail to and from this domain is GFI-scanned.