[isalist] Re: Publishing in ISA2006
- From: "Roy Tsao" <caohuiming@xxxxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Feb 2007 10:32:46 +0800
"notify HTTP users to use HTTPS instead" is checked or not in your publishing
rule?
----- Original Message -----
From: Steve Moffat
To: ISA Mailing List
Sent: Thursday, February 01, 2007 10:12 AM
Subject: [isalist] Re: Publishing in ISA2006
This is a vanilla install of ISA? No 3rd party addons? Surfcontrol I seem to
remember is your fav.J
Uninstall Surfcontrol, delete your rules and listeners and start from scratch
just by publishing the standard website.
and see if it works.
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Ball, Dan
Sent: Wednesday, January 31, 2007 10:01 PM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006
You are correct, that is not what I want. But, whenever I disable the
redirect users get a 403 forbidden error.
I'd be happy to disable all SSL on the listener, but for some reason it won't
work without it.
------------------------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Wednesday, January 31, 2007 6:20 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
You can't have it both ways - either you want SSL publishing or you don't.
If you configure the rule to "redirect HTTP to HTTPS", then you force the
users to connect using HTTPS, which you say you don't want.
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Ball, Dan
Sent: Wednesday, January 31, 2007 11:39 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
Please excuse my poor description; it is a difficult problem to describe.
To summarize, I do NOT want to redirect ANY traffic on this rule to HTTPS,
but have "had" to do that because it won't work without it. I wasn't ignoring
your clues; they were just describing what I already had done as a "patch" to
get it working.
------------------------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Wednesday, January 31, 2007 12:41 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
Clues have been provided and ignored.
If you want ISA to redirect HTTP to HTTPS, then you have three choices:
1. Configure this at the listener - of course, you have to allow HTTP at
the listener for this to work and this only works for ISA 2006
2. Create a "deny" rule that uses a redirect URL for any HTTP
connections - of course, this means you have to allow HTTP at the related
listener
3. Use a custom "redirector" such as ISA_Redirects.zip or other
If all you do is configure the publishing rule to "notify HTTP users to use
HTTPS instead", you get the behavior you've been describing all along and is
indicated in the logs.
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Ball, Dan
Sent: Wednesday, January 31, 2007 9:12 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
I'm publishing two separate webservers right now and they are both having the
same problem, and both are reachable from the Intranet with no SSL required.
------------------------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Roy Tsao
Sent: Wednesday, January 31, 2007 8:59 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
- You may create another test webserver
- Use your exising publishing rule to publish that new test site
I am still wondering the configuration at your web server side.
----- Original Message -----
From: Ball, Dan
To: isalist@xxxxxxxxxxxxx
Sent: Wednesday, January 31, 2007 8:57 PM
Subject: [isalist] Re: Publishing in ISA2006
Okay, I worked on it for quite awhile, cleaned up rules and removed defined
protocols that weren't in use anymore, and still get the error. I was able to
possibly identify the cause of the previous log though, and bring it down to
three log entries that occur every time I attempt to access the website when
the redirect to HTTPS is disabled.
Original Client IP Client Agent Authenticated Client
Service Server Name Referring Server Destination Host Name Transport
MIME Type Object Source Source Proxy Destination Proxy
Bidirectional Client Host Name Filter Information
Network Interface Raw IP Header Raw Payload GMT Log Time
Source Port Processing Time Bytes Sent Bytes
Received Result Code HTTP Status Code Cache Information
Error Information Log Record Type Authentication Server
Log Time Destination IP Destination Port Protocol
Action Rule Client IP Client Username Source
Network Destination Network HTTP Method URL
0.0.0.0 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR
2.0.50727; .NET CLR 3.0.04506; MAPSIE; InfoPath.2; MAPSIE) Yes
Reverse Proxy GATEWAY www.mapsnet.org TCP
- - - Req ID:
13fae90a - - - 1/31/2007 3:18:58 AM
0 1 2293 392 12241 The page must
be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the
server administrator. 0x0 0x0 Web Proxy Filter
1/30/2007 10:18:58 PM 24.213.58.250 80 http
Failed Connection Attempt Web Server 75.128.225.6 anonymous
External GET http://www.mapsnet.org/
75.128.225.6 GATEWAY -
TCP -
- 1/31/2007
3:18:58 AM 51603 12000 644 2505 0x80074e20
FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall -
1/30/2007 10:18:58 PM 24.213.58.250 80 HTTP Closed
Connection 75.128.225.6 External
Local Host - -
75.128.225.6 GATEWAY -
TCP -
- 1/31/2007
3:18:58 AM 51604 0 0 0 0x0 ERROR_SUCCESS
0x0 0x0 Firewall - 1/30/2007 10:18:58 PM
24.213.58.250 80 HTTP Initiated Connection
75.128.225.6 External Local Host -
-
----------------------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Ball, Dan
Sent: Tuesday, January 30, 2007 1:20 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
No, that's the whole point; it's not supposed to authenticate incoming
connections! *grin*
Reviewing the logs further, I'm starting to get even more confused. The
"SERVERNAME" portion refers to my PDC, but the IP associated with it in each
request changes from my ISA server to the webserver. Initially, I was looking
at the webserver as a possible culprit, but the more I look at it I'm starting
to look at the ISA server instead.
I'll test it some more tonight if I can, disabling a couple of suspect
rules (and SurfControl) as a test to see if they might be the culprit.
----------------------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Steve Moffat
Sent: Tuesday, January 30, 2007 1:05 PM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006
You are authenticating incoming clients??
Against what?
S
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Ball, Dan
Sent: Tuesday, January 30, 2007 11:15 AM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006
Okay, now we're getting somewhere. I didn't see anything sticking out, so
I started looking for other events around the same timeframe. I ran across
several WEBDAV entries that repeated themselves about the same timeframe, AND
they contained the same text I saw in IE.
Original Client IP Client Agent Authenticated Client
Service Server Name Referring Server Destination Host Name Transport
MIME Type Object Source Source Proxy Destination Proxy
Bidirectional Client Host Name Filter Information
Network Interface Raw IP Header Raw Payload GMT Log Time
Source Port Processing Time Bytes Sent Bytes
Received Result Code HTTP Status Code Cache Information
Error Information Log Record Type Authentication Server
Log Time Destination IP Destination Port Protocol
Action Rule Client IP Client Username Source
Network Destination Network HTTP Method URL
0.0.0.0 Microsoft-WebDAV-MiniRedir/6.0.6000 Reverse Proxy
GATEWAY - SERVERNAME TCP -
Req ID: 13da6168
1/29/2007 2:33:07 AM 0 1 141
146 12241 The page must be viewed over a secure channel
(Secure Sockets Layer (SSL)). Contact the server administrator. 0x0
0x0 Web Proxy Filter - 1/28/2007 9:33:07 PM
24.213.58.250 80 http Failed Connection Attempt
Web Server 75.128.225.6 anonymous External -
OPTIONS http://SERVERNAME/
0.0.0.0 Microsoft-WebDAV-MiniRedir/6.0.6000 Reverse Proxy
GATEWAY - servername TCP - Internet
Req ID: 13da616a
1/29/2007 2:33:07 AM 0 16 430
146 200 0x40020000 0xc00 Web Proxy Filter
- 1/28/2007 9:33:07 PM 10.20.1.4 80
https Allowed Connection Web Server 75.128.225.6 anonymous
External - OPTIONS http://servername/
0.0.0.0 Microsoft-WebDAV-MiniRedir/6.0.6000 Reverse Proxy
GATEWAY - SERVERNAME TCP -
Req ID: 13da616c
1/29/2007 2:33:07 AM 0 1 152
168 12241 The page must be viewed over a secure channel
(Secure Sockets Layer (SSL)). Contact the server administrator. 0x0
0x0 Web Proxy Filter - 1/28/2007 9:33:07 PM
24.213.58.250 80 http Failed Connection Attempt
Web Server 75.128.225.6 anonymous External -
PROPFIND http://SERVERNAME/Hiddenshare$
Looks like there is a request to my PDC every time, and it is being blocked
because it is an anonymous outbound connection on port 80. That explains why
I'm getting the errors, now to figure out why it is doing that.
----------------------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Steve Moffat
Sent: Tuesday, January 30, 2007 8:09 AM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006
What do the ISA logs say??
S
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Ball, Dan
Sent: Tuesday, January 30, 2007 9:00 AM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006
Webserver is on internal network; no SSL required at the webserver itself
(Just tested it again to make sure).
----------------------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Roy Tsao
Sent: Tuesday, January 30, 2007 12:40 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
The website you published is SSL required, so
- when you publish through HTTP connection, access is denied
- when you redirect to HTTPs by ISA, it works.
Then, you may need to check any changing at your published web server but
not ISA.
----- Original Message -----
From: Ball, Dan
To: isalist@xxxxxxxxxxxxx
Sent: Tuesday, January 30, 2007 1:13 PM
Subject: [isalist] Re: Publishing in ISA2006
Here is the scenario:
- I remove all publishing rules and web listeners, so I can start over.
- I go through the wizard to publish a single webserver. I take all the
defaults, saying no SSL is required.
- When it gets to the part about a web listener, I create a new one,
taking the default settings and specifying no SSL or authentication is required.
- The rule is done; I apply the changes, and test it. I get a 403 error.
- I edit the listener to redirect traffic to HTTPS, and it works.
There must be something simple I missed.
--------------------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Monday, January 29, 2007 11:48 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
The rule works with the related listener.
You cannot evaluate one without including the other - period.
The listener; not the rule is what determines if HTTP/HTTPS redirection
is possible.
If the listener doesn't accept HTTP, then it can't redirect it to HTTPS.
You're not trying to publish a stealth service, are you?
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Monday, January 29, 2007 10:51 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
Not Exchange traffic, but the main web server. They both use the same
listener, so it makes it difficult to modify one but not the other. Once I got
the webserver working, I was planning on taking Tom's suggestion that he had
awhile back and using a redirect page to redirect OWA calls to an alternate
port/listener.
In any case, in this particular instance I'm referring to normal web
traffic that I want in plain-text. Correct me if I'm wrong, but I was under
the assumption that if the publishing rule was not working "non-SSL", then both
the "authenticated traffic" and "all traffic" options would behave the same
way. I.e., they would both return an error if the client wasn't capable of the
connection.
--------------------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Monday, January 29, 2007 11:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
You never had ISA 2004 doing the redirects without custom code.
It did not have this option.
Let's get this straight - you want to publish plain-text Exchange web
traffic?!?
Also; "Redirect authenticated traffic from HTTP to HTTPS" option in the
web listener. This works because it redirects all web traffic to HTTPS" is
incorrect; that setting only redirects traffic which has already been
authenticated - probably why only some requests are working. Change it to
redirect "ALL" requests.
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Monday, January 29, 2007 8:04 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
Nope, same server, and ISA_Redirects have never been used on that server.
I used to publish the website without requiring SSL, now that is the only way
I can get it to work. In fact, I used the "connections" tab in the listener to
force everything over to HTTPS, just to get it working. I just can't figure
out how to get it publish "without" SSL, as there seem to be some browsers that
have a problem with that method. While I'd like to tell them to fix their own
system and get over it, that won't fly with a "public" website.
Where can I start looking for clues on this problem?
--------------------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Monday, January 29, 2007 9:29 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
That error response can only be obtained when web publishing.
IIS response is quite different.
You probably were using the ISA_Redirects tool or something similar and
forgot to move it to the new server.
The good news is that in ISA 2006, such custom mechanisms aren't required.
In the listener "Connections" tab, you can opt to redirect anonymous or
authenticated HTTP connections to HTTPS.
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Roy Tsao
Sent: Monday, January 29, 2007 1:18 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
Original publishing is SSL bridge or tunneling?
----- Original Message -----
From: Ball, Dan
To: isalist@xxxxxxxxxxxxx
Sent: Monday, January 29, 2007 10:40 AM
Subject: [isalist] Publishing in ISA2006
When I upgraded ISA2004 to ISA2006, my published webserver and Exchange
server no longer worked.
Browsing to the website gave me this error:
Error Code: 403 Forbidden. The page must be viewed over a secure
channel (Secure Sockets Layer (SSL)). Contact the server administrator. (12241)
Typing https:// into the URL allowed the traffic to flow.
The only way I could get it to work was to enable the "Redirect
authenticated traffic from HTTP to HTTPS" option in the web listener. This
works because it redirects all web traffic to HTTPS. However, it doesn't work
for all pages, we have a few pages that have problems, and have had reports
from some people that cannot access the website at all.
So, I need to get this working properly again. I've deleted all of the
publishing rules and the web listener several times, recreating everything from
scratch; it still gives me the same error. I've followed every tutorial I
could find, it appears that I'm doing it correctly. There must be some little
detail that I'm missing with ISA2006. Probably something obvious, but it is
eluding me.
Anyone have any ideas?
All mail to and from this domain is GFI-scanned.
All mail to and from this domain is GFI-scanned.
All mail to and from this domain is GFI-scanned.
All mail to and from this domain is GFI-scanned.
Other related posts:
