[isalist] Re: Publishing in ISA2006

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 31 Jan 2007 22:11:37 -0500

Man, you are a true sadist!  I lost count of how many hours I spent to
get RainConnect and SurfControl working, and you want me to start over?
Ack! 

 

Actually, if I can't figure it out, I might have to resort to a nuke and
pave route...  Hope not though...

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: Wednesday, January 31, 2007 9:12 PM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006

 

This is a vanilla install of ISA? No 3rd party addons? Surfcontrol I
seem to remember is your fav...:-)

 

Uninstall Surfcontrol, delete your rules and listeners and start from
scratch just by publishing the standard website.

 

 and see if it works...

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Wednesday, January 31, 2007 10:01 PM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006

 

You are correct, that is not what I want.  But, whenever I disable the
redirect users get a 403 forbidden error.  

I'd be happy to disable all SSL on the listener, but for some reason it
won't work without it.

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Wednesday, January 31, 2007 6:20 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

 

You can't have it both ways - either you want SSL publishing or you
don't.

If you configure the rule to "redirect HTTP to HTTPS", then you force
the users to connect using HTTPS, which you say you don't want.

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Wednesday, January 31, 2007 11:39 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

 

Please excuse my poor description; it is a difficult problem to
describe.  

 

To summarize, I do NOT want to redirect ANY traffic on this rule to
HTTPS, but have "had" to do that because it won't work without it.  I
wasn't ignoring your clues; they were just describing what I already had
done as a "patch" to get it working.

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Wednesday, January 31, 2007 12:41 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

 

Clues have been provided and ignored.

If you want ISA to redirect HTTP to HTTPS, then you have three choices:

1.      Configure this at the listener - of course, you have to allow
HTTP at the listener for this to work and this only works for ISA 2006

2.      Create a "deny" rule that uses a redirect URL for any HTTP
connections - of course, this means you have to allow HTTP at the
related listener

3.      Use a custom "redirector" such as  ISA_Redirects.zip or other

 

If all you do is configure the publishing rule to "notify HTTP users to
use HTTPS instead", you get the behavior you've been describing all
along and is indicated in the logs.

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Wednesday, January 31, 2007 9:12 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

 

I'm publishing two separate webservers right now and they are both
having the same problem, and both are reachable from the Intranet with
no SSL required.  

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Roy Tsao
Sent: Wednesday, January 31, 2007 8:59 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

 

- You may create another test webserver

- Use your exising publishing rule to publish that new test site

I am still wondering the configuration at your web server side.

        ----- Original Message ----- 

        From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>  

        To: isalist@xxxxxxxxxxxxx 

        Sent: Wednesday, January 31, 2007 8:57 PM

        Subject: [isalist] Re: Publishing in ISA2006

         

        Okay, I worked on it for quite awhile, cleaned up rules and
removed defined protocols that weren't in use anymore, and still get the
error...  I was able to possibly identify the cause of the previous log
though, and bring it down to three log entries that occur every time I
attempt to access the website when the redirect to HTTPS is disabled.

         

        Original Client IP            Client Agent      Authenticated
Client       Service  Server Name      Referring Server Destination Host
Name    Transport           MIME Type        Object Source   Source
Proxy    Destination Proxy          Bidirectional      Client Host Name
Filter Information            Network Interface           Raw IP Header
Raw Payload     GMT Log Time   Source Port            Processing Time
Bytes Sent        Bytes Received  Result Code      HTTP Status Code
Cache Information            Error Information            Log Record
Type            Authentication Server     Log Time           Destination
IP    Destination Port      Protocol            Action   Rule
Client IP            Client Username            Source Network
Destination Network            HTTP Method    URL

        0.0.0.0  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;
SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; MAPSIE; InfoPath.2;
MAPSIE)      Yes      Reverse Proxy   GATEWAY
www.mapsnet.org          TCP                              -            -
-           Req ID: 13fae90a           -           -           -
1/31/2007 3:18:58 AM    0          1          2293            392
12241 The page must be viewed over a secure channel (Secure Sockets
Layer (SSL)). Contact the server administrator.       0x0       0x0
Web Proxy Filter                        1/30/2007 10:18:58 PM
24.213.58.250    80         http            Failed Connection Attempt
Web Server       75.128.225.6     anonymous       External
GET            http://www.mapsnet.org/

        75.128.225.6                                         GATEWAY
-                       TCP      -
-                                               1/31/2007 3:18:58 AM
51603   12000   644       2505     0x80074e20 FWX_E_GRACEFUL_SHUTDOWN
0x0       0x0       Firewall -           1/30/2007 10:18:58 PM
24.213.58.250    80            HTTP    Closed Connection
75.128.225.6                 External            Local Host         -
-

        75.128.225.6                                         GATEWAY
-                       TCP      -
-                                               1/31/2007 3:18:58 AM
51604   0          0          0          0x0 ERROR_SUCCESS
0x0       0x0       Firewall -           1/30/2007 10:18:58 PM
24.213.58.250    80         HTTP    Initiated Connection
75.128.225.6                 External            Local Host         -
-

         

         

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
        Sent: Tuesday, January 30, 2007 1:20 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing in ISA2006

         

        No, that's the whole point; it's not supposed to authenticate
incoming connections! *grin* 

         

        Reviewing the logs further, I'm starting to get even more
confused...  The "SERVERNAME" portion refers to my PDC, but the IP
associated with it in each request changes from my ISA server to the
webserver.  Initially, I was looking at the webserver as a possible
culprit, but the more I look at it I'm starting to look at the ISA
server instead.

         

        I'll test it some more tonight if I can, disabling a couple of
suspect rules (and SurfControl) as a test to see if they might be the
culprit.

         

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
        Sent: Tuesday, January 30, 2007 1:05 PM
        To: ISA Mailing List
        Subject: [isalist] Re: Publishing in ISA2006

         

        You are authenticating incoming clients??

         

        Against what?

         

        S

         

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
        Sent: Tuesday, January 30, 2007 11:15 AM
        To: ISA Mailing List
        Subject: [isalist] Re: Publishing in ISA2006

         

        Okay, now we're getting somewhere...  I didn't see anything
sticking out, so I started looking for other events around the same
timeframe.  I ran across several WEBDAV entries that repeated themselves
about the same timeframe, AND they contained the same text I saw in
IE...

         

         

        Original Client IP            Client Agent      Authenticated
Client       Service  Server Name      Referring Server Destination Host
Name    Transport           MIME Type        Object Source   Source
Proxy    Destination Proxy          Bidirectional      Client Host Name
Filter Information            Network Interface           Raw IP Header
Raw Payload     GMT Log Time   Source Port            Processing Time
Bytes Sent        Bytes Received  Result Code      HTTP Status Code
Cache Information            Error Information            Log Record
Type            Authentication Server     Log Time           Destination
IP    Destination Port      Protocol            Action   Rule
Client IP            Client Username            Source Network
Destination Network            HTTP Method    URL

        0.0.0.0  Microsoft-WebDAV-MiniRedir/6.0.6000
Reverse Proxy   GATEWAY        -           SERVERNAME TCP      -
Req ID: 13da6168                                              1/29/2007
2:33:07 AM    0            1          141       146
12241 The page must be viewed over a secure channel (Secure Sockets
Layer (SSL)). Contact the server administrator.             0x0
0x0       Web Proxy Filter            -           1/28/2007 9:33:07 PM
24.213.58.250    80         http       Failed Connection Attempt
Web Server       75.128.225.6     anonymous            External
-           OPTIONS          http://SERVERNAME/

        0.0.0.0  Microsoft-WebDAV-MiniRedir/6.0.6000
Reverse Proxy   GATEWAY        -           servername        TCP      -
Internet                                                 Req ID:
13da616a                                              1/29/2007 2:33:07
AM    0            16         430       146                   200
0x40020000       0xc00   Web Proxy Filter            -
1/28/2007 9:33:07 PM       10.20.1.4           80         https
Allowed Connection        Web Server       75.128.225.6     anonymous
External            -           OPTIONS          http://servername/

        0.0.0.0  Microsoft-WebDAV-MiniRedir/6.0.6000
Reverse Proxy   GATEWAY        -           SERVERNAME TCP      -
Req ID: 13da616c                                              1/29/2007
2:33:07 AM    0            1          152       168
12241 The page must be viewed over a secure channel (Secure Sockets
Layer (SSL)). Contact the server administrator.             0x0
0x0       Web Proxy Filter            -           1/28/2007 9:33:07 PM
24.213.58.250    80         http       Failed Connection Attempt
Web Server       75.128.225.6     anonymous            External
-           PROPFIND        http://SERVERNAME/Hiddenshare$
<http://technology/Technology$> 

         

        Looks like there is a request to my PDC every time, and it is
being blocked because it is an anonymous outbound connection on port 80.
That explains why I'm getting the errors, now to figure out why it is
doing that.

         

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
        Sent: Tuesday, January 30, 2007 8:09 AM
        To: ISA Mailing List
        Subject: [isalist] Re: Publishing in ISA2006

         

        What do the ISA logs say??

        S

         

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
        Sent: Tuesday, January 30, 2007 9:00 AM
        To: ISA Mailing List
        Subject: [isalist] Re: Publishing in ISA2006

         

        Webserver is on internal network; no SSL required at the
webserver itself (Just tested it again to make sure).

         

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
        Sent: Tuesday, January 30, 2007 12:40 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing in ISA2006

         

        The website you published is SSL required, so

        - when you publish through HTTP connection, access is denied

        - when you redirect to HTTPs by ISA, it works.

        Then, you may need to check any changing at your published web
server but

        not ISA.

         

         

         

                ----- Original Message ----- 

                From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>  

                To: isalist@xxxxxxxxxxxxx 

                Sent: Tuesday, January 30, 2007 1:13 PM

                Subject: [isalist] Re: Publishing in ISA2006

                 

                Here is the scenario:

                - I remove all publishing rules and web listeners, so I
can start over.

                - I go through the wizard to publish a single webserver.
I take all the defaults, saying no SSL is required.

                - When it gets to the part about a web listener, I
create a new one, taking the default settings and specifying no SSL or
authentication is required.

                - The rule is done; I apply the changes, and test it.  I
get a 403 error.

                - I edit the listener to redirect traffic to HTTPS, and
it works.

                 

                There must be something simple I missed...

                 

                
________________________________


                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
                Sent: Monday, January 29, 2007 11:48 PM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: Publishing in ISA2006

                 

                The rule works with the related listener.

                You cannot evaluate one without including the other -
period.

                The listener; not the rule is what determines if
HTTP/HTTPS redirection is possible.

                If the listener doesn't accept HTTP, then it can't
redirect it to HTTPS.

                You're not trying to publish a stealth service, are you?

                 

                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
                Sent: Monday, January 29, 2007 10:51 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: Publishing in ISA2006

                 

                Not Exchange traffic, but the main web server.  They
both use the same listener, so it makes it difficult to modify one but
not the other.  Once I got the webserver working, I was planning on
taking Tom's suggestion that he had awhile back and using a redirect
page to redirect OWA calls to an alternate port/listener.

                 

                In any case, in this particular instance I'm referring
to normal web traffic that I want in plain-text.  Correct me if I'm
wrong, but I was under the assumption that if the publishing rule was
not working "non-SSL", then both the "authenticated traffic" and "all
traffic" options would behave the same way.  I.e., they would both
return an error if the client wasn't capable of the connection.  

                 

                
________________________________


                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
                Sent: Monday, January 29, 2007 11:57 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: Publishing in ISA2006

                 

                You never had ISA 2004 doing the redirects without
custom code.

                It did not have this option.

                 

                Let's get this straight - you want to publish plain-text
Exchange web traffic?!?

                Also; "Redirect authenticated traffic from HTTP to
HTTPS" option in the web listener.  This works because it redirects all
web traffic to HTTPS" is incorrect; that setting only redirects traffic
which has already been authenticated - probably why only some requests
are working.  Change it to redirect "ALL" requests.

                 

                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
                Sent: Monday, January 29, 2007 8:04 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: Publishing in ISA2006

                 

                Nope, same server, and ISA_Redirects have never been
used on that server.  I used to publish the website without requiring
SSL, now that is the only way I can get it to work.  In fact, I used the
"connections" tab in the listener to force everything over to HTTPS,
just to get it working.  I just can't figure out how to get it publish
"without" SSL, as there seem to be some browsers that have a problem
with that method.  While I'd like to tell them to fix their own system
and get over it, that won't fly with a "public" website.  

                 

                Where can I start looking for clues on this problem?

                 

                
________________________________


                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
                Sent: Monday, January 29, 2007 9:29 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: Publishing in ISA2006

                 

                That error response can only be obtained when web
publishing.

                IIS response is quite different.

                You probably were using the ISA_Redirects tool or
something similar and forgot to move it to the new server.

                The good news is that in ISA 2006, such custom
mechanisms aren't required.

                In the listener "Connections" tab, you can opt to
redirect anonymous or authenticated HTTP connections to HTTPS.

                 

                From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
                Sent: Monday, January 29, 2007 1:18 AM
                To: isalist@xxxxxxxxxxxxx
                Subject: [isalist] Re: Publishing in ISA2006

                 

                Original publishing is SSL bridge or tunneling?

                        ----- Original Message ----- 

                        From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>  

                        To: isalist@xxxxxxxxxxxxx 

                        Sent: Monday, January 29, 2007 10:40 AM

                        Subject: [isalist] Publishing in ISA2006

                         

                        When I upgraded ISA2004 to ISA2006, my published
webserver and Exchange server no longer worked.  

                         

                        Browsing to the website gave me this error:

                        Error Code: 403 Forbidden. The page must be
viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the
server administrator. (12241)

                         

                        Typing https:// into the URL allowed the traffic
to flow.

                         

                        The only way I could get it to work was to
enable the "Redirect authenticated traffic from HTTP to HTTPS" option in
the web listener.  This works because it redirects all web traffic to
HTTPS.  However, it doesn't work for all pages, we have a few pages that
have problems, and have had reports from some people that cannot access
the website at all.

                         

                        So, I need to get this working properly again.
I've deleted all of the publishing rules and the web listener several
times, recreating everything from scratch; it still gives me the same
error.  I've followed every tutorial I could find, it appears that I'm
doing it correctly.  There must be some little detail that I'm missing
with ISA2006.  Probably something obvious, but it is eluding me...

                         

                        Anyone have any ideas?

                All mail to and from this domain is GFI-scanned.

                All mail to and from this domain is GFI-scanned.

                All mail to and from this domain is GFI-scanned.

All mail to and from this domain is GFI-scanned.

Other related posts: