[isalist] Re: Publishing in ISA2006

Yes, your repost does sound almost exactly like the issue I'm seeing
here.  Searching on that information, I found the original forum post
you were quoting at 
http://forums.isaserver.org/ISA_Appends_port_:0_when_redirecting_to_http
s_-_breaks_in_firefox/m_2002030622/tm.htm, and there is doesn't sound as
similar...

 

But, KB 927265 does sound like a good candidate for investigation.  

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Gerald G. Young
Sent: Thursday, February 01, 2007 9:03 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

 

Then again,

 

Maybe not.

 

Found this... not sure if you've already been down this road or not but
the symptoms do fit what you have below, although the situation does
not.

Looking in the logs I see the client connecting to ISA but not getting
redirected to a web server in the farm. ISA sees them trying on port 80,
says there was a failed connection attempt, and gives me an http status
code of 12241. I can't find the definition of that status code
anywhere."

After some research, Calvin found this answer:

"I finally got this fixed. Turns out it is related to a bug in the Link
Translation module. I'm not 100% sure how that plays in since I am
actually using the redirection option but it must use something from
link translation to redirect the user. There is a hotfix #927265 that
fixes the problem. If anyone else is seeing this though, that hotfix is
not released publicly yet so you have to contact Microsoft support to
get the download. 

Cordially yours,

Jerry G. Young II

Application Engineer, Platform Engineering and Architecture

NTT America, an NTT Communications Company

 

22451 Shaw Rd.

Sterling, VA 20166

 

Office: 571-434-1319

Fax: 703-333-6749

Email: g.young@xxxxxxxx

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Gerald G. Young
Sent: Thursday, February 01, 2007 8:48 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

 

Dan,

 

Check the web server/site configuration (in IIS if a Windows box).  It
does sound like the SSL requirement is set there.

 

"The page must be viewed over a secure channel (Secure Sockets Layer
(SSL))"

 

I also see the first line of the log below saying that the attempt to
connect over 80 failed but it went through ISA just fine.

 

Cordially yours,

Jerry G. Young II

Application Engineer, Platform Engineering and Architecture

NTT America, an NTT Communications Company

 

22451 Shaw Rd.

Sterling, VA 20166

 

Office: 571-434-1319

Fax: 703-333-6749

Email: g.young@xxxxxxxx

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Thursday, February 01, 2007 8:32 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

 

Okay, so it is rule-based, that narrows down the troubleshooting
significantly...

 

When I ditch the "must use HTTPS" option in the listener (I cannot do it
in the rule), I get this these three log entries when trying to access
the website:

HTTP Status Code

Cache Information

Error Information

Log Record Type

Authentication Server

Log Time

Destination IP

Destination Port

Protocol

Action

Rule

Client IP

Client Username

Source Network

Destination Network

HTTP Method

URL

12241 The page must be viewed over a secure channel (Secure Sockets
Layer (SSL)). Contact the server administrator. 

0x0

0x0

Web Proxy Filter

 

1/30/2007 10:18:58 PM

24.213.58.250

80

http

Failed Connection Attempt

Web Server

75.128.225.6

anonymous

External

 

GET

http://www.mapsnet.org/

 

0x0

0x0

Firewall

-

1/30/2007 10:18:58 PM

24.213.58.250

80

HTTP

Closed Connection

 

75.128.225.6

 

External

Local Host

-

-

 

0x0

0x0

Firewall

-

1/30/2007 10:18:58 PM

24.213.58.250

80

HTTP

Initiated Connection

 

75.128.225.6

 

External

Local Host

-

-

 

 

And when I say I cannot disable the option in the rule, this is why:

 

 

I've recreated this rule many times, and the web publishing wizard
always grays out the options that seem to be relevant...

 

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Thursday, February 01, 2007 12:32 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

 

The rule, not the website is returning that result.

12211 is an ISA; not an IIS response code.

You get this in your ISA logs because your rule is configured this way.

Your rule reacts this way because you told it to.

 

Users get a 403 because their request doesn't match ISA policy
requirements.

Ditch the "must use HTTPS" option in the rule and troubleshoot the
rule-based denial.

 

All mail to and from this domain is GFI-scanned.

JPEG image

Other related posts: