[isalist] Re: Publishing in ISA2006
- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Feb 2007 09:23:00 -0800
If your ISA continues to regurgitate "must use SSL", then it's
definitely required *somewhere*.
Get simultaneous captures during your HTTP connection test and I'll tell
you for certain who is responding this way.
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Thursday, February 01, 2007 6:51 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
Done that a dozen times, and use both of those same websites constantly
throughout the day from the Intranet. SSL is definitely NOT required at
the IIS end...
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Gerald G. Young
Sent: Thursday, February 01, 2007 8:44 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
I'm beginning to think the same thing.
You might want to check the website on the web server in which it
resides and make sure that either that web server or website is not
requiring that users use SSL to access the content.
Cordially yours,
Jerry G. Young II
Application Engineer, Platform Engineering and Architecture
NTT America, an NTT Communications Company
22451 Shaw Rd.
Sterling, VA 20166
Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Wednesday, January 31, 2007 9:11 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
The internal application must be requring SSL then if the Web Publishing
isnt' and the Web listener isn't configured to require SSL.
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Wednesday, January 31, 2007 8:01 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
You are correct, that is not what I want. But, whenever I
disable the redirect users get a 403 forbidden error.
I'd be happy to disable all SSL on the listener, but for some
reason it won't work without it.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Wednesday, January 31, 2007 6:20 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
You can't have it both ways - either you want SSL publishing or
you don't.
If you configure the rule to "redirect HTTP to HTTPS", then you
force the users to connect using HTTPS, which you say you don't want.
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Wednesday, January 31, 2007 11:39 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
Please excuse my poor description; it is a difficult problem to
describe.
To summarize, I do NOT want to redirect ANY traffic on this rule
to HTTPS, but have "had" to do that because it won't work without it. I
wasn't ignoring your clues; they were just describing what I already had
done as a "patch" to get it working.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Wednesday, January 31, 2007 12:41 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
Clues have been provided and ignored.
If you want ISA to redirect HTTP to HTTPS, then you have three
choices:
1. Configure this at the listener - of course, you have to
allow HTTP at the listener for this to work and this only works for ISA
2006
2. Create a "deny" rule that uses a redirect URL for any
HTTP connections - of course, this means you have to allow HTTP at the
related listener
3. Use a custom "redirector" such as ISA_Redirects.zip or
other
If all you do is configure the publishing rule to "notify HTTP
users to use HTTPS instead", you get the behavior you've been describing
all along and is indicated in the logs.
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Wednesday, January 31, 2007 9:12 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
I'm publishing two separate webservers right now and they are
both having the same problem, and both are reachable from the Intranet
with no SSL required.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Wednesday, January 31, 2007 8:59 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
- You may create another test webserver
- Use your exising publishing rule to publish that new test site
I am still wondering the configuration at your web server side.
----- Original Message -----
From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Wednesday, January 31, 2007 8:57 PM
Subject: [isalist] Re: Publishing in ISA2006
Okay, I worked on it for quite awhile, cleaned up rules
and removed defined protocols that weren't in use anymore, and still get
the error... I was able to possibly identify the cause of the previous
log though, and bring it down to three log entries that occur every time
I attempt to access the website when the redirect to HTTPS is disabled.
Original Client IP Client Agent
Authenticated Client Service Server Name Referring Server
Destination Host Name Transport MIME Type Object
Source Source Proxy Destination Proxy Bidirectional
Client Host Name Filter Information Network Interface
Raw IP Header Raw Payload GMT Log Time Source Port
Processing Time Bytes Sent Bytes Received Result Code
HTTP Status Code Cache Information Error Information
Log Record Type Authentication Server Log Time
Destination IP Destination Port Protocol Action
Rule Client IP Client Username Source Network
Destination Network HTTP Method URL
0.0.0.0 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT
6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; MAPSIE; InfoPath.2;
MAPSIE) Yes Reverse Proxy GATEWAY
www.mapsnet.org TCP - -
- Req ID: 13fae90a - - -
1/31/2007 3:18:58 AM 0 1 2293 392
12241 The page must be viewed over a secure channel (Secure Sockets
Layer (SSL)). Contact the server administrator. 0x0 0x0
Web Proxy Filter 1/30/2007 10:18:58 PM
24.213.58.250 80 http Failed Connection Attempt
Web Server 75.128.225.6 anonymous External
GET http://www.mapsnet.org/
75.128.225.6
GATEWAY - TCP -
- 1/31/2007 3:18:58 AM
51603 12000 644 2505 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN
0x0 0x0 Firewall - 1/30/2007 10:18:58 PM
24.213.58.250 80 HTTP Closed Connection
75.128.225.6 External Local Host -
-
75.128.225.6
GATEWAY - TCP -
- 1/31/2007 3:18:58 AM
51604 0 0 0 0x0 ERROR_SUCCESS
0x0 0x0 Firewall - 1/30/2007 10:18:58 PM
24.213.58.250 80 HTTP Initiated Connection
75.128.225.6 External Local Host -
-
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Tuesday, January 30, 2007 1:20 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
No, that's the whole point; it's not supposed to
authenticate incoming connections! *grin*
Reviewing the logs further, I'm starting to get even
more confused... The "SERVERNAME" portion refers to my PDC, but the IP
associated with it in each request changes from my ISA server to the
webserver. Initially, I was looking at the webserver as a possible
culprit, but the more I look at it I'm starting to look at the ISA
server instead.
I'll test it some more tonight if I can, disabling a
couple of suspect rules (and SurfControl) as a test to see if they might
be the culprit.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
Sent: Tuesday, January 30, 2007 1:05 PM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006
You are authenticating incoming clients??
Against what?
S
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Tuesday, January 30, 2007 11:15 AM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006
Okay, now we're getting somewhere... I didn't see
anything sticking out, so I started looking for other events around the
same timeframe. I ran across several WEBDAV entries that repeated
themselves about the same timeframe, AND they contained the same text I
saw in IE...
Original Client IP Client Agent
Authenticated Client Service Server Name Referring Server
Destination Host Name Transport MIME Type Object
Source Source Proxy Destination Proxy Bidirectional
Client Host Name Filter Information Network Interface
Raw IP Header Raw Payload GMT Log Time Source Port
Processing Time Bytes Sent Bytes Received Result Code
HTTP Status Code Cache Information Error Information
Log Record Type Authentication Server Log Time
Destination IP Destination Port Protocol Action
Rule Client IP Client Username Source Network
Destination Network HTTP Method URL
0.0.0.0 Microsoft-WebDAV-MiniRedir/6.0.6000
Reverse Proxy GATEWAY - SERVERNAME TCP -
Req ID: 13da6168 1/29/2007
2:33:07 AM 0 1 141 146
12241 The page must be viewed over a secure channel (Secure Sockets
Layer (SSL)). Contact the server administrator. 0x0
0x0 Web Proxy Filter - 1/28/2007 9:33:07 PM
24.213.58.250 80 http Failed Connection Attempt
Web Server 75.128.225.6 anonymous External
- OPTIONS http://SERVERNAME/
0.0.0.0 Microsoft-WebDAV-MiniRedir/6.0.6000
Reverse Proxy GATEWAY - servername TCP -
Internet Req ID:
13da616a 1/29/2007 2:33:07
AM 0 16 430 146 200
0x40020000 0xc00 Web Proxy Filter -
1/28/2007 9:33:07 PM 10.20.1.4 80 https
Allowed Connection Web Server 75.128.225.6 anonymous
External - OPTIONS http://servername/
0.0.0.0 Microsoft-WebDAV-MiniRedir/6.0.6000
Reverse Proxy GATEWAY - SERVERNAME TCP -
Req ID: 13da616c 1/29/2007
2:33:07 AM 0 1 152 168
12241 The page must be viewed over a secure channel (Secure Sockets
Layer (SSL)). Contact the server administrator. 0x0
0x0 Web Proxy Filter - 1/28/2007 9:33:07 PM
24.213.58.250 80 http Failed Connection Attempt
Web Server 75.128.225.6 anonymous External
- PROPFIND http://SERVERNAME/Hiddenshare$
<http://technology/Technology$>
Looks like there is a request to my PDC every time, and
it is being blocked because it is an anonymous outbound connection on
port 80. That explains why I'm getting the errors, now to figure out
why it is doing that.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
Sent: Tuesday, January 30, 2007 8:09 AM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006
What do the ISA logs say??
S
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Tuesday, January 30, 2007 9:00 AM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006
Webserver is on internal network; no SSL required at the
webserver itself (Just tested it again to make sure).
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Tuesday, January 30, 2007 12:40 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
The website you published is SSL required, so
- when you publish through HTTP connection, access is
denied
- when you redirect to HTTPs by ISA, it works.
Then, you may need to check any changing at your
published web server but
not ISA.
----- Original Message -----
From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Tuesday, January 30, 2007 1:13 PM
Subject: [isalist] Re: Publishing in ISA2006
Here is the scenario:
- I remove all publishing rules and web
listeners, so I can start over.
- I go through the wizard to publish a single
webserver. I take all the defaults, saying no SSL is required.
- When it gets to the part about a web listener,
I create a new one, taking the default settings and specifying no SSL or
authentication is required.
- The rule is done; I apply the changes, and
test it. I get a 403 error.
- I edit the listener to redirect traffic to
HTTPS, and it works.
There must be something simple I missed...
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Monday, January 29, 2007 11:48 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
The rule works with the related listener.
You cannot evaluate one without including the
other - period.
The listener; not the rule is what determines if
HTTP/HTTPS redirection is possible.
If the listener doesn't accept HTTP, then it
can't redirect it to HTTPS.
You're not trying to publish a stealth service,
are you?
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Monday, January 29, 2007 10:51 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
Not Exchange traffic, but the main web server.
They both use the same listener, so it makes it difficult to modify one
but not the other. Once I got the webserver working, I was planning on
taking Tom's suggestion that he had awhile back and using a redirect
page to redirect OWA calls to an alternate port/listener.
In any case, in this particular instance I'm
referring to normal web traffic that I want in plain-text. Correct me
if I'm wrong, but I was under the assumption that if the publishing rule
was not working "non-SSL", then both the "authenticated traffic" and
"all traffic" options would behave the same way. I.e., they would both
return an error if the client wasn't capable of the connection.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Monday, January 29, 2007 11:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
You never had ISA 2004 doing the redirects
without custom code.
It did not have this option.
Let's get this straight - you want to publish
plain-text Exchange web traffic?!?
Also; "Redirect authenticated traffic from HTTP
to HTTPS" option in the web listener. This works because it redirects
all web traffic to HTTPS" is incorrect; that setting only redirects
traffic which has already been authenticated - probably why only some
requests are working. Change it to redirect "ALL" requests.
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Monday, January 29, 2007 8:04 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
Nope, same server, and ISA_Redirects have never
been used on that server. I used to publish the website without
requiring SSL, now that is the only way I can get it to work. In fact,
I used the "connections" tab in the listener to force everything over to
HTTPS, just to get it working. I just can't figure out how to get it
publish "without" SSL, as there seem to be some browsers that have a
problem with that method. While I'd like to tell them to fix their own
system and get over it, that won't fly with a "public" website.
Where can I start looking for clues on this
problem?
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Monday, January 29, 2007 9:29 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
That error response can only be obtained when
web publishing.
IIS response is quite different.
You probably were using the ISA_Redirects tool
or something similar and forgot to move it to the new server.
The good news is that in ISA 2006, such custom
mechanisms aren't required.
In the listener "Connections" tab, you can opt
to redirect anonymous or authenticated HTTP connections to HTTPS.
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Monday, January 29, 2007 1:18 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
Original publishing is SSL bridge or tunneling?
----- Original Message -----
From: Ball, Dan
<mailto:DBall@xxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Monday, January 29, 2007 10:40 AM
Subject: [isalist] Publishing in ISA2006
When I upgraded ISA2004 to ISA2006, my
published webserver and Exchange server no longer worked.
Browsing to the website gave me this
error:
Error Code: 403 Forbidden. The page must
be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact
the server administrator. (12241)
Typing https:// into the URL allowed the
traffic to flow.
The only way I could get it to work was
to enable the "Redirect authenticated traffic from HTTP to HTTPS" option
in the web listener. This works because it redirects all web traffic to
HTTPS. However, it doesn't work for all pages, we have a few pages that
have problems, and have had reports from some people that cannot access
the website at all.
So, I need to get this working properly
again. I've deleted all of the publishing rules and the web listener
several times, recreating everything from scratch; it still gives me the
same error. I've followed every tutorial I could find, it appears that
I'm doing it correctly. There must be some little detail that I'm
missing with ISA2006. Probably something obvious, but it is eluding
me...
Anyone have any ideas?
All mail to and from this domain is GFI-scanned.
All mail to and from this domain is GFI-scanned.
All mail to and from this domain is GFI-scanned.
All mail to and from this domain is GFI-scanned.
All mail to and from this domain is GFI-scanned.
Other related posts:
