Ok - now I have to play with this.
What auth settings did you have at the FE server?

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Thursday, February 22, 2007 9:12 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

Situation finally resolved, I just KNEW it had to be something simple!

It took a few days, but I finally got a test server online. Installed ISA2006, verified it would publish the website properly, then imported the other ISA server's backup. Had to do some minor tweaks to adjust it for a different computer, but got it running and was able to reproduce the problem (w/o SurfControl or RainConnect). I then spent quite a while purging out all the excess settings to finally get it down to a bare system with one publishing rule exhibiting the same problem. I then tried to purge that rule down to the bare minimums, and the problem disappeared!

So, I went through each setting, one-by-one, and finally found that if you set the Authentication Delegation tab to "No delegation, but client may authenticate directly", you get the SSL required response. I changed it to "No delegation, and client cannot authenticate directly" on the live server, and everything started to work again!

I know for a fact that I have changed that setting numerous times during my testing, so how I didn't stumble across this fix before is beyond me. Both of the webservers I publish do support NTLM authentication, so by the description of that setting you'd think you'd need to have it set. This is definitely something to keep in mind for future troubleshooting...

To summarize, if you see this error (and SSL is not specified as a requirement ANYWHERE):

Error Code: 403 Forbidden. The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator.
(12241)

Check your Authentication Delegation settings!

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Tuesday, February 20, 2007 11:16 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

Unfortunately, I ran out of time before I was able to do that. I did attempt to test it, but "all" publishing wasn't working at that time, and I had to get SurfControl back up and operational in a really short span of time, so it wasn't completed. I also tried to put RainConnect back on, but that gave me some serious errors and wouldn't work at all, and with the short amount of time I had to work with I ended up removing that and bringing the server up with only one ISP just to get it operational.

I just got off the phone with SurfControl, and they confirmed what I suspected. That program will "block" SSL or non-SSL, but there is nothing in the program that will "force" a connection to use SSL, so we can "almost" rule that out. Or, at least we can rule out a SC configuration setting as the culprit.

I have an aide setting up another test ISA server right now, and will test a clean install (not using the ISA backup) to see if I can narrow it down a bit more.

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
Sent: Tuesday, February 20, 2007 10:44 AM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006

Did you try it before you added in rainconnect & surfcontrol.....

S

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Tuesday, February 20, 2007 10:43 AM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006

Not that I can tell. It can block SSL or non-SSL connections, but don't see any way to force it to be required. I'll contact SurfControl and see if they know of anything like that.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Tuesday, February 20, 2007 9:12 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

Unfortunately, there's no way for me to review the SC settings - does it have any way to enforce SSL?

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Tuesday, February 20, 2007 5:44 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

Well, it appears that it might be a configuration issue. I did an almost total rebuild yesterday; I exported the ISA settings, formatted the drive, reinstalled ISA and SurfControl (left RainConnect out), and got the same exact symptoms.

I'm thinking I'm going to have to rewrite all my ISA settings from scratch now.

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Sunday, February 11, 2007 5:05 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

I did and so far, the data doesn't line up.
The capture clearly indicates that ISA is the one responding with the "must use SSL", but none of the configuration seems to require it.
I tried your site today and I get a "302" redirect, but the SSL listener is apparently deaf. This too is a non-functional combination.

I'll have to format the tracing and see what shakes out. We may have to repeat this process a time or two...

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
Sent: Tuesday, February 06, 2007 11:18 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

Were you able to make sense of the info I sent you?
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Friday, February 02, 2007 11:12 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

Get an ISABPAPack in repro mode and send me the results.
You can get ISABPA from MS downloads.
The instructions for running ISABPAPack in repro mode are part of the package.