[isalist] Re: Publishing in ISA2006

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 22 Feb 2007 09:48:06 -0800

Ok - now I have to play with this.
What auth settings did you have at the FE server?

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Thursday, February 22, 2007 9:12 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

Situation finally resolved, I just KNEW it had to be something simple!

It took a few days, but I finally got a test server online.  Installed
ISA2006, verified it would publish the website properly, then imported
the other ISA server's backup.  Had to do some minor tweaks to adjust it
for a different computer, but got it running and was able to reproduce
the problem (w/o SurfControl or RainConnect).  I then spent quite a while
purging out all the excess settings to finally get it down to a bare system
with one publishing rule exhibiting the same problem.

I then tried to purge that rule down to the bare minimums, and the
problem disappeared!  So, I went through each setting, one-by-one, and
finally found that if you set the Authentication Delegation tab to "No
delegation, but client may authenticate directly", you get the SSL
required response.  I changed it to "No delegation, and client cannot
authenticate directly" on the live server, and everything started to
work again!

I know for a fact that I have changed that setting numerous times during
my testing, so how I didn't stumble across this fix before is beyond me.
Both of the webservers I publish do support NTLM authentication, so by
the description of that setting you'd think you'd need to have it set.
This is definitely something to keep in mind for future
troubleshooting...

To summarize, if you see this error (and SSL is not specified as a
requirement ANYWHERE):

Error Code: 403 Forbidden. The page must be viewed over a secure channel
(Secure Sockets Layer (SSL)). Contact the server administrator. (12241)

Check your Authentication Delegation settings!

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Tuesday, February 20, 2007 11:16 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

Unfortunately, I ran out of time before I was able to do that.  I did
attempt to test it, but "all" publishing wasn't working at that time,
and I had to get SurfControl back up and operational in a really short
span of time, so it wasn't completed.  I also tried to put RainConnect
back on, but that gave me some serious errors and wouldn't work at all,
and with the short amount of time I had to work with I ended up removing
that and bringing the server up with only one ISP just to get it
operational.

I just got off the phone with SurfControl, and they confirmed what I
suspected.  That program will "block" SSL or non-SSL, but there is
nothing in the program that will "force" a connection to use SSL, so we
can "almost" rule that out.  Or, at least we can rule out a SC
configuration setting as the culprit.

I have an aide setting up another test ISA server right now, and will
test a clean install (not using the ISA backup) to see if I can narrow
it down a bit more.

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: Tuesday, February 20, 2007 10:44 AM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006

Did you try it before you added in RainConnect & SurfControl?

S

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Tuesday, February 20, 2007 10:43 AM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006

Not that I can tell.  It can block SSL or non-SSL connections, but don't
see any way to force it to be required.  I'll contact SurfControl and see
if they know of anything like that.

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Tuesday, February 20, 2007 9:12 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

Unfortunately, there's no way for me to review the SC settings - does it
have any way to enforce SSL?

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Tuesday, February 20, 2007 5:44 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

Well, it appears that it might be a configuration issue.  I did an
almost total rebuild yesterday; I exported the ISA settings, formatted
the drive, reinstalled ISA and SurfControl (left RainConnect out), and
got the same exact symptoms.  I'm thinking I'm going to have to rewrite
all my ISA settings from scratch now.

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Sunday, February 11, 2007 5:05 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

I did and so far, the data doesn't line up.

The capture clearly indicates that ISA is the one responding with the
"must use SSL", but none of the configuration seems to require it.

I tried your site today and I get a "302" redirect, but the SSL listener
is apparently deaf.

This too is a non-functional combination.

I'll have to format the tracing and see what shakes out.  We may have to
repeat this process a time or two...

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Tuesday, February 06, 2007 11:18 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

Were you able to make sense of the info I sent you?

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Friday, February 02, 2007 11:12 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

Get an ISABPAPack in repro mode and send me the results.

You can get ISABPA from MS downloads.

The instructions for running ISABPAPack in repro mode are part of the
package.

