http://www.ISAserver.org ------------------------------------------------------- Was this an Exchange publishing scenario? Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://blogs.isaserver.org/shinder/ Book: http://tinyurl.com/3xqb7 MVP -- Microsoft Firewalls (ISA) > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison > Sent: Thursday, February 22, 2007 11:48 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: Publishing in ISA2006 > > http://www.ISAserver.org > ------------------------------------------------------- > > Ok - now I have to play with this. > What auth settings did you have at the FE server? > > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] > On Behalf Of Ball, Dan > Sent: Thursday, February 22, 2007 9:12 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: Publishing in ISA2006 > > Situation finally resolved, I just KNEW it had to be > something simple! > > > > It took a few days, but I finally got a test server online. Installed > ISA2006, verified it would publish the website properly, then imported > the other ISA server's backup. Had to do some minor tweaks > to adjust it > for a different computer, but got it running and was able to reproduce > the problem (w/o SurfControl or RainConnect). I then spent > quite awhile > purging out all the excess settings to finally get it down a > bare system > with one publishing rule exhibiting the same problem. > > > > I then tried to purge that rule down to the bare minimums, and the > problem disappeared! So, I went through each setting, one-by-one, and > finally found that if you set the Authentication Delegation tab to "No > delegation, but client may authenticate directly", you get the SSL > required response. I changed it to "No delegation, and client cannot > authenticate directly" on the live server, and everything started to > work again! > > > > I know for a fact that I have changed that setting numerous > times during > my testing, so how I didn't stumble across this fix before is > beyond me. > Both of the webservers I publish do support NTLM authentication, so by > the description of that setting you'd think you'd need to have it set. > This is definitely something to keep in mind for future > troubleshooting... > > > > To summarize, if you see this error (and SSL is not specified as a > requirement ANYWHERE): > > Error Code: 403 Forbidden. The page must be viewed over a > secure channel > (Secure Sockets Layer (SSL)). Contact the server > administrator. (12241) > > Check your Authentication Delegation settings! > > > > > > ________________________________ > > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] > On Behalf Of Ball, Dan > Sent: Tuesday, February 20, 2007 11:16 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: Publishing in ISA2006 > > > > Unfortunately, I ran out of time before I was able to do that. I did > attempt to test it, but "all" publishing wasn't working at that time, > and I had to get SurfControl back up and operational in a really short > span of time, so it wasn't completed. I also tried to put RainConnect > back on, but that gave me some serious errors and wouldn't > work at all, > and with the short amount of time I had to work with I ended > up removing > that and bringing the server up with only one ISP just to get it > operational. > > > > I just got off the phone with SurfControl, and they confirmed what I > suspected. That program will "block" SSL or non-SSL, but there is > nothing in the program that will "force" a connection to use > SSL, so we > can "almost" rule that out. Or, at least we can rule out a SC > configuration setting as the culprit. > > > > I have an aide setting up another test ISA server right now, and will > test a clean install (not using the ISA backup) to see if I can narrow > it down a bit more. > > > > ________________________________ > > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] > On Behalf Of Steve Moffat > Sent: Tuesday, February 20, 2007 10:44 AM > To: ISA Mailing List > Subject: [isalist] Re: Publishing in ISA2006 > > > > Did you try it before you added in rainconnect & surfcontrol..... > > > > S > > > > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] > On Behalf Of Ball, Dan > Sent: Tuesday, February 20, 2007 10:43 AM > To: ISA Mailing List > Subject: [isalist] Re: Publishing in ISA2006 > > > > Not that I can tell. It can block SSL or non-SSL > connections, but don't > see anyway to force it to be required. I'll contact > SurfControl and see > if they know of anything like that. > > > > ________________________________ > > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] > On Behalf Of Jim Harrison > Sent: Tuesday, February 20, 2007 9:12 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: Publishing in ISA2006 > > > > Unfortunately, there's no way for me to review the SC > settings - does it > have any way to enforce SSL? > > > > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] > On Behalf Of Ball, Dan > Sent: Tuesday, February 20, 2007 5:44 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: Publishing in ISA2006 > > > > Well, it appears that it might be a configuration issue. I did an > almost total rebuild yesterday; I exported the ISA settings, formatted > the drive, reinstalled ISA and SurfControl (left RainConnect out), and > got the same exact symptoms. I'm thinking I'm going to have > to rewrite > all my ISA settings from scratch now. > > > > ________________________________ > > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] > On Behalf Of Jim Harrison > Sent: Sunday, February 11, 2007 5:05 PM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: Publishing in ISA2006 > > > > I did and so far, the data doesn't line up. > > The capture clearly indicates that ISA is the one responding with the > "muse use SSL", but none of the configuration seems to require it. > > I tried your site today and I get a "302" redirect, but the > SSL listener > is apparently deaf. > > This too is a non-functional combination. > > I'll have to format the tracing and see what shakes out. We > may have to > repeat this process a time or two... > > > > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] > On Behalf Of Ball, Dan > Sent: Tuesday, February 06, 2007 11:18 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: Publishing in ISA2006 > > > > Were you able to make sense of the info I sent you? > > > > ________________________________ > > From: isalist-bounce@xxxxxxxxxxxxx > [mailto:isalist-bounce@xxxxxxxxxxxxx] > On Behalf Of Jim Harrison > Sent: Friday, February 02, 2007 11:12 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: Publishing in ISA2006 > > > > Get an ISABPAPack in repro mode and send me the results. > > You can get ISABPA from MS downloads. > > The instructions for running ISABPAPack in repro mode are part of the > package. > > > All mail to and from this domain is GFI-scanned. > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx