[isalist] Re: Publishing in ISA2006

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 22 Feb 2007 12:06:11 -0600

http://www.ISAserver.org
-------------------------------------------------------

Was this an Exchange publishing scenario?

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Thursday, February 22, 2007 11:48 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
> 
>   
> Ok - now I have to play with this.
> What auth settings did you have at the FE server?
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Ball, Dan
> Sent: Thursday, February 22, 2007 9:12 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
> 
> Situation finally resolved, I just KNEW it had to be something simple!
> 
>  
> 
> It took a few days, but I finally got a test server online.  Installed
> ISA2006, verified it would publish the website properly, then imported
> the other ISA server's backup.  Had to do some minor tweaks to adjust it
> for a different computer, but got it running and was able to reproduce
> the problem (w/o SurfControl or RainConnect).  I then spent quite a while
> purging out all the excess settings to finally get it down to a bare
> system with one publishing rule exhibiting the same problem.
> 
>  
> 
> I then tried to purge that rule down to the bare minimums, and the
> problem disappeared!  So, I went through each setting, one-by-one, and
> finally found that if you set the Authentication Delegation tab to "No
> delegation, but client may authenticate directly", you get the SSL
> required response.  I changed it to "No delegation, and client cannot
> authenticate directly" on the live server, and everything started to
> work again!  
> 
>  
> 
> I know for a fact that I have changed that setting numerous times during
> my testing, so how I didn't stumble across this fix before is beyond me.
> Both of the webservers I publish do support NTLM authentication, so by
> the description of that setting you'd think you'd need to have it set.
> This is definitely something to keep in mind for future
> troubleshooting...
> 
>  
> 
> To summarize, if you see this error (and SSL is not specified as a
> requirement ANYWHERE):
> 
> Error Code: 403 Forbidden. The page must be viewed over a secure channel
> (Secure Sockets Layer (SSL)). Contact the server administrator. (12241)
> 
> Check your Authentication Delegation settings!
> 
>  
> 
>  
> 
> ________________________________
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Ball, Dan
> Sent: Tuesday, February 20, 2007 11:16 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
> 
>  
> 
> Unfortunately, I ran out of time before I was able to do that.  I did
> attempt to test it, but "all" publishing wasn't working at that time,
> and I had to get SurfControl back up and operational in a really short
> span of time, so it wasn't completed.  I also tried to put RainConnect
> back on, but that gave me some serious errors and wouldn't work at all,
> and with the short amount of time I had to work with I ended up removing
> that and bringing the server up with only one ISP just to get it
> operational.
> 
>  
> 
> I just got off the phone with SurfControl, and they confirmed what I
> suspected.  That program will "block" SSL or non-SSL, but there is
> nothing in the program that will "force" a connection to use SSL, so we
> can "almost" rule that out.  Or, at least we can rule out a SC
> configuration setting as the culprit.
> 
>  
> 
> I have an aide setting up another test ISA server right now, and will
> test a clean install (not using the ISA backup) to see if I can narrow
> it down a bit more.  
> 
>  
> 
> ________________________________
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Steve Moffat
> Sent: Tuesday, February 20, 2007 10:44 AM
> To: ISA Mailing List
> Subject: [isalist] Re: Publishing in ISA2006
> 
>  
> 
> Did you try it before you added in rainconnect & surfcontrol.....
> 
>  
> 
> S
> 
>  
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Ball, Dan
> Sent: Tuesday, February 20, 2007 10:43 AM
> To: ISA Mailing List
> Subject: [isalist] Re: Publishing in ISA2006
> 
>  
> 
> Not that I can tell.  It can block SSL or non-SSL connections, but don't
> see any way to force it to be required.  I'll contact SurfControl and see
> if they know of anything like that.
> 
>  
> 
> ________________________________
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Tuesday, February 20, 2007 9:12 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
> 
>  
> 
> Unfortunately, there's no way for me to review the SC settings - does it
> have any way to enforce SSL?
> 
>  
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Ball, Dan
> Sent: Tuesday, February 20, 2007 5:44 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
> 
>  
> 
> Well, it appears that it might be a configuration issue.  I did an
> almost total rebuild yesterday; I exported the ISA settings, formatted
> the drive, reinstalled ISA and SurfControl (left RainConnect out), and
> got the same exact symptoms.  I'm thinking I'm going to have to rewrite
> all my ISA settings from scratch now.
> 
>  
> 
> ________________________________
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Sunday, February 11, 2007 5:05 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
> 
>  
> 
> I did and so far, the data doesn't line up.
> 
> The capture clearly indicates that ISA is the one responding with the
> "must use SSL", but none of the configuration seems to require it.
> 
> I tried your site today and I get a "302" redirect, but the SSL listener
> is apparently deaf.
> 
> This too is a non-functional combination.
> 
> I'll have to format the tracing and see what shakes out.  We may have to
> repeat this process a time or two...
> 
>  
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Ball, Dan
> Sent: Tuesday, February 06, 2007 11:18 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
> 
>  
> 
> Were you able to make sense of the info I sent you?
> 
>  
> 
> ________________________________
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Friday, February 02, 2007 11:12 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
> 
>  
> 
> Get an ISABPAPack in repro mode and send me the results.
> 
> You can get ISABPA from MS downloads.
> 
> The instructions for running ISABPAPack in repro mode are part of the
> package.
> 
> 
> All mail to and from this domain is GFI-scanned.
> 
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/  
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
> ISA Server Articles and Tutorials: 
> http://www.isaserver.org/articles_tutorials/ 
> ISA Server Blogs: http://blogs.isaserver.org/ 
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com 
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
> Report abuse to listadmin@xxxxxxxxxxxxx 
> 
> 
> 