[isalist] Re: Publishing in ISA2006
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Thu, 22 Feb 2007 15:18:20 -0600
http://www.ISAserver.org
-------------------------------------------------------
That is to say, you should be using SSL to SSL bridging with basic
delegation.
You don't want to use NTLM for remote access connections.
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
> Sent: Thursday, February 22, 2007 2:29 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
>
> Okay, now I'm really confused.
>
> I set up the test server again and using the standard edge template
> created a whole new setup from scratch. If I publish a webserver, it
> works at first glance. However, whenever I go to a page that requires
> NTLM authentication I get a 403 error message but no login box.
>
> If I change the Authentication delegation to "No delegation, but client
> may authenticate directly", I get the original error about requiring
> SSL.
>
> If I then use the redirect to SSL in the web listener, everything works,
> but then EVERYTHING is redirected to SSL. (This is the way I've had our
> site running for about two months now.)
>
> This makes it a bit difficult to use, in that NTLM authentication is
> what is required to log into Exchange (in non-FBA mode) and our
> webserver, which supports AD integration. This was working with
> ISA2004, but not with ISA2006.
>
> However, I'm not 100% certain it was working upon the initial "clean"
> installation of ISA2006. Since I didn't know exactly what to look for,
> I just got the website publishing rule set up to browse the anonymous
> portion of our website and assumed it was working. I'm not entirely
> sure that using the templates (or doing a backup restore) overwrites
> "everything" in the ISA server, so only another clean install would
> prove that.
>
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Ball, Dan
> Sent: Thursday, February 22, 2007 1:55 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
>
> It was affecting both Web and OWA publishing. I was working
> specifically with the web publishing rule over the last few days.
>
> I spoke too soon on it being fixed though. I was just looking at it
> again and it appears that with that setting it will not prompt a user
> for a domain login on either our webserver or our Exchange server. OWA
> is now disabled, with a 403 forbidden error 12202, no login box appears.
>
> As for auth settings at the FE server, we only have one ISA and one
> Exchange, none of which are set up for requiring SSL (or any
> authentication) right now. Not sure exactly what settings you are
> referring to.
>
> I put the test server back on the shelf, but can fire that one up again
> and do more testing. If you want, I can send you a backup export which
> you can use for testing. I made several backups during the testing, and
> the last one I did was a bare-bones system with one web publishing rule,
> and no confidential or permissions settings exported.
>
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Thursday, February 22, 2007 1:06 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
>
> Was this an Exchange publishing scenario?
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
>
>
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Thursday, February 22, 2007 11:48 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> > Ok - now I have to play with this.
> > What auth settings did you have at the FE server?
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Ball, Dan
> > Sent: Thursday, February 22, 2007 9:12 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> > Situation finally resolved, I just KNEW it had to be something simple!
> >
> > It took a few days, but I finally got a test server online. Installed
> > ISA2006, verified it would publish the website properly, then imported
> > the other ISA server's backup. Had to do some minor tweaks to adjust it
> > for a different computer, but got it running and was able to reproduce
> > the problem (w/o SurfControl or RainConnect). I then spent quite a while
> > purging out all the excess settings to finally get it down to a bare
> > system with one publishing rule exhibiting the same problem.
> >
> > I then tried to purge that rule down to the bare minimums, and the
> > problem disappeared! So, I went through each setting, one-by-one, and
> > finally found that if you set the Authentication Delegation tab to "No
> > delegation, but client may authenticate directly", you get the SSL
> > required response. I changed it to "No delegation, and client cannot
> > authenticate directly" on the live server, and everything started to
> > work again!
> >
> > I know for a fact that I have changed that setting numerous times during
> > my testing, so how I didn't stumble across this fix before is beyond me.
> > Both of the webservers I publish do support NTLM authentication, so by
> > the description of that setting you'd think you'd need to have it set.
> > This is definitely something to keep in mind for future
> > troubleshooting...
> >
> > To summarize, if you see this error (and SSL is not specified as a
> > requirement ANYWHERE):
> >
> > Error Code: 403 Forbidden. The page must be viewed over a secure channel
> > (Secure Sockets Layer (SSL)). Contact the server administrator. (12241)
> >
> > Check your Authentication Delegation settings!
> >
> >
> >
> >
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Ball, Dan
> > Sent: Tuesday, February 20, 2007 11:16 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> >
> >
> > Unfortunately, I ran out of time before I was able to do that. I did
> > attempt to test it, but "all" publishing wasn't working at that time,
> > and I had to get SurfControl back up and operational in a really short
> > span of time, so it wasn't completed. I also tried to put RainConnect
> > back on, but that gave me some serious errors and wouldn't work at all,
> > and with the short amount of time I had to work with I ended up removing
> > that and bringing the server up with only one ISP just to get it
> > operational.
> >
> > I just got off the phone with SurfControl, and they confirmed what I
> > suspected. That program will "block" SSL or non-SSL, but there is
> > nothing in the program that will "force" a connection to use SSL, so we
> > can "almost" rule that out. Or, at least we can rule out a SC
> > configuration setting as the culprit.
> >
> > I have an aide setting up another test ISA server right now, and will
> > test a clean install (not using the ISA backup) to see if I can narrow
> > it down a bit more.
> >
> >
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Steve Moffat
> > Sent: Tuesday, February 20, 2007 10:44 AM
> > To: ISA Mailing List
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> >
> >
> > Did you try it before you added in rainconnect & surfcontrol.....
> >
> >
> >
> > S
> >
> >
> >
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Ball, Dan
> > Sent: Tuesday, February 20, 2007 10:43 AM
> > To: ISA Mailing List
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> >
> >
> > Not that I can tell. It can block SSL or non-SSL connections, but I don't
> > see any way to force it to be required. I'll contact SurfControl and see
> > if they know of anything like that.
> >
> >
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jim Harrison
> > Sent: Tuesday, February 20, 2007 9:12 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> >
> >
> > Unfortunately, there's no way for me to review the SC settings - does it
> > have any way to enforce SSL?
> >
> >
> >
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Ball, Dan
> > Sent: Tuesday, February 20, 2007 5:44 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> >
> >
> > Well, it appears that it might be a configuration issue. I did an
> > almost total rebuild yesterday; I exported the ISA settings, formatted
> > the drive, reinstalled ISA and SurfControl (left RainConnect out), and
> > got the same exact symptoms. I'm thinking I'm going to have to rewrite
> > all my ISA settings from scratch now.
> >
> >
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jim Harrison
> > Sent: Sunday, February 11, 2007 5:05 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> >
> >
> > I did and so far, the data doesn't line up.
> >
> > The capture clearly indicates that ISA is the one responding with the
> > "must use SSL", but none of the configuration seems to require it.
> >
> > I tried your site today and I get a "302" redirect, but the SSL listener
> > is apparently deaf.
> >
> > This too is a non-functional combination.
> >
> > I'll have to format the tracing and see what shakes out. We may have to
> > repeat this process a time or two...
> >
> >
> >
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Ball, Dan
> > Sent: Tuesday, February 06, 2007 11:18 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> >
> >
> > Were you able to make sense of the info I sent you?
> >
> >
> >
> > ________________________________
> >
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jim Harrison
> > Sent: Friday, February 02, 2007 11:12 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> >
> >
> > Get an ISABPAPack in repro mode and send me the results.
> >
> > You can get ISABPA from MS downloads.
> >
> > The instructions for running ISABPAPack in repro mode are part of the
> > package.
> >
> >
> > All mail to and from this domain is GFI-scanned.
> >
> > ------------------------------------------------------
> > List Archives: http://www.freelists.org/archives/isalist/
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server Articles and Tutorials:
> > http://www.isaserver.org/articles_tutorials/
> > ISA Server Blogs: http://blogs.isaserver.org/
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > Report abuse to listadmin@xxxxxxxxxxxxx