[isalist] Re: Publishing in ISA2006

http://www.ISAserver.org
-------------------------------------------------------

First thing I would do is create two Web listeners -- one for SSL and
one for HTTP with SSL. Then use the SSL listener for those connections
requiring authetication and the HTTP listener for those connections not
requiring authentication.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
> Sent: Thursday, February 22, 2007 8:03 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
> 
> http://www.ISAserver.org
> -------------------------------------------------------
>   
> Okay, that makes sense, but how do you do it?  I've been going through
> tutorials and help menus for hours now trying to figure out how to get
> this working.  My scenario is a bit different than others, 
> and I haven't
> found a tutorial that seems to cover what I need.
> 
> Here's my situation:
> 
> Server 1:  Main website, we need anonymous browsing abilities for the
> general public, so we need basic, unauthenticated publishing.  To
> confuse the issue however, if an employee wants to log into 
> the website,
> they need to authenticate to the AD.
> 
> Server 2:  Combination of web-based calendar and Exchange 
> OWA.  One part
> of it is OWA which requires authentication against the AD, 
> and the other
> part of it is forms-based authentication.
> 
> So, basically, I have two websites that have the same need, they both
> have to have a portion available for anonymous browsing, and a portion
> that uses AD authentication.  Since they both use port 80 and 
> 433, they
> have to use the same listener.  This worked great on ISA2004, but I
> haven't figured out how to get it working in ISA2006 yet.  
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Thursday, February 22, 2007 4:18 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
> 
> http://www.ISAserver.org
> -------------------------------------------------------
>   
> That is to say, you should be using SSL to SSL bridging with basic
> delegation.
> 
> You don't want to use NTLM for remote access connections.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
>  
> 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx 
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
> > Sent: Thursday, February 22, 2007 2:29 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Publishing in ISA2006
> > 
> > http://www.ISAserver.org
> > -------------------------------------------------------
> >   
> > Okay, now I'm really confused.
> > 
> > I setup the test server again and using the standard edge template
> > created a whole new setup from scratch.  If I publish a 
> webserver, it
> > works at first glance.  However, whenever I go to a page 
> that require
> > NTLM authentication I get the error message a 403 error but no login
> > box.  
> > 
> > If I change the Authentication delegation to "No delegation, 
> > but client
> > may authenticate directly", I get the original error about requiring
> > SSL.
> > 
> > If I then use the redirect to SSL in the web listener, 
> > everything works,
> > but then EVERYTHING is redirected to SSL.  (This is the way 
> > I've had our
> > site running for about two months now.)
> > 
> > This makes it a bit difficult to use, in that NTLM authentication is
> > what is required to log into Exchange (in non-FBA mode) and our
> > webserver, which supports AD integration.  This was working with
> > ISA2004, but not with ISA2006.
> > 
> > However, I'm not 100% certain it was working upon the 
> initial "clean"
> > installation of ISA2006.  Since I didn't know exactly what to 
> > look for,
> > I just got the website publishing rule setup to browse the anonymous
> > portion of our website and assumed it was working.  I'm not entirely
> > sure that using the templates (or doing a backup restore) overwrites
> > "everything" in the ISA server, so only another clean install would
> > prove that.
> > 
> > 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx 
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Ball, Dan
> > Sent: Thursday, February 22, 2007 1:55 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Publishing in ISA2006
> > 
> > http://www.ISAserver.org
> > -------------------------------------------------------
> >   
> > It was affecting both Web and OWA publishing.  I was working
> > specifically with the web publishing rule over the last few days.
> > 
> > I spoke too soon on it being fixed though.  I was just looking at it
> > again and it appears that with that setting it will not 
> prompt a user
> > for a domain login on either our webserver or our Exchange 
> > server.  OWA
> > is now disabled, with a 403 forbidden error 12202, no login 
> > box appears.
> > 
> > As for auth settings at the FE server, we only have one ISA and one
> > Exchange, none of which are set up for requiring SSL (or any
> > authentication) right now.  Not sure exactly what settings you are
> > referring to.
> > 
> > I put the test server back on the shelf, but can fire that 
> > one up again
> > and do more testing.  If you want, I can send you a backup 
> > export which
> > you can use for testing.  I made several backups during the 
> > testing, and
> > the last one I did was a bare-bones system with one web 
> > publishing rule,
> > and no confidential or permissions settings exported.  
> > 
> > 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx 
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Thomas W Shinder
> > Sent: Thursday, February 22, 2007 1:06 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Publishing in ISA2006
> > 
> > http://www.ISAserver.org
> > -------------------------------------------------------
> >   
> > Was this an Exchange publishing scenario?
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx 
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > Sent: Thursday, February 22, 2007 11:48 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: Publishing in ISA2006
> > > 
> > > http://www.ISAserver.org
> > > -------------------------------------------------------
> > >   
> > > Ok - now I have to play with this.
> > > What auth settings did you have at the FE server?
> > > 
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx 
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Ball, Dan
> > > Sent: Thursday, February 22, 2007 9:12 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: Publishing in ISA2006
> > > 
> > > Situation finally resolved, I just KNEW it had to be 
> > > something simple!  
> > > 
> > >  
> > > 
> > > It took a few days, but I finally got a test server online. 
> >  Installed
> > > ISA2006, verified it would publish the website properly, 
> > then imported
> > > the other ISA server's backup.  Had to do some minor tweaks 
> > > to adjust it
> > > for a different computer, but got it running and was able 
> > to reproduce
> > > the problem (w/o SurfControl or RainConnect).  I then spent 
> > > quite awhile
> > > purging out all the excess settings to finally get it down a 
> > > bare system
> > > with one publishing rule exhibiting the same problem.  
> > > 
> > >  
> > > 
> > > I then tried to purge that rule down to the bare minimums, and the
> > > problem disappeared!  So, I went through each setting, 
> > one-by-one, and
> > > finally found that if you set the Authentication Delegation 
> > tab to "No
> > > delegation, but client may authenticate directly", you get the SSL
> > > required response.  I changed it to "No delegation, and 
> > client cannot
> > > authenticate directly" on the live server, and everything 
> started to
> > > work again!  
> > > 
> > >  
> > > 
> > > I know for a fact that I have changed that setting numerous 
> > > times during
> > > my testing, so how I didn't stumble across this fix before is 
> > > beyond me.
> > > Both of the webservers I publish do support NTLM 
> > authentication, so by
> > > the description of that setting you'd think you'd need to 
> > have it set.
> > > This is definitely something to keep in mind for future
> > > troubleshooting...  
> > > 
> > >  
> > > 
> > > To summarize, if you see this error (and SSL is not specified as a
> > > requirement ANYWHERE):
> > > 
> > > Error Code: 403 Forbidden. The page must be viewed over a 
> > > secure channel
> > > (Secure Sockets Layer (SSL)). Contact the server 
> > > administrator. (12241)
> > > 
> > > Check your Authentication Delegation settings!
> > > 
> > >  
> > > 
> > >  
> > > 
> > > ________________________________
> > > 
> > > From: isalist-bounce@xxxxxxxxxxxxx 
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Ball, Dan
> > > Sent: Tuesday, February 20, 2007 11:16 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: Publishing in ISA2006
> > > 
> > >  
> > > 
> > > Unfortunately, I ran out of time before I was able to do 
> > that.  I did
> > > attempt to test it, but "all" publishing wasn't working at 
> > that time,
> > > and I had to get SurfControl back up and operational in a 
> > really short
> > > span of time, so it wasn't completed.  I also tried to put 
> > RainConnect
> > > back on, but that gave me some serious errors and wouldn't 
> > > work at all,
> > > and with the short amount of time I had to work with I ended 
> > > up removing
> > > that and bringing the server up with only one ISP just to get it
> > > operational.
> > > 
> > >  
> > > 
> > > I just got off the phone with SurfControl, and they 
> confirmed what I
> > > suspected.  That program will "block" SSL or non-SSL, but there is
> > > nothing in the program that will "force" a connection to use 
> > > SSL, so we
> > > can "almost" rule that out.  Or, at least we can rule out a SC
> > > configuration setting as the culprit.
> > > 
> > >  
> > > 
> > > I have an aide setting up another test ISA server right 
> > now, and will
> > > test a clean install (not using the ISA backup) to see if I 
> > can narrow
> > > it down a bit more.  
> > > 
> > >  
> > > 
> > > ________________________________
> > > 
> > > From: isalist-bounce@xxxxxxxxxxxxx 
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Steve Moffat
> > > Sent: Tuesday, February 20, 2007 10:44 AM
> > > To: ISA Mailing List
> > > Subject: [isalist] Re: Publishing in ISA2006
> > > 
> > >  
> > > 
> > > Did you try it before you added in rainconnect & surfcontrol.....
> > > 
> > >  
> > > 
> > > S
> > > 
> > >  
> > > 
> > > From: isalist-bounce@xxxxxxxxxxxxx 
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Ball, Dan
> > > Sent: Tuesday, February 20, 2007 10:43 AM
> > > To: ISA Mailing List
> > > Subject: [isalist] Re: Publishing in ISA2006
> > > 
> > >  
> > > 
> > > Not that I can tell.  It can block SSL or non-SSL 
> > > connections, but don't
> > > see anyway to force it to be required.  I'll contact 
> > > SurfControl and see
> > > if they know of anything like that. 
> > > 
> > >  
> > > 
> > > ________________________________
> > > 
> > > From: isalist-bounce@xxxxxxxxxxxxx 
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Jim Harrison
> > > Sent: Tuesday, February 20, 2007 9:12 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: Publishing in ISA2006
> > > 
> > >  
> > > 
> > > Unfortunately, there's no way for me to review the SC 
> > > settings - does it
> > > have any way to enforce SSL?
> > > 
> > >  
> > > 
> > > From: isalist-bounce@xxxxxxxxxxxxx 
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Ball, Dan
> > > Sent: Tuesday, February 20, 2007 5:44 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: Publishing in ISA2006
> > > 
> > >  
> > > 
> > > Well, it appears that it might be a configuration issue.  I did an
> > > almost total rebuild yesterday; I exported the ISA 
> > settings, formatted
> > > the drive, reinstalled ISA and SurfControl (left 
> > RainConnect out), and
> > > got the same exact symptoms.  I'm thinking I'm going to have 
> > > to rewrite
> > > all my ISA settings from scratch now.
> > > 
> > >  
> > > 
> > > ________________________________
> > > 
> > > From: isalist-bounce@xxxxxxxxxxxxx 
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Jim Harrison
> > > Sent: Sunday, February 11, 2007 5:05 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: Publishing in ISA2006
> > > 
> > >  
> > > 
> > > I did and so far, the data doesn't line up.
> > > 
> > > The capture clearly indicates that ISA is the one 
> > responding with the
> > > "muse use SSL", but none of the configuration seems to require it.
> > > 
> > > I tried your site today and I get a "302" redirect, but the 
> > > SSL listener
> > > is apparently deaf.
> > > 
> > > This too is a non-functional combination.
> > > 
> > > I'll have to format the tracing and see what shakes out.  We 
> > > may have to
> > > repeat this process a time or two...
> > > 
> > >  
> > > 
> > > From: isalist-bounce@xxxxxxxxxxxxx 
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Ball, Dan
> > > Sent: Tuesday, February 06, 2007 11:18 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: Publishing in ISA2006
> > > 
> > >  
> > > 
> > > Were you able to make sense of the info I sent you?
> > > 
> > >  
> > > 
> > > ________________________________
> > > 
> > > From: isalist-bounce@xxxxxxxxxxxxx 
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Jim Harrison
> > > Sent: Friday, February 02, 2007 11:12 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: Publishing in ISA2006
> > > 
> > >  
> > > 
> > > Get an ISABPAPack in repro mode and send me the results.
> > > 
> > > You can get ISABPA from MS downloads.
> > > 
> > > The instructions for running ISABPAPack in repro mode are 
> > part of the
> > > package.
> > > 
> > > 
> > > All mail to and from this domain is GFI-scanned.
> > > 
> > > ------------------------------------------------------
> > > List Archives: http://www.freelists.org/archives/isalist/  
> > > ISA Server Newsletter: 
> > http://www.isaserver.org/pages/newsletter.asp 
> > > ISA Server Articles and Tutorials: 
> > > http://www.isaserver.org/articles_tutorials/ 
> > > ISA Server Blogs: http://blogs.isaserver.org/ 
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com 
> > > ------------------------------------------------------
> > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
> > > Report abuse to listadmin@xxxxxxxxxxxxx 
> > > 
> > > 
> > > 
> > ------------------------------------------------------
> > List Archives: http://www.freelists.org/archives/isalist/  
> > ISA Server Newsletter: 
> http://www.isaserver.org/pages/newsletter.asp 
> > ISA Server Articles and Tutorials:
> > http://www.isaserver.org/articles_tutorials/ 
> > ISA Server Blogs: http://blogs.isaserver.org/ 
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com 
> > ------------------------------------------------------
> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
> > Report abuse to listadmin@xxxxxxxxxxxxx 
> > 
> > ------------------------------------------------------
> > List Archives: http://www.freelists.org/archives/isalist/  
> > ISA Server Newsletter: 
> http://www.isaserver.org/pages/newsletter.asp 
> > ISA Server Articles and Tutorials:
> > http://www.isaserver.org/articles_tutorials/ 
> > ISA Server Blogs: http://blogs.isaserver.org/ 
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com 
> > ------------------------------------------------------
> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
> > Report abuse to listadmin@xxxxxxxxxxxxx 
> > 
> > ------------------------------------------------------
> > List Archives: http://www.freelists.org/archives/isalist/  
> > ISA Server Newsletter: 
> http://www.isaserver.org/pages/newsletter.asp 
> > ISA Server Articles and Tutorials: 
> > http://www.isaserver.org/articles_tutorials/ 
> > ISA Server Blogs: http://blogs.isaserver.org/ 
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com 
> > ------------------------------------------------------
> > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
> > Report abuse to listadmin@xxxxxxxxxxxxx 
> > 
> > 
> > 
> ------------------------------------------------------
> List Archives: http://www.freelists.org/archives/isalist/  
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/ 
> ISA Server Blogs: http://blogs.isaserver.org/ 
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com 
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
> Report abuse to listadmin@xxxxxxxxxxxxx 
> 
> ------------------------------------------------------
> List Archives: http://www.freelists.org/archives/isalist/  
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
> ISA Server Articles and Tutorials: 
> http://www.isaserver.org/articles_tutorials/ 
> ISA Server Blogs: http://blogs.isaserver.org/ 
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com 
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
> Report abuse to listadmin@xxxxxxxxxxxxx 
> 
> 
> 
------------------------------------------------------
List Archives: http://www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx

Other related posts: