http://www.ISAserver.org
-------------------------------------------------------

You can create one rule that requires authentication and one that doesn't. The difference between the rules is that the paths are going to be different.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
> Sent: Friday, February 23, 2007 8:44 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
>
> How can I do that if you can only have one listener per IP & port? If I create an SSL-Only listener that uses port 443, and one that uses both port 80 and 443, it won't allow me to use both of them because they overlap. I'd have to move one to an alternate IP or port to use both.
>
> Also, if I create one listener for SSL, and one for HTTP, then I won't be able to use my main website because the address is the same. It's not a matter of being able to separate one segment of the website as "authenticated" and one as "public" and use different rules for each. You browse the website, then if you want to log in you click on the login button, which prompts you for your domain info. Once that information is validated, you go right back to the same website only now you have more menu items showing.
>
> The reason I'm asking all this is because I am seriously wondering if it is a configuration issue or a corrupted install of the ISA server (I used the same CD on both installs). I spent many-many hours on this yesterday and last night trying every possible combination I could think of to get this thing working (makes it much simpler with a test server) and have had absolutely no success.
> I've reset the entire ISA server with a different template, and followed every tutorial I could find, and keep ending up in the same place over and over and over and over again. The "only" way I've found that works is to use the redirect to SSL option in the web listener. Then, the anonymous browsing and authentication work, but some things (webcams, embedded video) don't work anymore (secure & non-secure items error).
>
> Or, do you think this is more of an issue for PSS?
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Friday, February 23, 2007 8:27 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
>
> First thing I would do is create two Web listeners -- one for SSL and one for HTTP with SSL. Then use the SSL listener for those connections requiring authentication and the HTTP listener for those connections not requiring authentication.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
> > Sent: Thursday, February 22, 2007 8:03 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> > Okay, that makes sense, but how do you do it? I've been going through tutorials and help menus for hours now trying to figure out how to get this working. My scenario is a bit different than others, and I haven't found a tutorial that seems to cover what I need.
> >
> > Here's my situation:
> >
> > Server 1: Main website, we need anonymous browsing abilities for the general public, so we need basic, unauthenticated publishing. To confuse the issue however, if an employee wants to log into the website, they need to authenticate to the AD.
> >
> > Server 2: Combination of web-based calendar and Exchange OWA. One part of it is OWA which requires authentication against the AD, and the other part of it is forms-based authentication.
> >
> > So, basically, I have two websites that have the same need, they both have to have a portion available for anonymous browsing, and a portion that uses AD authentication. Since they both use port 80 and 433, they have to use the same listener. This worked great on ISA2004, but I haven't figured out how to get it working in ISA2006 yet.
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Thursday, February 22, 2007 4:18 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Publishing in ISA2006
> >
> > That is to say, you should be using SSL to SSL bridging with basic delegation.
> >
> > You don't want to use NTLM for remote access connections.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
> > > Sent: Thursday, February 22, 2007 2:29 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: Publishing in ISA2006
> > >
> > > Okay, now I'm really confused.
> > >
> > > I set up the test server again and using the standard edge template created a whole new setup from scratch. If I publish a webserver, it works at first glance. However, whenever I go to a page that requires NTLM authentication I get the error message a 403 error but no login box.
> > >
> > > If I change the Authentication delegation to "No delegation, but client may authenticate directly", I get the original error about requiring SSL.
> > >
> > > If I then use the redirect to SSL in the web listener, everything works, but then EVERYTHING is redirected to SSL. (This is the way I've had our site running for about two months now.)
> > >
> > > This makes it a bit difficult to use, in that NTLM authentication is what is required to log into Exchange (in non-FBA mode) and our webserver, which supports AD integration. This was working with ISA2004, but not with ISA2006.
> > >
> > > However, I'm not 100% certain it was working upon the initial "clean" installation of ISA2006. Since I didn't know exactly what to look for, I just got the website publishing rule set up to browse the anonymous portion of our website and assumed it was working.
> > > I'm not entirely sure that using the templates (or doing a backup restore) overwrites "everything" in the ISA server, so only another clean install would prove that.
> > >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
> > > Sent: Thursday, February 22, 2007 1:55 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: Publishing in ISA2006
> > >
> > > It was affecting both Web and OWA publishing. I was working specifically with the web publishing rule over the last few days.
> > >
> > > I spoke too soon on it being fixed though. I was just looking at it again and it appears that with that setting it will not prompt a user for a domain login on either our webserver or our Exchange server. OWA is now disabled, with a 403 forbidden error 12202, no login box appears.
> > >
> > > As for auth settings at the FE server, we only have one ISA and one Exchange, none of which are set up for requiring SSL (or any authentication) right now. Not sure exactly what settings you are referring to.
> > >
> > > I put the test server back on the shelf, but can fire that one up again and do more testing. If you want, I can send you a backup export which you can use for testing. I made several backups during the testing, and the last one I did was a bare-bones system with one web publishing rule, and no confidential or permissions settings exported.
> > >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > > Sent: Thursday, February 22, 2007 1:06 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: Publishing in ISA2006
> > >
> > > Was this an Exchange publishing scenario?
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- Microsoft Firewalls (ISA)
> > >
> > > > -----Original Message-----
> > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: Thursday, February 22, 2007 11:48 AM
> > > > To: isalist@xxxxxxxxxxxxx
> > > > Subject: [isalist] Re: Publishing in ISA2006
> > > >
> > > > Ok - now I have to play with this.
> > > > What auth settings did you have at the FE server?
> > > >
> > > > -----Original Message-----
> > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
> > > > Sent: Thursday, February 22, 2007 9:12 AM
> > > > To: isalist@xxxxxxxxxxxxx
> > > > Subject: [isalist] Re: Publishing in ISA2006
> > > >
> > > > Situation finally resolved, I just KNEW it had to be something simple!
> > > >
> > > > It took a few days, but I finally got a test server online. Installed ISA2006, verified it would publish the website properly, then imported the other ISA server's backup. Had to do some minor tweaks to adjust it for a different computer, but got it running and was able to reproduce the problem (w/o SurfControl or RainConnect).
> > > > I then spent quite a while purging out all the excess settings to finally get it down to a bare system with one publishing rule exhibiting the same problem.
> > > >
> > > > I then tried to purge that rule down to the bare minimums, and the problem disappeared! So, I went through each setting, one-by-one, and finally found that if you set the Authentication Delegation tab to "No delegation, but client may authenticate directly", you get the SSL required response. I changed it to "No delegation, and client cannot authenticate directly" on the live server, and everything started to work again!
> > > >
> > > > I know for a fact that I have changed that setting numerous times during my testing, so how I didn't stumble across this fix before is beyond me. Both of the webservers I publish do support NTLM authentication, so by the description of that setting you'd think you'd need to have it set. This is definitely something to keep in mind for future troubleshooting...
> > > >
> > > > To summarize, if you see this error (and SSL is not specified as a requirement ANYWHERE):
> > > >
> > > > Error Code: 403 Forbidden. The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator. (12241)
> > > >
> > > > Check your Authentication Delegation settings!
> > > >
> > > > ________________________________
> > > >
> > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
> > > > Sent: Tuesday, February 20, 2007 11:16 AM
> > > > To: isalist@xxxxxxxxxxxxx
> > > > Subject: [isalist] Re: Publishing in ISA2006
> > > >
> > > > Unfortunately, I ran out of time before I was able to do that. I did attempt to test it, but "all" publishing wasn't working at that time, and I had to get SurfControl back up and operational in a really short span of time, so it wasn't completed. I also tried to put RainConnect back on, but that gave me some serious errors and wouldn't work at all, and with the short amount of time I had to work with I ended up removing that and bringing the server up with only one ISP just to get it operational.
> > > >
> > > > I just got off the phone with SurfControl, and they confirmed what I suspected. That program will "block" SSL or non-SSL, but there is nothing in the program that will "force" a connection to use SSL, so we can "almost" rule that out. Or, at least we can rule out a SC configuration setting as the culprit.
> > > >
> > > > I have an aide setting up another test ISA server right now, and will test a clean install (not using the ISA backup) to see if I can narrow it down a bit more.
> > > >
> > > > ________________________________
> > > >
> > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
> > > > Sent: Tuesday, February 20, 2007 10:44 AM
> > > > To: ISA Mailing List
> > > > Subject: [isalist] Re: Publishing in ISA2006
> > > >
> > > > Did you try it before you added in rainconnect & surfcontrol.....
> > > >
> > > > S
> > > >
> > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
> > > > Sent: Tuesday, February 20, 2007 10:43 AM
> > > > To: ISA Mailing List
> > > > Subject: [isalist] Re: Publishing in ISA2006
> > > >
> > > > Not that I can tell. It can block SSL or non-SSL connections, but don't see any way to force it to be required. I'll contact SurfControl and see if they know of anything like that.
> > > >
> > > > ________________________________
> > > >
> > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: Tuesday, February 20, 2007 9:12 AM
> > > > To: isalist@xxxxxxxxxxxxx
> > > > Subject: [isalist] Re: Publishing in ISA2006
> > > >
> > > > Unfortunately, there's no way for me to review the SC settings - does it have any way to enforce SSL?
> > > >
> > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
> > > > Sent: Tuesday, February 20, 2007 5:44 AM
> > > > To: isalist@xxxxxxxxxxxxx
> > > > Subject: [isalist] Re: Publishing in ISA2006
> > > >
> > > > Well, it appears that it might be a configuration issue.
> > > > I did an almost total rebuild yesterday; I exported the ISA settings, formatted the drive, reinstalled ISA and SurfControl (left RainConnect out), and got the same exact symptoms. I'm thinking I'm going to have to rewrite all my ISA settings from scratch now.
> > > >
> > > > ________________________________
> > > >
> > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: Sunday, February 11, 2007 5:05 PM
> > > > To: isalist@xxxxxxxxxxxxx
> > > > Subject: [isalist] Re: Publishing in ISA2006
> > > >
> > > > I did and so far, the data doesn't line up.
> > > >
> > > > The capture clearly indicates that ISA is the one responding with the "must use SSL", but none of the configuration seems to require it.
> > > >
> > > > I tried your site today and I get a "302" redirect, but the SSL listener is apparently deaf.
> > > >
> > > > This too is a non-functional combination.
> > > >
> > > > I'll have to format the tracing and see what shakes out. We may have to repeat this process a time or two...
> > > >
> > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
> > > > Sent: Tuesday, February 06, 2007 11:18 AM
> > > > To: isalist@xxxxxxxxxxxxx
> > > > Subject: [isalist] Re: Publishing in ISA2006
> > > >
> > > > Were you able to make sense of the info I sent you?
> > > >
> > > > ________________________________
> > > >
> > > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > > > Sent: Friday, February 02, 2007 11:12 AM
> > > > To: isalist@xxxxxxxxxxxxx
> > > > Subject: [isalist] Re: Publishing in ISA2006
> > > >
> > > > Get an ISABPAPack in repro mode and send me the results.
> > > >
> > > > You can get ISABPA from MS downloads.
> > > >
> > > > The instructions for running ISABPAPack in repro mode are part of the package.
> > > >
> > > > All mail to and from this domain is GFI-scanned.
> > > >
> > > > ------------------------------------------------------
> > > > List Archives: //www.freelists.org/archives/isalist/
> > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
> > > > ISA Server Blogs: http://blogs.isaserver.org/
> > > > ------------------------------------------------------
> > > > Visit TechGenix.com for more information about our other sites: http://www.techgenix.com
> > > > ------------------------------------------------------
> > > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > > > Report abuse to listadmin@xxxxxxxxxxxxx