[isalist] Re: Publishing in ISA2006

The website you published is SSL required, so
- when you publish through HTTP connection, access is denied
- when you redirect to HTTPs by ISA, it works.
Then, you may need to check any changing at your published web server but
not ISA.



  ----- Original Message ----- 
  From: Ball, Dan 
  To: isalist@xxxxxxxxxxxxx 
  Sent: Tuesday, January 30, 2007 1:13 PM
  Subject: [isalist] Re: Publishing in ISA2006


  Here is the scenario:

  - I remove all publishing rules and web listeners, so I can start over.

  - I go through the wizard to publish a single webserver.  I take all the 
defaults, saying no SSL is required.

  - When it gets to the part about a web listener, I create a new one, taking 
the default settings and specifying no SSL or authentication is required.

  - The rule is done; I apply the changes, and test it.  I get a 403 error.

  - I edit the listener to redirect traffic to HTTPS, and it works.

   

  There must be something simple I missed.

   


------------------------------------------------------------------------------

  From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
  Sent: Monday, January 29, 2007 11:48 PM
  To: isalist@xxxxxxxxxxxxx
  Subject: [isalist] Re: Publishing in ISA2006

   

  The rule works with the related listener.

  You cannot evaluate one without including the other - period.

  The listener; not the rule is what determines if HTTP/HTTPS redirection is 
possible.

  If the listener doesn't accept HTTP, then it can't redirect it to HTTPS.

  You're not trying to publish a stealth service, are you?

   

  From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ball, Dan
  Sent: Monday, January 29, 2007 10:51 AM
  To: isalist@xxxxxxxxxxxxx
  Subject: [isalist] Re: Publishing in ISA2006

   

  Not Exchange traffic, but the main web server.  They both use the same 
listener, so it makes it difficult to modify one but not the other.  Once I got 
the webserver working, I was planning on taking Tom's suggestion that he had 
awhile back and using a redirect page to redirect OWA calls to an alternate 
port/listener.

   

  In any case, in this particular instance I'm referring to normal web traffic 
that I want in plain-text.  Correct me if I'm wrong, but I was under the 
assumption that if the publishing rule was not working "non-SSL", then both the 
"authenticated traffic" and "all traffic" options would behave the same way.  
I.e., they would both return an error if the client wasn't capable of the 
connection.  

   


------------------------------------------------------------------------------

  From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
  Sent: Monday, January 29, 2007 11:57 AM
  To: isalist@xxxxxxxxxxxxx
  Subject: [isalist] Re: Publishing in ISA2006

   

  You never had ISA 2004 doing the redirects without custom code.

  It did not have this option.

   

  Let's get this straight - you want to publish plain-text Exchange web 
traffic?!?

  Also; "Redirect authenticated traffic from HTTP to HTTPS" option in the web 
listener.  This works because it redirects all web traffic to HTTPS" is 
incorrect; that setting only redirects traffic which has already been 
authenticated - probably why only some requests are working.  Change it to 
redirect "ALL" requests.

   

  From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ball, Dan
  Sent: Monday, January 29, 2007 8:04 AM
  To: isalist@xxxxxxxxxxxxx
  Subject: [isalist] Re: Publishing in ISA2006

   

  Nope, same server, and ISA_Redirects have never been used on that server.  I 
used to publish the website without requiring SSL, now that is the only way I 
can get it to work.  In fact, I used the "connections" tab in the listener to 
force everything over to HTTPS, just to get it working.  I just can't figure 
out how to get it publish "without" SSL, as there seem to be some browsers that 
have a problem with that method.  While I'd like to tell them to fix their own 
system and get over it, that won't fly with a "public" website.  

   

  Where can I start looking for clues on this problem?

   


------------------------------------------------------------------------------

  From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
  Sent: Monday, January 29, 2007 9:29 AM
  To: isalist@xxxxxxxxxxxxx
  Subject: [isalist] Re: Publishing in ISA2006

   

  That error response can only be obtained when web publishing.

  IIS response is quite different.

  You probably were using the ISA_Redirects tool or something similar and 
forgot to move it to the new server.

  The good news is that in ISA 2006, such custom mechanisms aren't required.

  In the listener "Connections" tab, you can opt to redirect anonymous or 
authenticated HTTP connections to HTTPS.

   

  From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Roy Tsao
  Sent: Monday, January 29, 2007 1:18 AM
  To: isalist@xxxxxxxxxxxxx
  Subject: [isalist] Re: Publishing in ISA2006

   

  Original publishing is SSL bridge or tunneling?

    ----- Original Message ----- 

    From: Ball, Dan 

    To: isalist@xxxxxxxxxxxxx 

    Sent: Monday, January 29, 2007 10:40 AM

    Subject: [isalist] Publishing in ISA2006

     

    When I upgraded ISA2004 to ISA2006, my published webserver and Exchange 
server no longer worked.  

     

    Browsing to the website gave me this error:

    Error Code: 403 Forbidden. The page must be viewed over a secure channel 
(Secure Sockets Layer (SSL)). Contact the server administrator. (12241)

     

    Typing https:// into the URL allowed the traffic to flow.

     

    The only way I could get it to work was to enable the "Redirect 
authenticated traffic from HTTP to HTTPS" option in the web listener.  This 
works because it redirects all web traffic to HTTPS.  However, it doesn't work 
for all pages, we have a few pages that have problems, and have had reports 
from some people that cannot access the website at all.

     

    So, I need to get this working properly again.  I've deleted all of the 
publishing rules and the web listener several times, recreating everything from 
scratch; it still gives me the same error.  I've followed every tutorial I 
could find, it appears that I'm doing it correctly.  There must be some little 
detail that I'm missing with ISA2006.  Probably something obvious, but it is 
eluding me.

     

    Anyone have any ideas?

  All mail to and from this domain is GFI-scanned.

  All mail to and from this domain is GFI-scanned.

  All mail to and from this domain is GFI-scanned.

Other related posts: