[isalist] Re: SSL-tunnel - Failed Connection Attempt

http://www.ISAserver.org
-------------------------------------------------------
  
Ha!
You fell face-first into my trap. :-p

ClearTunnel terminates the SSL session between the client & ISA using
its own cert-spoofing mechanism, then creates a completely separate SSL
session between ISA and the upstream server - even for FWC and SecureNET
clients (if you opt for it).

This is known as "bridging".

So there; thpthpthpthp...

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Tuesday, May 22, 2007 7:08 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt

ClearTunnel :)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Tuesday, May 22, 2007 8:58 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt
> 
> There can be no caching of SSL Tunneled traffic; ISA can't see it, so
> ISA can't cache it.  Never let anyone tell you otherwise.
> Regarding the errors, if you get a network capture while making these
> tests, you can prove conclusively which entity (site or ISA) is
> delivering the content.
> 
> NetMon 3 can capture multiple interfaces simultaneously.
> 
> Get a capture and we'll see what we see...
> 
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Amy Babinchak
> Sent: Tuesday, May 22, 2007 5:07 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt
> 
> Dave,
> 
> The message you are describing is coming from the site itself, not from
> ISA. ISA can't display a page that Acer doesn't ask it to. You
> definitely have it cached someplace.
> 
> Amy
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of David Freeman
> Sent: Monday, May 21, 2007 9:33 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt
> 
> More information needed...
> 
> I click the "ShopAcer" link and get a new browser with the following:
> 
> The Site is currently down. Please try again soon. Acer SYSOP. 
> 
> When I go to https://www.apec.acer.com.au/ and log in using my normal
> u/p etc I get the following:
> 
> The Site is currently down. Please try again soon. Acer SYSOP. 
> 
> When I go to http://www.service.acer.com.au/aarc and log in using my
> normal u/p etc I get the following:
> 
> The Site is currently down. Please try again soon. Acer SYSOP. 
> 
> At the same time, I can go to
> https://toolbox.iinet.net.au/cgi-bin/volumegraphs.cgi and log in using
> my normal u/p and it works.
> 
> I can also access Internet banking sites and other sites that use login
> credentials.
> 
> I have rebooted the server and it made no difference.
> 
> My network is like this:
> 
>  - Internet via ADSL to a LinkSYS router (NAT router)
>  - an 'external' network that I use to plug in computers I'm repairing
> in my workshop
>  - ISA/SBS with SBS having dual NIC's into an 'internal' network where
> my business workstations live
> 
> If I plug a PC into the 'external' network the above things work
> normally.
> 
> I've tried talking to the folks at Acer and they claim there's no
> problems at their end.  Given that I also have no problems when outside
> ISA I tend to accept this.
> 
> Access to Acer's various sites is pretty much business-critical so I'm
> really getting hassled by staff here.  I really don't want to move
> workstations on to the 'external' network so I'm trying to understand
> what is going on.
> 
> I ran a query in ISA while running the above tests and aside from seeing
> SSL-tunnel failing to connect I didn't see any denied connections or
> errors showing.  My filter was basically for a log record type of
> firewall or web proxy filter with a client IP of the workstation I'm
> doing the testing on.  I've tested using both IE (v6) and Firefox.  I'm
> satisfied that the workstation I'm testing on is working normally but
> have also tested with similar results on two other workstations.
> 
> Hope that offers a little more information...
> 
> David
>  
> 
>  > -----Original Message-----
>  > From: isalist-bounce@xxxxxxxxxxxxx 
>  > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
>  > Sent: Tuesday, 22 May 2007 10:58 AM
>  > To: isalist@xxxxxxxxxxxxx
>  > Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt
>  > 
>  > What happens when you click Shop Acer? For me a new window is launched
>  > and it's http, not https. Given this I would be looking first at browser
>  > settings.
>  > 
>  > Amy
>  > 
>  > -----Original Message-----
>  > From: isalist-bounce@xxxxxxxxxxxxx 
>  > [mailto:isalist-bounce@xxxxxxxxxxxxx]
>  > On Behalf Of David Freeman
>  > Sent: Monday, May 21, 2007 8:32 PM
>  > To: isalist@xxxxxxxxxxxxx
>  > Subject: [isalist] SSL-tunnel - Failed Connection Attempt
>  > 
>  > Hi All
>  > 
>  > I'm running ISA 2004 on an SBS 2003 (not R2) box.
>  > 
>  > There haven't been any changes to the server for the past 30 days.
>  > 
>  > In the past two weeks, a web site that we use stopped working (their
>  > end, was offline then came back online).  Since they came back online
>  > we've been unable to access the site.
>  > 
>  > I set up a workstation outside my ISA protected network and tested - the
>  > site will load normally.  It does not load inside the ISA protected
>  > network.
>  > 
>  > I set up a filter for one of my workstations and attempted to connect to
>  > the site.  The only failure I'm seeing is for a port 443 connection.  It
>  > identifies the protocol as SSL-tunnel and has an action of "Failed
>  > Connection Attempt".  ISA identifies the rule as "SBS Internet Access
>  > Rule".
>  > 
>  > My current "SBS Internet Access Rule" is set to allow HTTP and HTTPS
>  > from all protected networks to external networks for SBS internet users.
>  > 
>  > There are no problems accessing other sites using HTTPS (including
>  > internet banking sites) from ISA protected workstations, only this
>  > particular site.
>  > 
>  > Just been checking with other staff here - the exact same error can be
>  > seen by going to http://www.acer.com.au/ and selecting the "ShopAcer"
>  > link on the left hand side (actual site I'd noted the problem with is
>  > Acer's wholesale e-commerce site).
>  > 
>  > Any assistance or ideas on how to proceed very much appreciated.
>  > 
>  > Aside from adding a couple of rules for Citrix my ISA 2004 is running
>  > pretty much vanilla default rules set up as part of the SBS install.
>  > 
>  > David
>  > ------------------------------------------------------
>  > List Archives: http://www.freelists.org/archives/isalist/  
>  > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>  > ISA Server Articles and Tutorials:
>  > http://www.isaserver.org/articles_tutorials/ 
>  > ISA Server Blogs: http://blogs.isaserver.org/ 
>  > ------------------------------------------------------
>  > Visit TechGenix.com for more information about our other sites:
>  > http://www.techgenix.com 
>  > ------------------------------------------------------
>  > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
>  > Report abuse to listadmin@xxxxxxxxxxxxx 
>  > 
>  > 
> 
> All mail to and from this domain is GFI-scanned.
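Added example, not part of the original thread: the contrast drawn above between SSL tunneling (ISA cannot see or cache the traffic) and bridging comes down to what the proxy can read. The sketch below parses what a tunnel-only proxy receives, a plaintext CONNECT line followed by TLS records; the byte strings, host name and function names are constructed for illustration.

```python
import struct

# Constructed sample of what a tunnel-mode proxy receives from a client:
# a plaintext CONNECT request, then TLS records it relays without decrypting.
CONNECT_REQ = b"CONNECT shop.example.test:443 HTTP/1.1\r\nHost: shop.example.test:443\r\n\r\n"
TLS_STREAM = (
    b"\x16\x03\x01\x00\x04" + b"\x01\x00\x00\x00"  # handshake record, 4-byte body
    + b"\x14\x03\x01\x00\x01" + b"\x01"            # change_cipher_spec record
    + b"\x17\x03\x01\x00\x08" + bytes(8)           # application_data (ciphertext)
)
RECORD_TYPES = {20: "change_cipher_spec", 21: "alert",
                22: "handshake", 23: "application_data"}


def parse_connect(request: bytes):
    """Return (host, port) from the CONNECT request line."""
    line = request.split(b"\r\n", 1)[0].decode("ascii")
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError("malformed CONNECT target")
    return host, int(port)


def tls_records(stream: bytes):
    """Return [(type_name, body_length)] read from the 5-byte record headers only."""
    records, offset = [], 0
    while offset + 5 <= len(stream):
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in RECORD_TYPES or major != 3:
            raise ValueError(f"not a TLS record at offset {offset}")
        if offset + 5 + length > len(stream):
            break  # truncated record: wait for more bytes
        records.append((RECORD_TYPES[ctype], length))
        offset += 5 + length
    return records


def tunnel_view(request: bytes, stream: bytes):
    """Everything a tunnel-only proxy can log: destination plus record metadata."""
    host, port = parse_connect(request)
    records = tls_records(stream)
    opaque = sum(n for name, n in records if name == "application_data")
    return {"host": host, "port": port, "records": records, "opaque_bytes": opaque}


if __name__ == "__main__":
    print(tunnel_view(CONNECT_REQ, TLS_STREAM))
```

No URL, header or response body appears in the result, which is why a tunneled session cannot be cached or filtered by content. A bridging proxy sees them only because it terminates the client's SSL session itself and opens a second one upstream.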