http://www.ISAserver.org
-------------------------------------------------------

Not a trap, but an inducement for you to educate :)

Maybe the next version of the ISA Firewall will have outbound SSL to SSL
bridging?

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Tuesday, May 22, 2007 10:27 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt
>
> Ha!
> You fell face-first into my trap. :-p
>
> ClearTunnel terminates the SSL session between the client & ISA using
> its own cert-spoofing mechanism, then creates a completely separate SSL
> session between ISA and the upstream server - even for FWC and SecureNET
> clients (if you opt for it).
>
> This is known as "bridging".
>
> So there; thpthpthpthp...
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Tuesday, May 22, 2007 7:08 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt
>
> ClearTunnel :)
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Tuesday, May 22, 2007 8:58 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt
> >
> > There can be no caching of SSL Tunneled traffic; ISA can't see it, so
> > ISA can't cache it. Never let anyone tell you otherwise.
> > Regarding the errors, if you get a network capture while making these
> > tests, you can prove conclusively which entity (site or ISA) is
> > delivering the content.
> >
> > NetMon 3 can capture multiple interfaces simultaneously.
> >
> > Get a capture and we'll see what we see...
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > Sent: Tuesday, May 22, 2007 5:07 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt
> >
> > Dave,
> >
> > The message you are describing is coming from the site itself, not from
> > ISA. ISA can't display a page that Acer doesn't ask it to. You
> > definitely have it cached someplace.
> >
> > Amy
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of David Freeman
> > Sent: Monday, May 21, 2007 9:33 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt
> >
> > More information needed...
> >
> > I click the "ShopAcer" link and get a new browser with the following:
> >
> > The Site is currently down. Please try again soon. Acer SYSOP.
> >
> > When I go to https://www.apec.acer.com.au/ and log in using my normal
> > u/p etc I get the following:
> >
> > The Site is currently down. Please try again soon. Acer SYSOP.
> >
> > When I go to http://www.service.acer.com.au/aarc and log in using my
> > normal u/p etc I get the following:
> >
> > The Site is currently down. Please try again soon. Acer SYSOP.
> >
> > At the same time, I can go to
> > https://toolbox.iinet.net.au/cgi-bin/volumegraphs.cgi and log in using
> > my normal u/p and it works.
> >
> > I can also access Internet banking sites and other sites that use login
> > credentials.
> >
> > I have rebooted the server and it made no difference.
> >
> > My network is like this:
> >
> > - Internet via ADSL to a LinkSYS router (NAT router)
> > - an 'external' network that I use to plug in computers I'm repairing
> >   in my workshop
> > - ISA/SBS with SBS having dual NIC's into an 'internal' network where
> >   my business workstations live
> >
> > If I plug a PC into the 'external' network the above things work
> > normally.
> >
> > I've tried talking to the folks at Acer and they claim there's no
> > problems at their end. Given that I also have no problems when outside
> > ISA I tend to accept this.
> >
> > Access to Acer's various sites is pretty much business-critical so I'm
> > really getting hassled by staff here. I really don't want to move
> > workstations on to the 'external' network so I'm trying to understand
> > what is going on.
> >
> > I ran a query in ISA while running the above tests and aside from seeing
> > SSL-tunnel failing to connect I didn't see any denied connections or
> > errors showing. My filter was basically for a log record type of
> > firewall or web proxy filter with a client IP of the workstation I'm
> > doing the testing on.
> > I've tested using both IE (v6) and Firefox. I'm satisfied that the
> > workstation I'm testing on is working normally but have also tested
> > with similar results on two other workstations.
> >
> > Hope that offers a little more information...
> >
> > David
> >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > > Sent: Tuesday, 22 May 2007 10:58 AM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt
> > >
> > > What happens when you click Shop Acer? For me a new window is launched
> > > and it's http, not https. Given this I would be looking first at
> > > browser settings.
> > >
> > > Amy
> > >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx
> > > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of David Freeman
> > > Sent: Monday, May 21, 2007 8:32 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] SSL-tunnel - Failed Connection Attempt
> > >
> > > Hi All
> > >
> > > I'm running ISA 2004 on an SBS 2003 (not R2) box.
> > >
> > > There haven't been any changes to the server for the past 30 days.
> > >
> > > In the past two weeks, a web site that we use stopped working (their
> > > end, was offline then came back online). Since they came back online
> > > we've been unable to access the site.
> > >
> > > I set up a workstation outside my ISA protected network and tested -
> > > the site will load normally. It does not load inside the ISA protected
> > > network.
> > >
> > > I set up a filter for one of my workstations and attempted to connect
> > > to the site. The only failure I'm seeing is for a port 443 connection.
> > > It identifies the protocol as SSL-tunnel and has an action of "Failed
> > > Connection Attempt". ISA identifies the rule as "SBS Internet Access
> > > Rule".
> > >
> > > My current "SBS Internet Access Rule" is set to allow HTTP and HTTPS
> > > from all protected networks to external networks for SBS internet
> > > users.
> > >
> > > There are no problems accessing other sites using HTTPS (including
> > > internet banking sites) from ISA protected workstations, only this
> > > particular site.
> > >
> > > Just been checking with other staff here - the exact same error can be
> > > seen by going to http://www.acer.com.au/ and selecting the "ShopAcer"
> > > link on the left hand side (actual site I'd noted the problem with is
> > > Acer's wholesale e-commerce site).
> > >
> > > Any assistance or ideas on how to proceed very much appreciated.
> > >
> > > Aside from adding a couple of rules for Citrix my ISA 2004 is running
> > > pretty much vanilla default rules set up as part of the SBS install.
> > >
> > > David
> > > ------------------------------------------------------
> > > List Archives: //www.freelists.org/archives/isalist/
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server Articles and Tutorials:
> > > http://www.isaserver.org/articles_tutorials/
> > > ISA Server Blogs: http://blogs.isaserver.org/
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> > > --
> > > ExchangeDefender Message Security: Click below to verify authenticity
> > > http://www.exchangedefender.com/verify.asp?id=l4M0oh1g001079&;
> > > from=amy@xxxxxxxxxxxxxxxxxxxxxxxxxx
> >
> > All mail to and from this domain is GFI-scanned.
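
The distinction drawn in this thread between an SSL tunnel and SSL bridging can be checked against a capture. The following is an added example, not part of the original thread and not ISA Server code: it parses reassembled client-to-proxy bytes and reports everything a non-bridging proxy can read, next to what it reads from a plain HTTP request. The host name and record bodies are constructed sample data.

```python
import struct

TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}

def tls_records(data: bytes):
    """Return (type, version, length) for each complete TLS record.
    Only the 5-byte cleartext header is read; the body stays opaque."""
    out, pos = [], 0
    while pos + 5 <= len(data):
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, pos)
        if ctype not in TLS_TYPES or major != 3:
            raise ValueError("not a TLS record at offset %d" % pos)
        if pos + 5 + length > len(data):
            break  # record truncated by the end of the capture
        out.append((TLS_TYPES[ctype], "3.%d" % minor, length))
        pos += 5 + length
    return out

def proxy_view(stream: bytes) -> dict:
    """What a forward proxy learns from the client side of one connection."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    method, target, _ = head.split(b"\r\n")[0].decode("ascii").split(" ", 2)
    if method != "CONNECT":
        # Plain HTTP through the proxy: the full URL is visible, so a
        # cache has something to key on.
        return {"mode": "http", "cache_key": target, "records": []}
    host, _, port = target.rpartition(":")
    # Tunnel: endpoint plus record headers, no URL, headers or body.
    return {"mode": "tunnel", "endpoint": (host, int(port)),
            "cache_key": None, "records": tls_records(rest)}

# Constructed sample: a CONNECT request followed by tunnelled TLS records.
SAMPLE_TUNNEL = (
    b"CONNECT shop.example.com:443 HTTP/1.1\r\n"
    b"Host: shop.example.com:443\r\n\r\n"
    + b"\x16\x03\x01\x00\x04" + b"\xaa" * 4   # handshake record
    + b"\x17\x03\x03\x00\x06" + b"\xbb" * 6   # application data
    + b"\x17\x03\x03\x00\x10" + b"\xcc" * 3   # truncated record
)
# Constructed sample: the same site requested over plain HTTP.
SAMPLE_HTTP = (b"GET http://shop.example.com/catalog HTTP/1.1\r\n"
               b"Host: shop.example.com\r\n\r\n")

if __name__ == "__main__":
    print(proxy_view(SAMPLE_TUNNEL))
    print(proxy_view(SAMPLE_HTTP))
```
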