[isalist] Re: SSL-tunnel - Failed Connection Attempt

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 22 May 2007 10:35:40 -0500

http://www.ISAserver.org
-------------------------------------------------------

Not a trap, but an inducement for you to educate :)

Maybe the next version of the ISA Firewall will have outbound SSL to SSL
bridging?

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Tuesday, May 22, 2007 10:27 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt
> 
> Ha!
> You fell face-first into my trap. :-p
> 
> ClearTunnel terminates the SSL session between the client & ISA using
> its own cert-spoofing mechanism, then creates a completely separate SSL
> session between ISA and the upstream server - even for FWC and SecureNET
> clients (if you opt for it).
> 
> This is known as "bridging".
> 
> So there; thpthpthpthp...
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Tuesday, May 22, 2007 7:08 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt
> 
> ClearTunnel :)
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
>  
> 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx 
> > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Tuesday, May 22, 2007 8:58 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt
> > 
> > There can be no caching of SSL Tunneled traffic; ISA can't see it, so
> > ISA can't cache it.  Never let anyone tell you otherwise.
> > Regarding the errors, if you get a network capture while making these
> > tests, you can prove conclusively which entity (site or ISA) is
> > delivering the content.
> > 
> > NetMon 3 can capture multiple interfaces simultaneously.
> > 
> > Get a capture and we'll see what we see...
> > 
> > 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx 
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Amy Babinchak
> > Sent: Tuesday, May 22, 2007 5:07 AM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt
> > 
> > Dave,
> > 
> > The message you are describing is coming from the site itself, not from
> > ISA. ISA can't display a page that Acer doesn't ask it to. You
> > definitely have it cached someplace.
> > 
> > Amy
> > 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx 
> > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of David Freeman
> > Sent: Monday, May 21, 2007 9:33 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt
> > 
> > More information needed...
> > 
> > I click the "ShopAcer" link and get a new browser with the following:
> > 
> > The Site is currently down. Please try again soon. Acer SYSOP. 
> > 
> > When I go to https://www.apec.acer.com.au/ and log in using my normal
> > u/p etc I get the following:
> > 
> > The Site is currently down. Please try again soon. Acer SYSOP. 
> > 
> > When I go to http://www.service.acer.com.au/aarc and log in using my
> > normal u/p etc I get the following:
> > 
> > The Site is currently down. Please try again soon. Acer SYSOP. 
> > 
> > At the same time, I can go to
> > https://toolbox.iinet.net.au/cgi-bin/volumegraphs.cgi and log in using
> > my normal u/p and it works.
> > 
> > I can also access Internet banking sites and other sites that use login
> > credentials.
> > 
> > I have rebooted the server and it made no difference.
> > 
> > My network is like this:
> > 
> >  - Internet via ADSL to a LinkSYS router (NAT router)
> >  - an 'external' network that I use to plug in computers I'm repairing
> >    in my workshop
> >  - ISA/SBS with SBS having dual NICs into an 'internal' network where
> >    my business workstations live
> > 
> > If I plug a PC into the 'external' network the above things work
> > normally.
> > 
> > I've tried talking to the folks at Acer and they claim there are no
> > problems at their end.  Given that I also have no problems when outside
> > ISA I tend to accept this.
> > 
> > Access to Acer's various sites is pretty much business-critical so I'm
> > really getting hassled by staff here.  I really don't want to move
> > workstations on to the 'external' network so I'm trying to understand
> > what is going on.
> > 
> > I ran a query in ISA while running the above tests and aside from seeing
> > SSL-tunnel failing to connect I didn't see any denied connections or
> > errors showing.  My filter was basically for a log record type of
> > firewall or web proxy filter with a client IP of the workstation I'm
> > doing the testing on.  I've tested using both IE (v6) and Firefox.  I'm
> > satisfied that the workstation I'm testing on is working normally but
> > have also tested with similar results on two other workstations.
> > 
> > Hope that offers a little more information...
> > 
> > David
> >  
> > 
> >  > -----Original Message-----
> >  > From: isalist-bounce@xxxxxxxxxxxxx 
> >  > [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> >  > Sent: Tuesday, 22 May 2007 10:58 AM
> >  > To: isalist@xxxxxxxxxxxxx
> >  > Subject: [isalist] Re: SSL-tunnel - Failed Connection Attempt
> >  > 
> >  > What happens when you click Shop Acer? For me a new window is launched
> >  > and it's http, not https. Given this I would be looking first at browser
> >  > settings.
> >  > 
> >  > Amy
> >  > 
> >  > -----Original Message-----
> >  > From: isalist-bounce@xxxxxxxxxxxxx 
> >  > [mailto:isalist-bounce@xxxxxxxxxxxxx]
> >  > On Behalf Of David Freeman
> >  > Sent: Monday, May 21, 2007 8:32 PM
> >  > To: isalist@xxxxxxxxxxxxx
> >  > Subject: [isalist] SSL-tunnel - Failed Connection Attempt
> >  > 
> >  > Hi All
> >  > 
> >  > I'm running ISA 2004 on an SBS 2003 (not R2) box.
> >  > 
> >  > There haven't been any changes to the server for the past 30 days.
> >  > 
> >  > In the past two weeks, a web site that we use stopped working (their
> >  > end, was offline then came back online).  Since they came back online
> >  > we've been unable to access the site.
> >  > 
> >  > I set up a workstation outside my ISA protected network and tested - the
> >  > site will load normally.  It does not load inside the ISA protected
> >  > network.
> >  > 
> >  > I set up a filter for one of my workstations and attempted to connect to
> >  > the site.  The only failure I'm seeing is for a port 443 connection.  It
> >  > identifies the protocol as SSL-tunnel and has an action of "Failed
> >  > Connection Attempt".  ISA identifies the rule as "SBS Internet Access
> >  > Rule".
> >  > 
> >  > My current "SBS Internet Access Rule" is set to allow HTTP and HTTPS
> >  > from all protected networks to external networks for SBS internet users.
> >  > 
> >  > There are no problems accessing other sites using HTTPS (including
> >  > internet banking sites) from ISA protected workstations, only this
> >  > particular site.
> >  > 
> >  > Just been checking with other staff here - the exact same error can be
> >  > seen by going to http://www.acer.com.au/ and selecting the "ShopAcer"
> >  > link on the left hand side (actual site I'd noted the problem with is
> >  > Acer's wholesale e-commerce site).
> >  > 
> >  > Any assistance or ideas on how to proceed very much appreciated.
> >  > 
> >  > Aside from adding a couple of rules for Citrix my ISA 2004 is running
> >  > pretty much vanilla default rules set up as part of the SBS install.
> >  > 
> >  > David
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
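Added example, not part of the thread and not ISA or ClearTunnel code: a small Python parser that makes Jim Harrison's point concrete. When a client goes through ISA with an SSL-tunnel (CONNECT) rather than bridging, the only plaintext the firewall ever sees inside the tunnel is the TLS handshake, so the most it can log about a session is the CONNECT target plus, if the client sends one, the SNI host name from the ClientHello; the HTTP request and the page that comes back are encrypted end to end, which is why they cannot be cached or inspected. The ClientHello bytes below are constructed in the block rather than taken from a capture, the function names are mine, and the host name is the one from David's post.

```python
import struct

TLS_HANDSHAKE = 0x16      # record content type for handshake messages
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type


def build_client_hello(host=None):
    """Construct a minimal TLS 1.2 ClientHello record (a constructed sample, not a capture).

    If host is given, an SNI extension carrying it is appended after another
    extension, so the parser has to skip one it does not care about.
    """
    # signature_algorithms (type 0x000d) with a single entry: filler for the parser to skip
    exts = struct.pack("!HH", 0x000D, 4) + b"\x00\x02\x04\x01"
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        exts += (struct.pack("!HH", EXT_SERVER_NAME, len(entry) + 2)
                 + struct.pack("!H", len(entry)) + entry)
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + bytes(32)                                   # random (all zeros in this sample)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"  # two cipher suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def is_client_hello(data):
    """True if data starts with a TLS handshake record whose first message is a ClientHello."""
    return (len(data) >= 6 and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[5] == CLIENT_HELLO)


def extract_sni(record):
    """Return the SNI host_name from a ClientHello record, or None if the client sent none.

    Raises ValueError if the bytes are not a well-formed ClientHello. Everything this
    function reads is plaintext; the HTTP request that follows the handshake is not.
    """
    if not is_client_hello(record):
        raise ValueError("not a TLS ClientHello record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    try:
        pos = 2 + 32                                          # client_version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        if pos == len(body):
            return None                                       # no extensions block at all
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return edata[q:q + nlen].decode("ascii")
                q += nlen
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    return None


def tunnel_view(connect_target, first_client_bytes):
    """Everything a tunnelling (non-bridging) proxy can log for one CONNECT: the target
    it was asked for and, if the client sent one, the SNI. Nothing else is visible."""
    sni = extract_sni(first_client_bytes) if is_client_hello(first_client_bytes) else None
    return {"connect_target": connect_target, "sni": sni}
```

The no-SNI branch is the realistic one for the setup in this thread: IE 6 on Windows XP does not send SNI at all, so for those clients the CONNECT target in the SSL-tunnel log line is the only destination information ISA has, and a network capture taken on the external interface is the way to see which end is producing the "Site is currently down" page. A bridging product such as the ClearTunnel described above changes this picture entirely, because the firewall then holds the plaintext and presents its own certificate to the client.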
