Re: https is not working

  • From: "Steve Bostedor" <Steveb@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 14 May 2002 19:44:11 -0400

Ok, I'm still working on the same problem.  I've created a protocol rule to 
allow complete access to all protocols and made it apply to a destination set 
that included every computer in the plant.  I, then, made a s/c rule to allow 
all content for the same group of computers.  Then, I created another s/c rule 
that denied access to .exe files.  See, the real goal here is to make an "allow 
all except what I deny" type of outbound rule set.  I'm trying to understand 
the order of which the allow/deny rules are applied.  Keep in mind that all 
computers have the firewall client installed and I have auto-detect set up 
using wpad.  I also own "The Book" and I am thumbing through it as I am waiting 
for replies.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, May 14, 2002 4:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: https is not working


http://www.ISAserver.org


..luck-o-the-draw...

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!
----- Original Message -----
From: "Steve Bostedor" <Steveb@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, May 14, 2002 1:16 PM
Subject: [isalist] Re: https is not working


http://www.ISAserver.org


Wow, that was a fast response!

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, May 14, 2002 4:07 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: https is not working


http://www.ISAserver.org


SSL connections can't be content-limited because it's impossible for ISA to
determine what's being passed between the client and server.
Once the connection is made between them, it's encrypted and thus invisible
to ISA.
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
Read the books!
----- Original Message -----
From: "Steve Bostedor" <Steveb@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, May 14, 2002 1:03 PM
Subject: [isalist] https is not working


http://www.ISAserver.org


This is weird.  For the longest time, this company has been using the ISA
server as a basic SNAT router.  It had full outside access to their entire
plant.  I am attempting to move everything to a per user basis.  I have
given GroupA access to all protocols at the firewall layer (for testing).  I
set up an application filter to allow only HTTP, HTTPS, Images, and text.
Regular web pages work just fine.  The moment that someone visits a HTTPS
site, though, the ISA server prompts them for authentication.
For the sake of troubleshooting, I selected the radio button that told the
application filter to allow all content groups.  After trying again on the
client computer, they where able to access the HTTPS site.  Curiously, I
went back to the ISA server and selected every individual content group (all
of the canned ones), then went back and tried again.  This time it failed.
If the radio button to allow all content groups works, but individually
selecting all of the content groups does not, what can be the missing piece
needed to allow SSL communication?  These SSL sites are just every day ones
like hotmail and con-way.com.  Does anyone have a clue?

Thanks!
Steve Bostedor


------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')



------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
junk@xxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')



------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
junk@xxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

Other related posts:

  1. Home
  2. isalist
  3. Archive
  4. 05-2002