[isapros] Re: Fw: Re: Web Filter with HTTPS

From: "Thor \(Hammer of God\)" <thor@xxxxxxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Date: Wed, 20 Jun 2007 17:46:29 -0700
Re: [isapros] Re: Fw: Re: Web Filter with HTTPSBottom line on this - tell me:

If you have "Web Filter" bound to HTTPS, can you make outbound HTTPS 
connections?

That's really the whole question.  On the network we're seeing this on, you 
cannot make outbound HTTPS connections if "Web Filter" is bound to HTTPS.  
Let's start off in a simple manner, and see if that point is true or not in 
your config please...

t
  ----- Original Message ----- 
  From: Thomas W Shinder 
  To: isapros@xxxxxxxxxxxxx 
  Sent: Wednesday, June 20, 2007 5:41 PM
  Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS


  That should say:

  "When you unbind the Web Proxy Filter from the HTTP protocol......."

  whopps.

  Thomas W Shinder, M.D.
  Site: www.isaserver.org
  Blog: http://blogs.isaserver.org/shinder/
  Book: http://tinyurl.com/3xqb7
  MVP -- Microsoft Firewalls (ISA)





----------------------------------------------------------------------------
    From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
    Sent: Wednesday, June 20, 2007 7:37 PM
    To: isapros@xxxxxxxxxxxxx
    Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS


    No, you need to configure the HTTP Security Filter, and in order to 
configured the HTTP Security Filter, the Web Proxy Filter must be enabled.

    Its always enabled for Web listeners

    It can unbound from the HTTP protocol, in which case the configuration 
interface for the HTTP Security Filter disappears, but you configuration 
changes remain intact.

    When you unbind the Web proxy filter from the HTTPS protocol, no Web 
caching or filtering is done for Firewall clients or SecureNAT clients.

    Web proxy clients are always exposed to the Web proxy filter, even if you 
unbind it from the HTTP protocol.

    How's that?

    Thomas W Shinder, M.D.
    Site: www.isaserver.org
    Blog: http://blogs.isaserver.org/shinder/
    Book: http://tinyurl.com/3xqb7
    MVP -- Microsoft Firewalls (ISA)





--------------------------------------------------------------------------
      From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] 
On Behalf Of Gerald G. Young
      Sent: Wednesday, June 20, 2007 5:06 PM
      To: isapros@xxxxxxxxxxxxx
      Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS


      If you're just publishing OWA and an RPC proxy over HTTPS, isn't any 
filter configuration automatically handled by ISA when running the Publish Mail 
Server wizard?  As I understood it, ISA knows that stuff inherently; no 
configuration necessary.

      Cordially yours,
      Jerry G. Young II  ++ Sent from BlackBerry ++
      Application Engineer
      Platform Engineering and Architecture
      NTT America, an NTT Communications Company

      22451 Shaw Rd.
      Sterling, VA 20166

      Office: 571-434-1319
      Fax: 703-333-6749
      Email: g.young@xxxxxxxx


      -----Original Message-----
      From: isapros-bounce@xxxxxxxxxxxxx <isapros-bounce@xxxxxxxxxxxxx>
      To: isapros@xxxxxxxxxxxxx <isapros@xxxxxxxxxxxxx>
      Sent: Wed Jun 20 17:52:18 2007
      Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS

      We're all pendants here ;)

      Here is my specific question then:

      I want to publish HTTPS ie OWA for RPC and HTTPS.  I obviously need to
      configure the HTTP Filter properties.  If I have the Web Filter bound to
      HTTPS (iow, selected in the available filters under the protocl config) 
then
      ALL outbound HTTPS traffic breaks.  Therefore, one has to un-bind the Web
      Filter from HTTPS for outbound to work (on this install).

      Ergo, since the Web Filter is not bound to the HTTPS protocol (in order 
for
      outbound to work), there is no way to select "Configure HTTP" from the
      properties of the web publishing rule.

      FromwhenthouNowThinketh, WTF is the deal on what properties of the filter
      are applied?  See what I mean??

      t

      ----- Original Message -----
      From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
      To: <isapros@xxxxxxxxxxxxx>
      Sent: Wednesday, June 20, 2007 2:31 PM
      Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS


      > Not to be pedantic, but the published traffic being handled by the web
      > proxy isn't "HTTPS", it's "HTTP inside SSL" and ISA handles each layer
      > separately.  By the time the web proxy is evaluating the HTTP traffic,
      > SSL is no longer a factor and it gets treated just like "plain old" HTTP
      > traffic.
      >
      > -----Original Message-----
      > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
      > On Behalf Of Thor (Hammer of God)
      > Sent: Wednesday, June 20, 2007 2:26 PM
      > To: isapros@xxxxxxxxxxxxx
      > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
      >
      > Then how do you configure the HTTP filtering on web pub rules if the Web
      >
      > Filter is not bound to HTTPS?
      >
      > t
      > ----- Original Message -----
      > From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
      > To: <isapros@xxxxxxxxxxxxx>
      > Sent: Wednesday, June 20, 2007 2:24 PM
      > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
      >
      >
      >> Sorta..
      >> if it's a web pub rule, then the web proxy is already involved and no
      >> "protocol binding" is required.
      >> If it's a server pub rule, then ISA is effectively blind to the
      > traffic
      >> anyway.
      >>
      >> -----Original Message-----
      >> From: isapros-bounce@xxxxxxxxxxxxx
      > [mailto:isapros-bounce@xxxxxxxxxxxxx]
      >> On Behalf Of Thor (Hammer of God)
      >> Sent: Wednesday, June 20, 2007 2:05 PM
      >> To: isapros@xxxxxxxxxxxxx
      >> Subject: [isapros] Fw: Re: Web Filter with HTTPS
      >>
      >> OK, so you are saying that if I unbind the Web Filter from HTTPS, and
      >> create
      >> a pub rule for HTTPS, then the filter will still be used for the Pub
      >> rule?
      >>
      >> t
      >>
      >>
      >> -----Original Message-----
      >> From: isapros-bounce@xxxxxxxxxxxxx
      > [mailto:isapros-bounce@xxxxxxxxxxxxx]
      >> On Behalf Of Jim Harrison
      >> Sent: Wednesday, June 20, 2007 5:43 PM
      >> To: isapros@xxxxxxxxxxxxx
      >> Subject: [isapros] Re: Web Filter with HTTPS
      >>
      >> The web filter is the part that expects to watch the HTTP traffic as
      > it
      >> flows through ISA.
      >> With the exception of web publishing, HTTPS traffic is effectively
      >> invisible to ISA and therefore any policies enacted via the web filter
      >> (think HTTP Filter, too) cannot be applied and ISA will default to
      > "when
      >> in doubt, trash it" mode.
      >>
      >> -----Original Message-----
      >> From: isapros-bounce@xxxxxxxxxxxxx
      > [mailto:isapros-bounce@xxxxxxxxxxxxx]
      >> On Behalf Of Thor (Hammer of God)
      >> Sent: Wednesday, June 20, 2007 1:15 PM
      >> To: isapros@xxxxxxxxxxxxx
      >> Subject: [isapros] Web Filter with HTTPS
      >>
      >> Just a sanity check here... why would all HTTPS traffic fail if the
      > Web
      >> Filter was bound to the HTTPS protocol?
      >>
      >> t
      >>
      >> All mail to and from this domain is GFI-scanned.
      >>
      >>
      >>
      >>
      >> All mail to and from this domain is GFI-scanned.
      >>
      >>
      >
      >
      >
      > All mail to and from this domain is GFI-scanned.
      >
      >
Follow-Ups:

[isapros] Re: Fw: Re: Web Filter with HTTPS
From: Jim Harrison
References:
- [isapros] Re: Fw: Re: Web Filter with HTTPS
  - From: Thomas W Shinder
[isapros] Re: Fw: Re: Web Filter with HTTPS

Other related posts:
