[isapros] Re: Fw: Re: Web Filter with HTTPS

OK, that's a good question. What do I mean by still working?
 
Well, I unbind the Web Proxy Filter from the HTTP protocol so that I can
get Direct Access control for SNAT and Firewall clients for problematic
sites.
 
However, I still want my Web Proxy clients to get the benefits of
caching and HTTP content inspection for all those other sites that
aren't a problem.
 
So, before I unbind the Web Proxy filter from the HTTP protocol, I right
click on my rule so that I can access the HTTP Security Filter
configuration interface. After I make the changes to the filter
settings, I save the settings. After the changes are saved, I unbind the
Web Proxy filter from the HTTP protocol and save that. Now the
configuration interface for the HTTP security filter is gone.
 
However, the settings I made in the filter are still in effect for:
 
* Web Proxy clients
* All Web Publishing Rules -- because the Web listener is always using
the Web Proxy filter
 
Make sense?
 
Tom
 
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
MVP -- Microsoft Firewalls (ISA)

 


________________________________

        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
        Sent: Wednesday, June 20, 2007 7:52 PM
        To: isapros@xxxxxxxxxxxxx
        Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
        
        
        Right- so to Jim with his "can2, can2, can2" i have to say, "ni"
         
        Can't config HTTP on the rule if HTTP or HTTPS (respectively) is
not bound to "Web Filter."  My machine is not bursted in that regard.
         
        Now, when you say "Still working" what does that mean?  HTTP
Filter configurations are rule-based.  Are you saying if I un-bind Web
Filter from HTTP and HTTPS on a fresh install, and then create a pub
rule, that some "general, default" HTTP filter config is still applied
to Web Pub rules?
         
        t

                ----- Original Message ----- 
                From: Thomas W Shinder <mailto:tshinder@xxxxxxxxxxx>  
                To: isapros@xxxxxxxxxxxxx 
                Sent: Wednesday, June 20, 2007 5:44 PM
                Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS

                When you unbind the Web Proxy filter from the HTTP
protocol your HTTP Security Filter configuration options go away, but
they're still working.
                 
                 
                 
                Thomas W Shinder, M.D.
                Site: www.isaserver.org
                Blog: http://blogs.isaserver.org/shinder/
                Book: http://tinyurl.com/3xqb7
<http://tinyurl.com/3xqb7> 
                MVP -- Microsoft Firewalls (ISA)

                 


________________________________

                        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
                        Sent: Wednesday, June 20, 2007 7:37 PM
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re: Fw: Re: Web Filter with
HTTPS
                        
                        
                        No, you need to configure the HTTP Security
Filter, and in order to configured the HTTP Security Filter, the Web
Proxy Filter must be enabled.
                         
                        Its always enabled for Web listeners
                         
                        It can unbound from the HTTP protocol, in which
case the configuration interface for the HTTP Security Filter
disappears, but you configuration changes remain intact.
                         
                        When you unbind the Web proxy filter from the
HTTPS protocol, no Web caching or filtering is done for Firewall clients
or SecureNAT clients.
                         
                        Web proxy clients are always exposed to the Web
proxy filter, even if you unbind it from the HTTP protocol.
                         
                        How's that?
                         
                        Thomas W Shinder, M.D.
                        Site: www.isaserver.org
<http://www.isaserver.org/> 
                        Blog: http://blogs.isaserver.org/shinder/
                        Book: http://tinyurl.com/3xqb7
<http://tinyurl.com/3xqb7> 
                        MVP -- Microsoft Firewalls (ISA)

                         


________________________________

                                From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
                                Sent: Wednesday, June 20, 2007 5:06 PM
                                To: isapros@xxxxxxxxxxxxx
                                Subject: [isapros] Re: Fw: Re: Web
Filter with HTTPS
                                
                                

                                If you're just publishing OWA and an RPC
proxy over HTTPS, isn't any filter configuration automatically handled
by ISA when running the Publish Mail Server wizard?  As I understood it,
ISA knows that stuff inherently; no configuration necessary.
                                
                                Cordially yours,
                                Jerry G. Young II  ++ Sent from
BlackBerry ++
                                Application Engineer
                                Platform Engineering and Architecture
                                NTT America, an NTT Communications
Company
                                
                                22451 Shaw Rd.
                                Sterling, VA 20166
                                
                                Office: 571-434-1319
                                Fax: 703-333-6749
                                Email: g.young@xxxxxxxx
                                
                                
                                -----Original Message-----
                                From: isapros-bounce@xxxxxxxxxxxxx
<isapros-bounce@xxxxxxxxxxxxx>
                                To: isapros@xxxxxxxxxxxxx
<isapros@xxxxxxxxxxxxx>
                                Sent: Wed Jun 20 17:52:18 2007
                                Subject: [isapros] Re: Fw: Re: Web
Filter with HTTPS
                                
                                We're all pendants here ;)
                                
                                Here is my specific question then:
                                
                                I want to publish HTTPS ie OWA for RPC
and HTTPS.  I obviously need to
                                configure the HTTP Filter properties.
If I have the Web Filter bound to
                                HTTPS (iow, selected in the available
filters under the protocl config) then
                                ALL outbound HTTPS traffic breaks.
Therefore, one has to un-bind the Web
                                Filter from HTTPS for outbound to work
(on this install).
                                
                                Ergo, since the Web Filter is not bound
to the HTTPS protocol (in order for
                                outbound to work), there is no way to
select "Configure HTTP" from the
                                properties of the web publishing rule.
                                
                                FromwhenthouNowThinketh, WTF is the deal
on what properties of the filter
                                are applied?  See what I mean??
                                
                                t
                                
                                ----- Original Message -----
                                From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
                                To: <isapros@xxxxxxxxxxxxx>
                                Sent: Wednesday, June 20, 2007 2:31 PM
                                Subject: [isapros] Re: Fw: Re: Web
Filter with HTTPS
                                
                                
                                > Not to be pedantic, but the published
traffic being handled by the web
                                > proxy isn't "HTTPS", it's "HTTP inside
SSL" and ISA handles each layer
                                > separately.  By the time the web proxy
is evaluating the HTTP traffic,
                                > SSL is no longer a factor and it gets
treated just like "plain old" HTTP
                                > traffic.
                                >
                                > -----Original Message-----
                                > From: isapros-bounce@xxxxxxxxxxxxx [
mailto:isapros-bounce@xxxxxxxxxxxxx]
                                > On Behalf Of Thor (Hammer of God)
                                > Sent: Wednesday, June 20, 2007 2:26 PM
                                > To: isapros@xxxxxxxxxxxxx
                                > Subject: [isapros] Re: Fw: Re: Web
Filter with HTTPS
                                >
                                > Then how do you configure the HTTP
filtering on web pub rules if the Web
                                >
                                > Filter is not bound to HTTPS?
                                >
                                > t
                                > ----- Original Message -----
                                > From: "Jim Harrison"
<Jim@xxxxxxxxxxxx>
                                > To: <isapros@xxxxxxxxxxxxx>
                                > Sent: Wednesday, June 20, 2007 2:24 PM
                                > Subject: [isapros] Re: Fw: Re: Web
Filter with HTTPS
                                >
                                >
                                >> Sorta..
                                >> if it's a web pub rule, then the web
proxy is already involved and no
                                >> "protocol binding" is required.
                                >> If it's a server pub rule, then ISA
is effectively blind to the
                                > traffic
                                >> anyway.
                                >>
                                >> -----Original Message-----
                                >> From: isapros-bounce@xxxxxxxxxxxxx
                                > [mailto:isapros-bounce@xxxxxxxxxxxxx]
                                >> On Behalf Of Thor (Hammer of God)
                                >> Sent: Wednesday, June 20, 2007 2:05
PM
                                >> To: isapros@xxxxxxxxxxxxx
                                >> Subject: [isapros] Fw: Re: Web Filter
with HTTPS
                                >>
                                >> OK, so you are saying that if I
unbind the Web Filter from HTTPS, and
                                >> create
                                >> a pub rule for HTTPS, then the filter
will still be used for the Pub
                                >> rule?
                                >>
                                >> t
                                >>
                                >>
                                >> -----Original Message-----
                                >> From: isapros-bounce@xxxxxxxxxxxxx
                                > [mailto:isapros-bounce@xxxxxxxxxxxxx]
                                >> On Behalf Of Jim Harrison
                                >> Sent: Wednesday, June 20, 2007 5:43
PM
                                >> To: isapros@xxxxxxxxxxxxx
                                >> Subject: [isapros] Re: Web Filter
with HTTPS
                                >>
                                >> The web filter is the part that
expects to watch the HTTP traffic as
                                > it
                                >> flows through ISA.
                                >> With the exception of web publishing,
HTTPS traffic is effectively
                                >> invisible to ISA and therefore any
policies enacted via the web filter
                                >> (think HTTP Filter, too) cannot be
applied and ISA will default to
                                > "when
                                >> in doubt, trash it" mode.
                                >>
                                >> -----Original Message-----
                                >> From: isapros-bounce@xxxxxxxxxxxxx
                                > [mailto:isapros-bounce@xxxxxxxxxxxxx]
                                >> On Behalf Of Thor (Hammer of God)
                                >> Sent: Wednesday, June 20, 2007 1:15
PM
                                >> To: isapros@xxxxxxxxxxxxx
                                >> Subject: [isapros] Web Filter with
HTTPS
                                >>
                                >> Just a sanity check here... why would
all HTTPS traffic fail if the
                                > Web
                                >> Filter was bound to the HTTPS
protocol?
                                >>
                                >> t
                                >>
                                >> All mail to and from this domain is
GFI-scanned.
                                >>
                                >>
                                >>
                                >>
                                >> All mail to and from this domain is
GFI-scanned.
                                >>
                                >>
                                >
                                >
                                >
                                > All mail to and from this domain is
GFI-scanned.
                                >
                                >
                                
                                
                                

JPEG image

Other related posts: