[isapros] Re: Fw: Re: Web Filter with HTTPS

I was totally wrong about the entire thing...

In the config I was working on, HTTP was un-bound from the Web Filter. I apparently got crossed up in my testing with it being on or off, and I screwed myself.

Binding of the Web Filter to HTTPS has no affect on the ability to "Configure HTTP." Only binding of the Web Filter to HTTP does.

I very much appreciate everyone's patience in working through this, otherwise I would have just assumed there was some Voodoo going on and blame everyone by myself.

All that being said, you shouldn't be able to bind the Web Filter to HTTPS, or if you do, it shouldn't break things knowing what we know ;)

Thanks guys.
t


----- Original Message ----- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Wednesday, June 20, 2007 6:07 PM
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS


Remember that the *type* of rule is important.

Access Rules -- Web Proxy filter unbound from HTTP, then no HTTP
Security Filter configuration

Web Publishing Rules -- Web Proxy filter unbound from HTTP, then no HTTP
Security Filter configuration

Web Publishing Rules apply the settings in the HTTP Security Filter
because ISA has access to the unencrypted HTTP since the SSL connection
terminates at the ISA firewall

Access Rules does not use the Web Proxy filter or the HTTP Security
Filter, since the SSL connection doesn't terminate at the ISA Firewall
for outbound connections.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)



-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
(Hammer of God)
Sent: Wednesday, June 20, 2007 8:03 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS

That's what I was on about...

However, things have changed now.  I can indeed configure
HTTP on a HTTPS
rule even though HTTPS had "Web Filter" disabled.  However, I
can't if HTTP
has "Web Filter" unbound.  Both Steve and I saw this, but I'm
not going to
blame ISA voodoo for that:  I guess we still had HTTP
unbound- but I would
swear we didn't.  I'll take one for the home team on that one.

I'm going to have to write up a check-list and go through
again before I
continue on here.

t


----- Original Message ----- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Wednesday, June 20, 2007 5:55 PM
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS


Hey Jim,

Actually, if you unbind the Web Proxy Filter from the HTTP
protocol, the
HTTP Security Filter configuration option goes away. I
reported this bug
when ISA 2004 was in early beta. Never got fixed.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)



> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Wednesday, June 20, 2007 7:52 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
> No.
> Yes.
> Maybe.
>
> The HTTPS protocol handles traffic destined for "port 443".  This
> protocol definition is applied to SecureNET and FWC traffic *only*.
> CERN proxy client requests are handled by the Web Proxy
Filter, which
> natively understands HTTP and FTP as well as how to handle
SSL tunnels
> for HTTP.  It *does not* use the protocol HTTP/HTTPS definitions.
> If you bind the Web Proxy Filter to a non-cleartext HTTP
> protocol or any
> non-HTTP protocol, the Web Proxy filter will poop loudly in your
> Cheerios.
>
> As far as your inability to "configure HTTP" in your web publisihing
> rules, I'd still like a TS to your machine. - something is very much
> amiss.
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thor (Hammer of God)
> Sent: Wednesday, June 20, 2007 5:46 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
> Bottom line on this - tell me:
>
> If you have "Web Filter" bound to HTTPS, can you make outbound HTTPS
> connections?
>
> That's really the whole question.  On the network we're
> seeing this on,
> you cannot make outbound HTTPS connections if "Web Filter"
is bound to
> HTTPS.  Let's start off in a simple manner, and see if that point is
> true or not in your config please...
>
> t
>
> ----- Original Message ----- > From: Thomas W Shinder <mailto:tshinder@xxxxxxxxxxx>
> To: isapros@xxxxxxxxxxxxx
> Sent: Wednesday, June 20, 2007 5:41 PM
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
> That should say:
>
> "When you unbind the Web Proxy Filter from the HTTP
> protocol......."
>
> whopps.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> MVP -- Microsoft Firewalls (ISA)
>
>
>
>
> ________________________________
>
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Wednesday, June 20, 2007 7:37 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
>
> No, you need to configure the HTTP Security Filter, and
> in order to configured the HTTP Security Filter, the Web
Proxy Filter
> must be enabled.
>
> Its always enabled for Web listeners
>
> It can unbound from the HTTP protocol, in which case the
> configuration interface for the HTTP Security Filter
> disappears, but you
> configuration changes remain intact.
>
> When you unbind the Web proxy filter from the HTTPS
> protocol, no Web caching or filtering is done for Firewall
clients or
> SecureNAT clients.
>
> Web proxy clients are always exposed to the Web proxy
> filter, even if you unbind it from the HTTP protocol.
>
> How's that?
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> <http://tinyurl.com/3xqb7>
> MVP -- Microsoft Firewalls (ISA)
>
>
>
>
> ________________________________
>
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
> Sent: Wednesday, June 20, 2007 5:06 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Fw: Re: Web Filter with
> HTTPS
>
>
>
> If you're just publishing OWA and an RPC proxy
> over HTTPS, isn't any filter configuration automatically
> handled by ISA
> when running the Publish Mail Server wizard?  As I
understood it, ISA
> knows that stuff inherently; no configuration necessary.
>
> Cordially yours,
> Jerry G. Young II  ++ Sent from BlackBerry ++
> Application Engineer
> Platform Engineering and Architecture
> NTT America, an NTT Communications Company
>
> 22451 Shaw Rd.
> Sterling, VA 20166
>
> Office: 571-434-1319
> Fax: 703-333-6749
> Email: g.young@xxxxxxxx
>
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> <isapros-bounce@xxxxxxxxxxxxx>
> To: isapros@xxxxxxxxxxxxx
> <isapros@xxxxxxxxxxxxx>
> Sent: Wed Jun 20 17:52:18 2007
> Subject: [isapros] Re: Fw: Re: Web Filter with
> HTTPS
>
> We're all pendants here ;)
>
> Here is my specific question then:
>
> I want to publish HTTPS ie OWA for RPC and
> HTTPS.  I obviously need to
> configure the HTTP Filter properties.  If I have
> the Web Filter bound to
> HTTPS (iow, selected in the available filters
> under the protocl config) then
> ALL outbound HTTPS traffic breaks.  Therefore,
> one has to un-bind the Web
> Filter from HTTPS for outbound to work (on this
> install).
>
> Ergo, since the Web Filter is not bound to the
> HTTPS protocol (in order for
> outbound to work), there is no way to select
> "Configure HTTP" from the
> properties of the web publishing rule.
>
> FromwhenthouNowThinketh, WTF is the deal on what
> properties of the filter
> are applied?  See what I mean??
>
> t
>
> ----- Original Message -----
> From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> To: <isapros@xxxxxxxxxxxxx>
> Sent: Wednesday, June 20, 2007 2:31 PM
> Subject: [isapros] Re: Fw: Re: Web Filter with
> HTTPS
>
>
> > Not to be pedantic, but the published traffic
> being handled by the web
> > proxy isn't "HTTPS", it's "HTTP inside SSL"
> and ISA handles each layer
> > separately.  By the time the web proxy is
> evaluating the HTTP traffic,
> > SSL is no longer a factor and it gets treated
> just like "plain old" HTTP
> > traffic.
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Thor (Hammer of God)
> > Sent: Wednesday, June 20, 2007 2:26 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Fw: Re: Web Filter with
> HTTPS
> >
> > Then how do you configure the HTTP filtering
> on web pub rules if the Web
> >
> > Filter is not bound to HTTPS?
> >
> > t
> > ----- Original Message -----
> > From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> > To: <isapros@xxxxxxxxxxxxx>
> > Sent: Wednesday, June 20, 2007 2:24 PM
> > Subject: [isapros] Re: Fw: Re: Web Filter with
> HTTPS
> >
> >
> >> Sorta..
> >> if it's a web pub rule, then the web proxy is
> already involved and no
> >> "protocol binding" is required.
> >> If it's a server pub rule, then ISA is
> effectively blind to the
> > traffic
> >> anyway.
> >>
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> On Behalf Of Thor (Hammer of God)
> >> Sent: Wednesday, June 20, 2007 2:05 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Fw: Re: Web Filter with
> HTTPS
> >>
> >> OK, so you are saying that if I unbind the
> Web Filter from HTTPS, and
> >> create
> >> a pub rule for HTTPS, then the filter will
> still be used for the Pub
> >> rule?
> >>
> >> t
> >>
> >>
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> On Behalf Of Jim Harrison
> >> Sent: Wednesday, June 20, 2007 5:43 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: Web Filter with HTTPS
> >>
> >> The web filter is the part that expects to
> watch the HTTP traffic as
> > it
> >> flows through ISA.
> >> With the exception of web publishing, HTTPS
> traffic is effectively
> >> invisible to ISA and therefore any policies
> enacted via the web filter
> >> (think HTTP Filter, too) cannot be applied
> and ISA will default to
> > "when
> >> in doubt, trash it" mode.
> >>
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> On Behalf Of Thor (Hammer of God)
> >> Sent: Wednesday, June 20, 2007 1:15 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Web Filter with HTTPS
> >>
> >> Just a sanity check here... why would all
> HTTPS traffic fail if the
> > Web
> >> Filter was bound to the HTTPS protocol?
> >>
> >> t
> >>
> >> All mail to and from this domain is
> GFI-scanned.
> >>
> >>
> >>
> >>
> >> All mail to and from this domain is
> GFI-scanned.
> >>
> >>
> >
> >
> >
> > All mail to and from this domain is
> GFI-scanned.
> >
> >
>
>
>
>
>
> All mail to and from this domain is GFI-scanned.
>
>
>
>






Other related posts: