[isapros] Re: Fw: Re: Web Filter with HTTPS

From: "Thor \(Hammer of God\)" <thor@xxxxxxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Date: Thu, 21 Jun 2007 08:26:02 -0700

I just had to kick the perms!

t

----- Original Message -----From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>

To: <isapros@xxxxxxxxxxxxx>
Sent: Thursday, June 21, 2007 7:47 AM
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS


Nope, no kicks. You asked a good question, followed up on answers, and
came to a conclusion by asking follow up questions that helped hone down

to the problem.

Now, if you had said "ISA broke my Internet" that would be another
matter ;)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

-----Original Message-----

From: isapros-bounce@xxxxxxxxxxxxx[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor(Hammer of God)

Sent: Thursday, June 21, 2007 9:25 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS

What, no kicks in the groin? I was sure that I'd at leasttake one in thelads from Stevo.... ;)

----- Original Message -----From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>

To: <isapros@xxxxxxxxxxxxx>
Sent: Wednesday, June 20, 2007 7:15 PM
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS


>I was totally wrong about the entire thing...
>

> In the config I was working on, HTTP was un-bound from theWeb Filter. I> apparently got crossed up in my testing with it being on oroff, and I> screwed myself.

> Binding of the Web Filter to HTTPS has no affect on the ability to> "Configure HTTP." Only binding of the Web Filter to HTTP does.

> I very much appreciate everyone's patience in working through this,> otherwise I would have just assumed there was some Voodoogoing on and> blame everyone by myself.

> All that being said, you shouldn't be able to bind the WebFilter to> HTTPS, or if you do, it shouldn't break things knowing whatwe know ;)

>
> Thanks guys.
> t
>
>

> ----- Original Message -----> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>

> To: <isapros@xxxxxxxxxxxxx>
> Sent: Wednesday, June 20, 2007 6:07 PM
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
>
> Remember that the *type* of rule is important.
>
> Access Rules -- Web Proxy filter unbound from HTTP, then no HTTP
> Security Filter configuration
>

> Web Publishing Rules -- Web Proxy filter unbound from HTTP,then no HTTP

> Security Filter configuration
>
> Web Publishing Rules apply the settings in the HTTP Security Filter

> because ISA has access to the unencrypted HTTP since theSSL connection

> terminates at the ISA firewall
>
> Access Rules does not use the Web Proxy filter or the HTTP Security

> Filter, since the SSL connection doesn't terminate at theISA Firewall

> for outbound connections.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
>
>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>> (Hammer of God)
>> Sent: Wednesday, June 20, 2007 8:03 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>>
>> That's what I was on about...
>>
>> However, things have changed now.  I can indeed configure
>> HTTP on a HTTPS
>> rule even though HTTPS had "Web Filter" disabled.  However, I
>> can't if HTTP
>> has "Web Filter" unbound.  Both Steve and I saw this, but I'm
>> not going to
>> blame ISA voodoo for that:  I guess we still had HTTP
>> unbound- but I would
>> swear we didn't.  I'll take one for the home team on that one.
>>
>> I'm going to have to write up a check-list and go through
>> again before I
>> continue on here.
>>
>> t
>>
>>

>> ----- Original Message ----->> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>

>> To: <isapros@xxxxxxxxxxxxx>
>> Sent: Wednesday, June 20, 2007 5:55 PM
>> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>>
>>
>> Hey Jim,
>>
>> Actually, if you unbind the Web Proxy Filter from the HTTP
>> protocol, the
>> HTTP Security Filter configuration option goes away. I
>> reported this bug
>> when ISA 2004 was in early beta. Never got fixed.
>>
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://blogs.isaserver.org/shinder/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- Microsoft Firewalls (ISA)
>>
>>
>>
>> > -----Original Message-----
>> > From: isapros-bounce@xxxxxxxxxxxxx
>> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>> > Sent: Wednesday, June 20, 2007 7:52 PM
>> > To: isapros@xxxxxxxxxxxxx
>> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>> >
>> > No.
>> > Yes.
>> > Maybe.
>> >
>> > The HTTPS protocol handles traffic destined for "port 443".  This

>> > protocol definition is applied to SecureNET and FWCtraffic *only*.

>> > CERN proxy client requests are handled by the Web Proxy
>> Filter, which
>> > natively understands HTTP and FTP as well as how to handle
>> SSL tunnels
>> > for HTTP.  It *does not* use the protocol HTTP/HTTPS definitions.
>> > If you bind the Web Proxy Filter to a non-cleartext HTTP
>> > protocol or any
>> > non-HTTP protocol, the Web Proxy filter will poop loudly in your
>> > Cheerios.
>> >

>> > As far as your inability to "configure HTTP" in your webpublisihing>> > rules, I'd still like a TS to your machine. - somethingis very much

>> > amiss.
>> >
>> > -----Original Message-----
>> > From: isapros-bounce@xxxxxxxxxxxxx
>> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> > On Behalf Of Thor (Hammer of God)
>> > Sent: Wednesday, June 20, 2007 5:46 PM
>> > To: isapros@xxxxxxxxxxxxx
>> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>> >
>> > Bottom line on this - tell me:
>> >

>> > If you have "Web Filter" bound to HTTPS, can you makeoutbound HTTPS

>> > connections?
>> >
>> > That's really the whole question.  On the network we're
>> > seeing this on,
>> > you cannot make outbound HTTPS connections if "Web Filter"
>> is bound to

>> > HTTPS. Let's start off in a simple manner, and see ifthat point is

>> > true or not in your config please...
>> >
>> > t
>> >

>> > ----- Original Message ----->> > From: Thomas W Shinder <mailto:tshinder@xxxxxxxxxxx>

>> > To: isapros@xxxxxxxxxxxxx
>> > Sent: Wednesday, June 20, 2007 5:41 PM
>> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>> >
>> > That should say:
>> >
>> > "When you unbind the Web Proxy Filter from the HTTP
>> > protocol......."
>> >
>> > whopps.
>> >
>> > Thomas W Shinder, M.D.
>> > Site: www.isaserver.org
>> > Blog: http://blogs.isaserver.org/shinder/
>> > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
>> > MVP -- Microsoft Firewalls (ISA)
>> >
>> >
>> >
>> >
>> > ________________________________
>> >
>> > From: isapros-bounce@xxxxxxxxxxxxx

>> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf OfThomas W Shinder

>> > Sent: Wednesday, June 20, 2007 7:37 PM
>> > To: isapros@xxxxxxxxxxxxx
>> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>> >
>> >
>> > No, you need to configure the HTTP Security Filter, and
>> > in order to configured the HTTP Security Filter, the Web
>> Proxy Filter
>> > must be enabled.
>> >
>> > Its always enabled for Web listeners
>> >
>> > It can unbound from the HTTP protocol, in which case the
>> > configuration interface for the HTTP Security Filter
>> > disappears, but you
>> > configuration changes remain intact.
>> >
>> > When you unbind the Web proxy filter from the HTTPS
>> > protocol, no Web caching or filtering is done for Firewall
>> clients or
>> > SecureNAT clients.
>> >
>> > Web proxy clients are always exposed to the Web proxy
>> > filter, even if you unbind it from the HTTP protocol.
>> >
>> > How's that?
>> >
>> > Thomas W Shinder, M.D.
>> > Site: www.isaserver.org <http://www.isaserver.org/>
>> > Blog: http://blogs.isaserver.org/shinder/
>> > Book: http://tinyurl.com/3xqb7
>> > <http://tinyurl.com/3xqb7>
>> > MVP -- Microsoft Firewalls (ISA)
>> >
>> >
>> >
>> >
>> > ________________________________
>> >
>> > From: isapros-bounce@xxxxxxxxxxxxx

>> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf OfGerald G. Young

>> > Sent: Wednesday, June 20, 2007 5:06 PM
>> > To: isapros@xxxxxxxxxxxxx
>> > Subject: [isapros] Re: Fw: Re: Web Filter with
>> > HTTPS
>> >
>> >
>> >
>> > If you're just publishing OWA and an RPC proxy
>> > over HTTPS, isn't any filter configuration automatically
>> > handled by ISA
>> > when running the Publish Mail Server wizard?  As I
>> understood it, ISA
>> > knows that stuff inherently; no configuration necessary.
>> >
>> > Cordially yours,
>> > Jerry G. Young II  ++ Sent from BlackBerry ++
>> > Application Engineer
>> > Platform Engineering and Architecture
>> > NTT America, an NTT Communications Company
>> >
>> > 22451 Shaw Rd.
>> > Sterling, VA 20166
>> >
>> > Office: 571-434-1319
>> > Fax: 703-333-6749
>> > Email: g.young@xxxxxxxx
>> >
>> >
>> > -----Original Message-----
>> > From: isapros-bounce@xxxxxxxxxxxxx
>> > <isapros-bounce@xxxxxxxxxxxxx>
>> > To: isapros@xxxxxxxxxxxxx
>> > <isapros@xxxxxxxxxxxxx>
>> > Sent: Wed Jun 20 17:52:18 2007
>> > Subject: [isapros] Re: Fw: Re: Web Filter with
>> > HTTPS
>> >
>> > We're all pendants here ;)
>> >
>> > Here is my specific question then:
>> >
>> > I want to publish HTTPS ie OWA for RPC and
>> > HTTPS.  I obviously need to
>> > configure the HTTP Filter properties.  If I have
>> > the Web Filter bound to
>> > HTTPS (iow, selected in the available filters
>> > under the protocl config) then
>> > ALL outbound HTTPS traffic breaks.  Therefore,
>> > one has to un-bind the Web
>> > Filter from HTTPS for outbound to work (on this
>> > install).
>> >
>> > Ergo, since the Web Filter is not bound to the
>> > HTTPS protocol (in order for
>> > outbound to work), there is no way to select
>> > "Configure HTTP" from the
>> > properties of the web publishing rule.
>> >
>> > FromwhenthouNowThinketh, WTF is the deal on what
>> > properties of the filter
>> > are applied?  See what I mean??
>> >
>> > t
>> >
>> > ----- Original Message -----
>> > From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
>> > To: <isapros@xxxxxxxxxxxxx>
>> > Sent: Wednesday, June 20, 2007 2:31 PM
>> > Subject: [isapros] Re: Fw: Re: Web Filter with
>> > HTTPS
>> >
>> >
>> > > Not to be pedantic, but the published traffic
>> > being handled by the web
>> > > proxy isn't "HTTPS", it's "HTTP inside SSL"
>> > and ISA handles each layer
>> > > separately.  By the time the web proxy is
>> > evaluating the HTTP traffic,
>> > > SSL is no longer a factor and it gets treated
>> > just like "plain old" HTTP
>> > > traffic.
>> > >
>> > > -----Original Message-----
>> > > From: isapros-bounce@xxxxxxxxxxxxx
>> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> > > On Behalf Of Thor (Hammer of God)
>> > > Sent: Wednesday, June 20, 2007 2:26 PM
>> > > To: isapros@xxxxxxxxxxxxx
>> > > Subject: [isapros] Re: Fw: Re: Web Filter with
>> > HTTPS
>> > >
>> > > Then how do you configure the HTTP filtering
>> > on web pub rules if the Web
>> > >
>> > > Filter is not bound to HTTPS?
>> > >
>> > > t
>> > > ----- Original Message -----
>> > > From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
>> > > To: <isapros@xxxxxxxxxxxxx>
>> > > Sent: Wednesday, June 20, 2007 2:24 PM
>> > > Subject: [isapros] Re: Fw: Re: Web Filter with
>> > HTTPS
>> > >
>> > >
>> > >> Sorta..
>> > >> if it's a web pub rule, then the web proxy is
>> > already involved and no
>> > >> "protocol binding" is required.
>> > >> If it's a server pub rule, then ISA is
>> > effectively blind to the
>> > > traffic
>> > >> anyway.
>> > >>
>> > >> -----Original Message-----
>> > >> From: isapros-bounce@xxxxxxxxxxxxx
>> > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> > >> On Behalf Of Thor (Hammer of God)
>> > >> Sent: Wednesday, June 20, 2007 2:05 PM
>> > >> To: isapros@xxxxxxxxxxxxx
>> > >> Subject: [isapros] Fw: Re: Web Filter with
>> > HTTPS
>> > >>
>> > >> OK, so you are saying that if I unbind the
>> > Web Filter from HTTPS, and
>> > >> create
>> > >> a pub rule for HTTPS, then the filter will
>> > still be used for the Pub
>> > >> rule?
>> > >>
>> > >> t
>> > >>
>> > >>
>> > >> -----Original Message-----
>> > >> From: isapros-bounce@xxxxxxxxxxxxx
>> > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> > >> On Behalf Of Jim Harrison
>> > >> Sent: Wednesday, June 20, 2007 5:43 PM
>> > >> To: isapros@xxxxxxxxxxxxx
>> > >> Subject: [isapros] Re: Web Filter with HTTPS
>> > >>
>> > >> The web filter is the part that expects to
>> > watch the HTTP traffic as
>> > > it
>> > >> flows through ISA.
>> > >> With the exception of web publishing, HTTPS
>> > traffic is effectively
>> > >> invisible to ISA and therefore any policies
>> > enacted via the web filter
>> > >> (think HTTP Filter, too) cannot be applied
>> > and ISA will default to
>> > > "when
>> > >> in doubt, trash it" mode.
>> > >>
>> > >> -----Original Message-----
>> > >> From: isapros-bounce@xxxxxxxxxxxxx
>> > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> > >> On Behalf Of Thor (Hammer of God)
>> > >> Sent: Wednesday, June 20, 2007 1:15 PM
>> > >> To: isapros@xxxxxxxxxxxxx
>> > >> Subject: [isapros] Web Filter with HTTPS
>> > >>
>> > >> Just a sanity check here... why would all
>> > HTTPS traffic fail if the
>> > > Web
>> > >> Filter was bound to the HTTPS protocol?
>> > >>
>> > >> t
>> > >>
>> > >> All mail to and from this domain is
>> > GFI-scanned.
>> > >>
>> > >>
>> > >>
>> > >>
>> > >> All mail to and from this domain is
>> > GFI-scanned.
>> > >>
>> > >>
>> > >
>> > >
>> > >
>> > > All mail to and from this domain is
>> > GFI-scanned.
>> > >
>> > >
>> >
>> >
>> >
>> >
>> >
>> > All mail to and from this domain is GFI-scanned.
>> >
>> >
>> >
>> >
>>
>>
>>
>>
>

>

Follow-Ups:

[isapros] Re: Fw: Re: Web Filter with HTTPS
From: Steve Moffat

References:
- [isapros] Re: Fw: Re: Web Filter with HTTPS
  - From: Thomas W Shinder

[isapros] Re: Fw: Re: Web Filter with HTTPS

Other related posts: