Re: AW: Online Banking Issues
- From: "Jeff Sloan" <jsloan@xxxxxxxxxxxx>
- To: "ISALists" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 26 Jun 2003 09:09:36 -0500
This is what I am suspecting, and I have no problem making a registry = change
for the oddball site, or a config file change if needed for the = same thing,
but for national banking firms, they better get their = 'stuff' strait. They
still say they are working with Microsoft to get it = fixed. I'll let the group
know when they get it fixed, and what they did = if they will tell me.
Jeff Sloan
Network Administrator
Cross Oil Refining & Marketing, Inc.
484 E. 6th St.
Smackover, AR 71762
Phone 870-864-8688
Fax 870-864-8689
Cell 870-866-9941
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, June 26, 2003 9:09 AM
To: Jeff Sloan
Subject: [isalist] Re: AW: Online Banking Issues
http://www.ISAserver.org
Hi Jeff,
The problem is that while the ISA firewall is RFC compliant, you have a lot of
jokers out there who run Web servers that conform to no standard other than "it
seemed like a good idea at the time". The thing about firewalls is that they're
security devices, no convenience devices. There is a direct inverse correlation
between security and accessibility. But Registry and config file changes are
part and parcel of every site I've ever managed over the last ten years!
HTH,
Tom
Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp
-----Original Message-----
From: Jeff Sloan [mailto:jsloan@xxxxxxxxxxxx]
Sent: Thursday, June 26, 2003 8:50 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: AW: Online Banking Issues
http://www.ISAserver.org
Sorry guys, not the answer.
I have no load balancing, I have only one route to the internet, and that is
through one ISA server ONLY. As for the MTU size, if that were to work, it
would not be a acceptable solution for companies to have to go mess with the
registry to get certain sites to work. Either the sites need to change to work
with default machine settings or ISA needs to provide a fix.
Now that you know I have no load balancing, any other ideas?
I have never made any changes to the ISA server concerning SSL, but other sites
work.
Jeff Sloan
Network Administrator
Cross Oil Refining & Marketing, Inc.
484 E. 6th St.
Smackover, AR 71762
Phone 870-864-8688
Fax 870-864-8689
Cell 870-866-9941
-----Original Message-----
From: Christian.Schramm@xxxxxxxxxxxxxx
[mailto:Christian.Schramm@xxxxxxxxxxxxxx]
Sent: Thursday, June 26, 2003 8:13 AM
To: ISALists
Subject: [isalist] Re: AW: Online Banking Issues
http://www.ISAserver.org
Funny I came to the same solution without reading that article ;-)
Additionaly my proxy configuration script even provides a kind of failover
which is not given by the script from the KB article. The KB article script
delivers ONE proxy. My version provides a LIST of proxies, including all array
members and the backup route causing the browser to try the whole list if one
proxy times out. See the example below:
// Exceptions to deactivate CARP
if (shExpMatch(host, "*.bankingdomain.de")||
shExpMatch(host, "*.bankingdomain.com"))
{
list = "";
for (i = 0; i < cNodes; i++) {
list = list + "PROXY " + Proxies[i].name + "; ";
}
list = list + BackupRoute;
return list;
}
You could also disable CARP for all SSL-Sites which causes less administrative
work and more friendly users ;-)
// Deactivate CARP for all HTTPS sites
if (url.substring(0, 6) == "https:") {
list = "";
for (i = 0; i < cNodes; i++) {
list = list + "PROXY " + Proxies[i].name + "; ";
}
list = list + BackupRoute;
return list;
}
Note that you have to insert above sections inside the FindProxyForURL
function...
Greets,
Christian
> -----Ursprüngliche Nachricht-----
> Von: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Gesendet: Donnerstag, 26. Juni 2003 14:55
> An: [ISAserver.org Discussion List]
> Betreff: [isalist] Re: AW: Online Banking Issues
>
>
> http://www.ISAserver.org
>
>
> That's absolutely correct; CARP screws up those kinds of sites. A
> workaround is documented at:
> http://support.microsoft.com/default.aspx?scid=328428
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
>
>
>
> http://www.ISAserver.org
>
>
> Hi there,
>
> I had a similar problem. Seems that the banking software does some
> kind of ip addreess verification per session. So if you use CARP for
> Web proxy clients, there can be the case that within one session the
> banking application sees different source ip addresses. To verify
> this, try to set a specific ISA server as the proxy and test it
> again... Remember to close your browser after changing the value from
> "use automatic configuration script" to "use a proxy server"..
>
> Greets
>
> Christian
>
> > -----Ursprüngliche Nachricht-----
> > Von: Jeff Sloan [mailto:jsloan@xxxxxxxxxxxx]
> > Gesendet: Mittwoch, 25. Juni 2003 21:22
> > An: [ISAserver.org Discussion List]
> > Betreff: [isalist] Online Banking Issues
> >
> >
> > http://www.ISAserver.org
> >
> >
> > We have problems with two Online Banking sites, TheOneNet by BankOne
> > and StuckeyNet.
> >
> > TheOneNet started about a month ago and StuckeyNet about two weeks
> > ago.
> >
> > Sometimes we can't log in, other times we can but can only get to
> > one page of data before the browser kinda locks up.
> >
> > One program logs in and opens a second window, but the window is
> > 'clear', it never gets any data on it.
> >
> > The other will get to one page of data, and if you click another
> > link on the page, it 'just sits there and looks at
> you funny'.
> >
> > I have cases open with both banks, and they have duplicated the
> > issue on their ISA servers, but they have not fixed it yet. They say
> > they are working with Microsoft on the issue, but it seems way slow
> > to me.
> >
> > I have tried the firewall client, and it doesn't help.
> > I have made rules to not cache those sites;
> > *.bankone.com
> > *.citonline.com
> > *.theonenet.com
> > But it made no diffrence.
> > Should I include something after those entries to make sure any page
> > on those domains are not cached, or is this another issue?
> >
> > Anybody heard anything simular?
> > I am starting to think that iether the banks are using something on
> > their pages that is not accepted standard, or we are going to see a
> > hotfix for ISA.
> >
> > If anyone can, please help.
> > Thanks,
> > Jeff Sloan
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > Leading Network Software Directory: http://www.serverfiles.com No.1
> > Exchange > Server Resource
> > Site: http://www.msexchange.org Windows Security Resource
> > Site: http://www.windowsecurity.com/ Network Security
> > Library: http://www.secinf.net/ Windows 2000/NT Fax
> > Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion
> > List as: christian.schramm@xxxxxxxxxxxxxx To unsubscribe send
> > a blank email to $subst('Email.Unsub')
> >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com No.1
> Exchange Server Resource Site: http://www.msexchange.org Windows
> Security Resource Site: http://www.windowsecurity.com/ Network
> Security Library: http://www.secinf.net/ Windows 2000/NT Fax
> Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: jim@xxxxxxxxxxxx
> To unsubscribe send a blank email to
> $subst('Email.Unsub')
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com No.1
> Exchange Server Resource Site: http://www.msexchange.org Windows
> Security Resource Site: http://www.windowsecurity.com/ Network
> Security Library: http://www.secinf.net/ Windows 2000/NT Fax
> Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: christian.schramm@xxxxxxxxxxxxxx
> To unsubscribe send a blank email to
> $subst('Email.Unsub')
>
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange
Server Resource Site: http://www.msexchange.org Windows Security Resource Site:
http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jsloan@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jsloan@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
Other related posts:
