Tom,

How does applying SSL (assuming that the rule specifies SSL) prior to requesting authentication in any way affect the policy granularity? I think ISA 2004 is great; however, that doesn't mean it's perfect. There is always room for improvement in any product. You can hardly argue that applying SSL to the connection (again, at the rule level) prior to requesting authentication (also requested at the rule level) "dulls the instrument" or reduces granularity or, for that matter, flexibility in any way. However, I think it's quite obvious that passing credentials in the clear when there is an alternative available is not even close to best practice.

Bill

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Tuesday, December 21, 2004 4:46 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Auto Switching to SSL connection

http://www.ISAserver.org

Hi Jim,

Precisely. It's that policy granularity that I very much appreciate with the new ISA firewall. I'd much rather have the sharp scalpel than the pointed stick :-)

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Monday, December 20, 2004 8:21 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Auto Switching to SSL connection

The point is, ISA will authenticate first if authentication is required. This is the way the ISA team chose to create this logic. I'll stipulate that it isn't "ideal", but neither is wasting time arguing about it here. If you want your ISA to redirect, then you have to have an anonymous HTTP-based rule to do so. This is what the ISA core team refers to as "policy granularity". The idea here is that you can have a single rule doing a VERY specific job. ...of course, you can also have a single rule allowing everything in sight, too.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

-----Original Message-----
From: William Holmes [mailto:wtholmes@xxxxxxxxxxxxxx]
Sent: Monday, December 20, 2004 5:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Auto Switching to SSL connection

Jim,

I am in no way suggesting that ISA is IIS. What I am saying is that prior to any passing of any authentication information, the channel between client and server should be secured if a secure channel is an option. Every other instance of HTTP and, for that matter, IMAP, SMTP, and POP (all of the major protocols that have SSL variants) operate in this way. ISA, on the other hand, chooses in the case of the web listener to authenticate first and secure the channel second.

The point is that if I specify "Notify HTTP users to use HTTPS instead" under the Traffic tab of the web publishing rule, the first check that should be performed by the rule is: has the user specified a secure channel? If not, then an error should be raised. If the rule also requires authentication, then that aspect of the rule should be performed second.

In any context, I never said that ISA was a web server or vice versa. What I did say is that allowing a user to authenticate over an insecure channel when a secure channel is available is a terrible idea. An idea that I can't see the justification for.

Bill

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Monday, December 20, 2004 2:32 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Auto Switching to SSL connection

The first concept we need to clarify is this: IIS isn't ISA and vice versa. In the context of this discussion, ISA is a web proxy. In no context is it ever a web server. Likewise, I wouldn't try to use IIS as a web proxy; witness the train wreck that was Proxy 1 and 2.

Take a deeper read in the ISA docs; the design and functionality will become a bit clearer (I hope). ISA always covers the authentication question FIRST. ...and if you use the resource I linked you to, you can have the redirect you want.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

-----Original Message-----
From: William Holmes [mailto:wtholmes@xxxxxxxxxxxxxx]
Sent: Monday, December 20, 2004 10:34 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Auto Switching to SSL connection
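Added illustration, not from the thread and not ISA's own code: a small Python model of the two check orderings argued over above (authenticate first, as the thread says ISA 2004 does, versus require the secure channel first, as Bill asks for), plus the split-rule workaround Jim describes. The Rule and Request shapes and the https URL are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    require_ssl: bool        # "Notify HTTP users to use HTTPS instead"
    require_auth: bool       # listener demands credentials
    https_url: str = "https://mail.example.test/"  # constructed placeholder

@dataclass
class Request:
    scheme: str                        # "http" or "https"
    authorization: Optional[str] = None  # Authorization header, if sent

def auth_first(rule: Rule, req: Request) -> Tuple[int, str]:
    """Ordering the thread attributes to ISA 2004: challenge, then check channel."""
    if rule.require_auth and req.authorization is None:
        # The 401 challenge goes out on whatever channel the client used,
        # so a plaintext client is invited to send credentials in the clear.
        return 401, "WWW-Authenticate: Basic"
    if rule.require_ssl and req.scheme != "https":
        return 302, "Location: " + rule.https_url
    return 200, "OK"

def ssl_first(rule: Rule, req: Request) -> Tuple[int, str]:
    """Ordering Bill argues for: redirect plaintext before ever challenging."""
    if rule.require_ssl and req.scheme != "https":
        return 302, "Location: " + rule.https_url
    if rule.require_auth and req.authorization is None:
        return 401, "WWW-Authenticate: Basic"
    return 200, "OK"

def credentials_exposed(handler, rule: Rule, req: Request) -> bool:
    """True if the handler would solicit credentials over plaintext HTTP."""
    status, _ = handler(rule, req)
    return status == 401 and req.scheme == "http"

def split_rules(req: Request) -> Tuple[int, str]:
    """Jim's workaround under auth-first semantics: an anonymous HTTP-only
    rule that just redirects, and a separate HTTPS rule that authenticates."""
    if req.scheme == "http":
        return auth_first(Rule(require_ssl=True, require_auth=False), req)
    return auth_first(Rule(require_ssl=False, require_auth=True), req)

if __name__ == "__main__":
    rule = Rule(require_ssl=True, require_auth=True)
    plain = Request(scheme="http")
    print("auth-first exposes credentials:", credentials_exposed(auth_first, rule, plain))
    print("ssl-first exposes credentials:", credentials_exposed(ssl_first, rule, plain))
    print("split rules, plaintext client:", split_rules(plain))
```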