RE: Auto Switching to SSL connection

  • From: "William Holmes" <wtholmes@xxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 21 Dec 2004 08:35:33 -0500

Tom,

How does applying SSL (assuming that the RULE specifies SSL) prior to
requesting authentication in any way affect the policy granularity?  I think
ISA2004 is great; however, that doesn't mean it's perfect. There is always room
for improvement in any product. You can hardly argue that applying SSL to the
connection (again at the rule level) prior to requesting authentication (also
requested at the rule level) "dulls the instrument" or reduces granularity or,
for that matter, flexibility in any way.  However, I think it's quite obvious
that passing credentials in the clear when there is an alternative available
is not even close to best practices.

Bill

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Tuesday, December 21, 2004 4:46 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Auto Switching to SSL connection

http://www.ISAserver.org

Hi Jim,

Precisely. It's that policy granularity that I very much appreciate with the
new ISA firewall. I'd much rather have the sharp scalpel than the pointed
stick :-) 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Monday, December 20, 2004 8:21 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Auto Switching to SSL connection


The point is, ISA will authenticate first if authentication is required.
This is the way the ISA team chose to create this logic.
I'll stipulate that it isn't "ideal", but neither is wasting time arguing
about it here.
If you want your ISA to redirect, then you have to have an anonymous
HTTP-based rule to do so.
This is what the ISA core team refers to as "policy granularity".
The idea here is that you can have a single rule doing a VERY specific job.
..of course, you can also have a single rule allowing everything in sight,
too.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
 
 

-----Original Message-----
From: William Holmes [mailto:wtholmes@xxxxxxxxxxxxxx]
Sent: Monday, December 20, 2004 5:37 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Auto Switching to SSL connection


Jim,

I am in no way suggesting that ISA is IIS. What I am saying is that prior to
any passing of any authentication information the channel between client and
server should be secured if a secure channel is an option. Every other
instance of http and for that matter IMAP, SMTP, and POP (all of the major
protocols that have ssl variants) operate in this way.  ISA on the other hand
chooses in the case of the web listener to authenticate first and secure the
channel second.

The point is that if I specify "Notify HTTP users to use HTTPS instead" under
the traffic tab of a web publishing rule, the first check that should be
performed by the rule is whether the user has specified a secure channel. If not,
then an error should be raised. If the rule also requires authentication, then
that aspect of the rule should be performed second. 

In any context, I never said that ISA was a web server or vice versa. What I
did say is that allowing a user to authenticate over an insecure channel when
a secure channel is available is a terrible idea, an idea that I can't see the
justification for.

Bill

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Monday, December 20, 2004 2:32 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Auto Switching to SSL connection


The first concept we need to clarify is this:
        IIS isn't ISA and vice versa.
In the context of this discussion, ISA is a web proxy.  In no context is it
ever a web server.
Likewise, I wouldn't try to use IIS as a web proxy; witness the train wreck
that was Proxy 1 and 2.

Take a deeper read in the ISA docs; the design and functionality will become
a bit clearer (I hope).
ISA always covers the authentication question FIRST.
..and if you use the resource I linked you to, you can have the redirect you
want.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
 
 

-----Original Message-----
From: William Holmes [mailto:wtholmes@xxxxxxxxxxxxxx]
Sent: Monday, December 20, 2004 10:34 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Auto Switching to SSL connection
