RE: Auto Switching to SSL connection

  • From: "William Holmes" <wtholmes@xxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 20 Dec 2004 13:33:41 -0500

Hello,

Let's start with my second point below: if a rule requires SSL .AND.
Authentication, SSL should always be applied first. Please give me a scenario
where this should not be true.

IIS always does SSL first, followed by Authentication. Given a Listener that
can do both open connections and SSL connections, ISA does Authentication
first, followed by SSL. I would love an explanation of this decision.

Now moving on:

An ISA 2004 Listener supports both http and https simultaneously. If I don't
need the granularity you're talking of (and I am really not sure what it
could do for me anyway), why should I have the overhead of two publishing
rules for each site? That doubles the maintenance of a given rule. I don't see
what this buys me other than increased complexity.

Finally, in my case having two listeners doesn't even solve the problem I wish
to solve. I still need to have a redirect. It's a really simple 1-to-1
redirect (http://* -> https://*), to be sure, but in order to have it first
redirect to https:// I need to set up a new listener that will listen on
http: and then intelligently redirect to https: on another listener. Doable
but cumbersome. As they stand, neither of the HTML pages presented in the
isa_redirects.zip file will accomplish a generic redirect from
http://mysite/secureArea/* to https://mysite/secureArea/*.


Bill
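
The ordering argued over above (challenge for credentials first, or require
SSL first) is easy to show in code. The block below is an added example; it
is not code from this thread, from ISA Server, or from the isa_redirects.zip
scripts. It models the two orderings as pure functions over a request dict.
The request dict layout, the function names, the user table (a stand-in for
the RADIUS lookup) and the sample URLs are all assumptions made for
illustration.

```python
"""Added example, not code from the ISAserver.org thread or from ISA itself.

A minimal publishing policy, written as pure functions so it can be read and
run offline, showing the two orderings the thread argues about:

  publish_auth_first()  - challenge for credentials, then check "require SSL"
                          (the behaviour the poster describes seeing)
  publish_ssl_first()   - check "require SSL" first, redirect to https://, and
                          only challenge for credentials over HTTPS
                          (the behaviour the poster asks for)

The request dict, the user table and the helper names are assumptions made
for illustration; the user table stands in for the RADIUS lookup.
"""
import base64
from urllib.parse import urlunsplit

# Constructed sample data: one user, and the Basic header for "bill:s3cret".
USERS = {"bill": "s3cret"}
SAMPLE_AUTH = "Basic YmlsbDpzM2NyZXQ="
REALM = 'Basic realm="secureArea"'


def https_redirect_target(host, path, query=""):
    """Generic 1-to-1 http://* -> https://* redirect target.

    Host, path and query are taken from the request, so a deep link such as
    http://mysite/secureArea/foo/bar?x=1 is preserved.  No client-supplied
    absolute URL is ever used as the target, so this cannot become an open
    redirect.
    """
    return urlunsplit(("https", host, path, query, ""))


def check_credentials(authorization, users):
    """Validate an HTTP Basic Authorization header against the user table.

    Returns the user name on success, otherwise None.  Malformed base64 and
    headers with no ':' are rejected rather than raising.
    """
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if sep and users.get(user) == password:
        return user
    return None


def publish_auth_first(request, users):
    """The ordering the thread complains about: the 401 challenge is sent even
    on a plain-HTTP request, so the browser retries with credentials in the
    clear and only then receives the 'SSL required' 403."""
    user = check_credentials(request.get("authorization"), users)
    if user is None:
        return 401, {"WWW-Authenticate": REALM}
    if request["scheme"] != "https":
        return 403, {"X-Reason": "SSL required"}   # credentials already leaked
    return 200, {"X-Authenticated-User": user}


def publish_ssl_first(request, users):
    """The requested ordering: plain HTTP is answered with a redirect and no
    WWW-Authenticate header, so credentials are never solicited before the
    channel is encrypted.  Only over HTTPS is the challenge issued."""
    if request["scheme"] != "https":
        target = https_redirect_target(request["host"], request["path"],
                                       request.get("query", ""))
        return 301, {"Location": target}
    user = check_credentials(request.get("authorization"), users)
    if user is None:
        return 401, {"WWW-Authenticate": REALM}
    return 200, {"X-Authenticated-User": user}


def walk_through():
    """Replay the poster's scenario and return the status codes per step."""
    http_req = {"scheme": "http", "host": "mysite",
                "path": "/secureArea/foo/bar", "query": "x=1"}
    https_req = dict(http_req, scheme="https")
    https_with_creds = dict(https_req, authorization=SAMPLE_AUTH)
    return {
        "ssl_first": [publish_ssl_first(r, USERS)[0]
                      for r in (http_req, https_req, https_with_creds)],
        "auth_first": [publish_auth_first(r, USERS)[0]
                       for r in (http_req,
                                 dict(http_req, authorization=SAMPLE_AUTH))],
    }


if __name__ == "__main__":
    print(walk_through())
    # {'ssl_first': [301, 401, 200], 'auth_first': [401, 403]}
```

Two things worth checking in any real deployment of the "SSL first" order:
the redirect must never carry a WWW-Authenticate header (that is the whole
point), and the redirect target must be built from the request's own host and
path rather than from a client-supplied URL, or the redirect page becomes an
open redirect. The first plain-HTTP request is still on the clear channel, so
anything the browser already sends with it (cookies, for instance) is exposed;
the redirect only keeps the credential exchange off that channel.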


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Monday, December 20, 2004 12:33 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Auto Switching to SSL connection

http://www.ISAserver.org

Hi William,

Why not create two listeners? That was one of the great improvements in the
new ISA firewall and it's served me very well in allowing me to customize the
auth and security requirements in a more granular fashion. The ISA Server
2000 method was a PIA, as the same settings were applied to SSL and non-SSL.
NOT good!


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: William Holmes [mailto:wtholmes@xxxxxxxxxxxxxx]
Sent: Monday, December 20, 2004 11:23 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Auto Switching to SSL connection


Hello,

I'm sorry, but this doesn't make a lot of sense to me. In order to do what I
am after I would need two rules for every site that I wish to use secure
authentication for.

Publish Rule #1: a rule that lives on an HTTP-only listener, does not
require authentication, and redirects to Rule #2.
Publish Rule #2: a rule that lives on an HTTPS-only listener and requires
authentication.

It also requires two listeners when it should not (IMO) be necessary. Two
listeners mean two rules for each published site: one for SSL and one
without.

This is extremely cumbersome and increases the TCO of ISA 2004 when used for
web publishing.

There appear to be two fundamental flaws in the design of web publishing. 

1. Microsoft saw fit to add the "Notify HTTP users to use HTTPS instead"
option. Why not just do the redirect to https (assuming the listener has been
configured for https)? Do not pester the user with a stupid error message.
Just transparently redirect the user.

2. When a Web Publishing rule requires both authentication and SSL, SSL
should ALWAYS be applied first. Just like IIS does. On IIS if a page requires
both SSL and Authentication SSL is always applied first. If you specify
http:// it will respond with HTTP Error 403.4 - Forbidden: SSL is required to
view this resource. Entering https:// will eliminate the 403.4 and if the
page requires authentication you will be prompted over the SSL channel.

On ISA, if a publishing rule requires authentication and SSL, you will first be
required to authenticate over the clear channel and only then be given the error
message "Error Code: 403 Forbidden. This page must be viewed over a secure
channel (Secure Sockets Layer (SSL)). Contact the server administrator.
(12211)". Unfortunately, your credentials have just passed between the browser
and the ISA server in the clear. IIS has it correct; ISA has it wrong.

The first point is a nicety. The second is a necessity. I(SECURITY)A Server
should make every effort to be as secure as possible. If an Administrator
specifies that a web publishing rule require SSL, that should be the first thing
applied when a rule matches. I think it should happen transparently (or at
least that should be one choice), but even if there is some reason that it
should not happen transparently, it should still be applied prior to any
further processing of a publishing rule.

I hope the Microsoft Developers are Listening.


Bill

 



-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Saturday, December 18, 2004 12:09 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Auto Switching to SSL connection


Create two listeners; one using HTTP (TCP:80) and the other using HTTPS
(TCP:443).
Set the HTTP listener to be anonymous and the SSL listener to use
authentication.
Uncheck "require authentication" on both.
Use your rules to determine what, if any authentication is required.


  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
 
 
-----Original Message-----
From: William Holmes [mailto:wtholmes@xxxxxxxxxxxxxx]
Sent: Saturday, December 18, 2004 7:22 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Auto Switching to SSL connection


Hello,

These are very handy, but they don't do quite what I want. The problem is
that ISA is still requesting a password before it will display the page and
generate the error. I want to go to SSL prior to ISA prompting for a
password.

user requests http://myserver/securepage

        redirect --> https://myserver/securepage
        prompt for credentials.


What happens now:

user requests http://myserver/securepage
        prompt for credentials
        error is generated
        the scripts you pointed me to re-direct -->
https://myserver/securepage


The other issue is that I would like to be able to give out direct links
things like http://myserver/securepage/foo/bar/ and have it first redirected
to https://myserver/securepage/foo/bar.

The issue is that users who browse this site from an internal network don't
get prompted for passwords. Those who browse from outside do. I want the
authentication handshake to be in SSL.

I am using RADIUS, so the passwords between the client and the ISA server are
running in the clear unless I use SSL.


Any suggestions?


Thanks

Bill 

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Saturday, December 18, 2004 1:02 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Auto Switching to SSL connection


http://isatools.org/isa_redirects.zip includes two separate examples and a
set of instructions on how to use each.


  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
 
 

-----Original Message-----
From: William Holmes [mailto:wtholmes@xxxxxxxxxxxxxx]
Sent: Friday, December 17, 2004 8:49 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Auto Switching to SSL connection


Hello,

With ISA 2004, is there a way to configure a rule that will switch the user to
SSL? What I would like is for requests for http://mysite.com/foo to be switched
to https://mysite.com/foo. I don't see any obvious way to do this. The
reason for doing this is that the publishing rule is set up for authentication
and I obviously would like that to be secure. So I would like the SSL switch
to take place before the authentication.

Thanks

Bill

William Holmes (MCP)
Department of Computer Science
310 Upson Hall
Cornell University
Ithaca, NY 14853
wtholmes@xxxxxxxxxxxxxx
607 255-1757 (o) 607 227-6049 (c)
 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading Network
Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.










