RE: Cannot access SSL sites

  • From: "Mark Hippenstiel" <M.Hippenstiel@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 2 Dec 2003 01:41:17 +0100

Just dropping in... I think Tom meant that the s&c rule should not
contain any specifics, just the plain target domain name, "not even a
/*" to cite him here. That would mean "full access" to the site defined
in the rule.

Mark

> -----Original Message-----
> From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] 
> Posted At: Monday, December 01, 2003 3:43 PM
> Posted To: www.isaserver.org
> Conversation: [isalist] RE: Cannot access SSL sites
> Subject: [isalist] RE: Cannot access SSL sites
> 
> 
> http://www.ISAserver.org
> 
> OK, I hear you. But if I tell you that the only difference between 2
> usernames is that the one has an S&C rule with a limited destination set
> (which includes the www.<domainname>.co.za that I am trying to access), and
> the other has an S&C rule with an "Any Site" S&C Rule, then I would like
> to hear your thoughts on this.
> 
> Tom's comment about users requiring "Full access" to the SSL 
> server confuses
> me, as the only Full Access that I can think of is to give 
> these users an
> "Any Site" S&C Rule as that is the only difference between 
> these users...
> but this doesn't make sense to me.
> 
> As you rightly pointed out, 12209 indicates that there was a 
> Proxy Auth
> failure, which is maybe what Tom was talking about regarding 
> the Full Access
> for SSL, but I'm damned if I know where to investigate this further...
> 
> If you have any pearls of wisdom I will gladly accept them :)
> 
> Cheers
> William R.
> 
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
> Sent: 01 December 2003 16:01 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Cannot access SSL sites
> 
> http://www.ISAserver.org
> 
> Hi William,
> 
> I haven't followed the thread as Tom was handling your issue.
> If I can take you back in time, those log entries are pretty 
> clear to me:
> 
> (first entry): the sc-result code is 10054.  This is a 
> Winsock response
> meaning the connection, although initially accepted (listener 
> responded),
> the connection was dropped (reset) afterwards.  Since this 
> appears to be an
> SSL connection (SSL-tunnel), there may have been a problem in the SSL
> handshake.
> 
> (second entry): the sc-result code is 12209.  This is a proxy 
> auth failure.
> Since there was no allowed traffic, there is no rule to quote.
> 
>   Jim Harrison
>   MCP(NT4, W2K), A+, Network+, PCG
>   http://isaserver.org/Jim_Harrison/
>   http://isatools.org
>   Read the help / books / articles!
> 
> 
> On Mon, 1 Dec 2003 09:05:36 +0200
>  "William Robertson" <robertson.william@xxxxxxxxxxxxxx> wrote:
> http://www.ISAserver.org
> 
> Jim, it looks like Tom is probably getting some well deserved rest as I
> haven't seen a post from him for a few days now. Would you perhaps have any
> insight for me into the matter Tom highlighted with regard to my SSL issue?
> See below for more info...
> 
> 
> -----Original Message-----
> From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] 
> Sent: 26 November 2003 08:00 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Cannot access SSL sites
> 
> http://www.ISAserver.org
> 
> Hi Tom
> 
> When you say users require "Full Access" to the SSL Server, 
> how would you
> propose I implement this? I can think of no other way to do 
> this other than
> giving these users access to a S&C rule that allows ALL 
> destinations... and
> this doesn't make sense to me...?
> 
> Your thoughts?
> 
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
> Sent: 26 November 2003 00:45 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Cannot access SSL sites
> 
> http://www.ISAserver.org
> 
> Hi William,
> 
> Users must have full access to the server to which they create an SSL
> connection because they cannot evaluate the path. If you have 
> a path in
> the rule allowing them access, then the connection request fails. Even
> the dreaded /* can create this problem.
> 
> HTH,
> Tom 
> 
> -----Original Message-----
> From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] 
> Sent: Tuesday, November 25, 2003 8:06 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Cannot access SSL sites
> 
> http://www.ISAserver.org
> 
> Hi there
> 
> I have some users who are "not allowed" to access the Internet. But
> being the nice guy I am I managed to get management to approve the
> "opening" of certain sites, such as the medical aid and pension scheme
> websites. So to do this I created an S&C rule to allow the necessary
> destination sets for all Domain Users. The trick with this is that the
> Medical Aid website works just fine, but the Pension website 
> doesn't. I
> have now managed to figure out that the problem is related to the fact
> that the Pension website is an HTTPS secure site. In fact, any HTTPS
> site that I "open", the users keep getting prompted for their
> credentials, but any other HTTP website works just fine.
> 
> Here are the excerpts from the WEB log (I've removed all the unnecessary
> info):
> 
> Medical Aid
> <clientIP>, WillTest, Mozilla/4.0 etc etc, 11/25/2003, 15:35:57, w3proxy, <FIREWALL>, -, www.sovhealth.co.za, 196.37.176.210, 80, 2953, 455, 0, http, TCP, GET, http://www.sovhealth.co.za/web/images/background.gif, image/gif, Inet, 10054, 0x801002, pWEB Protocols, scWEB - Free Sites
> 
> Pension Scheme
> <clientIP>, WillTest, Mozilla/4.0 etc etc, 11/25/2003, 15:35:58, w3proxy, <FIREWALL>, -, www.mebmac.co.za, -, 443, 0, 0, 0, SSL-tunnel, TCP, -, www.mebmac.co.za:443, -, Inet, 12209, 0x0, pWEB Protocols, -
> 
> As you can see, the Pension website doesn't find a matching Rule 2 (Site
> & Content Rule), and this I cannot understand. Is it possible to declare
> HTTP and HTTPS website distinctions in the Destination Sets?
> 
> Cheers
> William R.
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe send a blank email to 
> $subst('Email.Unsub')

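To make the point Tom and Jim are making concrete, here is an added worked example that is not part of the thread and not ISA Server's own rule-matching code. It parses the two web proxy log lines William quoted, shows what the proxy can actually see of each request (a full URL for the plain HTTP GET, only host:port for the SSL-tunnel, since the path travels inside the encrypted CONNECT tunnel), and emulates a destination set entry with and without a path component. The column names are inferred from the trimmed excerpt, and the `destination_matches` logic is a model of the behaviour described in the thread, not a reimplementation of ISA's evaluator.

```python
"""Model of how a Site & Content rule's destination set does or does not
match the two ISA web proxy log entries quoted in the thread.  Added example,
not ISA Server's own matching code: it reproduces the behaviour Tom describes
(a path in the destination set cannot be evaluated for an SSL-tunnel request,
because a CONNECT exposes host:port and no path)."""

from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Column names for the trimmed excerpt in the thread (an assumption inferred
# from the two quoted lines; the full ISA 2000 W3PROXY log has more columns).
FIELDS = [
    "client_ip", "user", "agent", "date", "time", "service", "server",
    "referrer", "dest_host", "dest_ip", "dest_port", "processing_ms",
    "bytes_sent", "bytes_recv", "protocol", "transport", "operation",
    "object", "mime", "source", "result", "cache_info", "rule1", "rule2",
]

# The two entries quoted in the thread; client IP and firewall name were
# already masked by the poster.
SAMPLE_LOG = """\
<clientIP>, WillTest, Mozilla/4.0 etc etc, 11/25/2003, 15:35:57, w3proxy, <FIREWALL>, -, www.sovhealth.co.za, 196.37.176.210, 80, 2953, 455, 0, http, TCP, GET, http://www.sovhealth.co.za/web/images/background.gif, image/gif, Inet, 10054, 0x801002, pWEB Protocols, scWEB - Free Sites
<clientIP>, WillTest, Mozilla/4.0 etc etc, 11/25/2003, 15:35:58, w3proxy, <FIREWALL>, -, www.mebmac.co.za, -, 443, 0, 0, 0, SSL-tunnel, TCP, -, www.mebmac.co.za:443, -, Inet, 12209, 0x0, pWEB Protocols, -
"""

# Meaning of the two result codes as Jim explains them in the thread.
RESULT_CODES = {
    10054: "Winsock: connection accepted, then reset by peer (possible SSL handshake problem)",
    12209: "proxy authentication failure (no rule was applied)",
}


def parse_log(text):
    """Split each comma-separated log line into a dict keyed by FIELDS."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = [v.strip() for v in line.split(", ")]
        if len(values) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} columns, got {len(values)}: {line!r}")
        entries.append(dict(zip(FIELDS, values)))
    return entries


def proxy_view(entry):
    """What the proxy can see of the request when it evaluates a rule.

    An http GET carries the full URL, so host and path are both known.
    An SSL-tunnel (CONNECT) carries only host:port; the path is inside the
    encrypted tunnel and never visible to the proxy, hence None."""
    if entry["protocol"] == "SSL-tunnel":
        host, _, port = entry["object"].partition(":")
        return {"host": host.lower(), "port": int(port or 443), "path": None}
    url = urlsplit(entry["object"])
    return {"host": (url.hostname or "").lower(), "port": url.port or 80,
            "path": url.path or "/"}


def destination_matches(dest_set_entry, view):
    """Emulate a destination set entry written as host or host/pattern.

    A host-only entry ("full access" to the site) matches any request to that
    host, tunnelled or not.  An entry with a path (even "/*") can only match
    when the proxy knows the path, which it never does for a tunnel."""
    host, slash, pattern = dest_set_entry.partition("/")
    if host.lower() != view["host"]:
        return False
    if not slash:             # plain host, no path component
        return True
    if view["path"] is None:  # tunnel: the path cannot be evaluated
        return False
    return fnmatchcase(view["path"], "/" + pattern)


def explain(entry, dest_set):
    """Return (matched, result_code_text) for one entry against a destination set."""
    view = proxy_view(entry)
    matched = any(destination_matches(d, view) for d in dest_set)
    code = int(entry["result"])
    return matched, RESULT_CODES.get(code, f"result code {code}")


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    limited = ["www.sovhealth.co.za/*", "www.mebmac.co.za/*"]  # entries with a path
    full = ["www.sovhealth.co.za", "www.mebmac.co.za"]         # host only, "full access"
    for e in entries:
        for name, ds in (("with /*", limited), ("host only", full)):
            ok, why = explain(e, ds)
            print(f"{e['protocol']:<10} {e['dest_host']:<22} {name:<10} match={ok}  ({why})")
```

Run as a script it prints one line per entry and destination-set style; the SSL-tunnel entry matches only the host-only set, which is the "full access" Tom and Mark describe, while the plain HTTP GET matches either form.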