Just dropping in...

I think Tom meant that the s&c rule should not contain any specifics, just the plain target domain name, "not even a /*" to cite him here. That would mean "full access" to the site defined in the rule.

Mark

> -----Original Message-----
> From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
> Posted At: Monday, December 01, 2003 3:43 PM
> Posted To: www.isaserver.org
> Conversation: [isalist] RE: Cannot access SSL sites
> Subject: [isalist] RE: Cannot access SSL sites
>
> http://www.ISAserver.org
>
> OK, I hear you. But if I tell you that the only difference between 2 usernames is that the one has an S&C rule with a limited destination set (which includes the www.<domainname>.co.za that I am trying to access), and the other has an S&C rule with an "Any Site" S&C Rule, then I'd like to hear your thoughts on this.
>
> Tom's comment about users requiring "Full access" to the SSL server confuses me, as the only Full Access that I can think of is to give these users an "Any Site" S&C Rule as that is the only difference between these users... but this doesn't make sense to me.
>
> As you rightly pointed out, 12209 indicates that there was a Proxy Auth failure, which is maybe what Tom was talking about regarding the Full Access for SSL, but I'm damned if I know where to investigate this further...
>
> If you have any pearls of wisdom I will gladly accept them :)
>
> Cheers
> William R.
>
> -----Original Message-----
> From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> Sent: 01 December 2003 16:01 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Cannot access SSL sites
>
> Hi William,
>
> I haven't followed the thread as Tom was handling your issue.
> If I can take you back in time, those log entries are pretty clear to me:
>
> (first entry): the sc-result code is 10054. This is a Winsock response meaning the connection, although initially accepted (listener responded), the connection was dropped (reset) afterwards. Since this appears to be an SSL connection (SSL-tunnel), there may have been a problem in the SSL handshake.
>
> (second entry): the sc-result code is 12209. This is a proxy auth failure. Since there was no allowed traffic, there is no rule to quote.
>
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
>
>
> On Mon, 1 Dec 2003 09:05:36 +0200
> "William Robertson" <robertson.william@xxxxxxxxxxxxxx> wrote:
>
> Jim, it looks like Tom is probably getting some well deserved rest as I haven't seen a post from him for a few days now. Would you perhaps have any insight for me into the matter Tom highlighted with regards my SSL issue? See below for more info...
>
>
> -----Original Message-----
> From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
> Sent: 26 November 2003 08:00 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Cannot access SSL sites
>
> Hi Tom
>
> When you say users require "Full Access" to the SSL Server, how would you propose I implement this? I can think of no other way to do this other than giving these users access to a S&C rule that allows ALL destinations... and this doesn't make sense to me...?
>
> Your thoughts?
>
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> Sent: 26 November 2003 00:45 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Cannot access SSL sites
>
> Hi William,
>
> Users must have full access to the server to which they create an SSL connection because they cannot evaluate the path. If you have a path in the rule allowing them access, then the connection request fails. Even the dreaded /* can create this problem.
>
> HTH,
> Tom
>
> -----Original Message-----
> From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
> Sent: Tuesday, November 25, 2003 8:06 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Cannot access SSL sites
>
> Hi there
>
> I have some users who are "not allowed" to access the Internet. But being the nice guy I am I managed to get management to approve the "opening" of certain sites, such as the medical aid and pension scheme websites. So to do this I created an S&C rule to allow the necessary destination sets for all Domain Users. The trick with this is that the Medical Aid website works just fine, but the Pension website doesn't. I have now managed to figure out that the problem is related to the fact that the Pension website is an HTTPS secure site. In fact, any HTTPS site that I "open", the users keep getting prompted for their credentials, but any other HTTP website works just fine.
>
> Here are the excerpts from the WEB log (I've removed all the unnecessary info):
>
> Medical Aid
> <clientIP>, WillTest, Mozilla/4.0 etc etc, 11/25/2003, 15:35:57, w3proxy, <FIREWALL>, -, www.sovhealth.co.za, 196.37.176.210, 80, 2953, 455, 0, http, TCP, GET, http://www.sovhealth.co.za/web/images/background.gif, image/gif, Inet, 10054, 0x801002, pWEB Protocols, scWEB - Free Sites
>
> Pension Scheme
> <clientIP>, WillTest, Mozilla/4.0 etc etc, 11/25/2003, 15:35:58, w3proxy, <FIREWALL>, -, www.mebmac.co.za, -, 443, 0, 0, 0, SSL-tunnel, TCP, -, www.mebmac.co.za:443, -, Inet, 12209, 0x0, pWEB Protocols, -
>
> As you can see, the Pension website doesn't find a matching Rule 2 (Site & Content Rule), and this I cannot understand. Is it possible to declare HTTP and HTTPS website distinctions in the Destination Sets?
>
> Cheers
> William R.
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
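
Added example, not part of the original thread and not ISA Server's own code: a simplified Python model of the point Tom makes above, that an HTTPS request reaches the proxy only as CONNECT host:port, so a destination-set entry carrying a path (even /*) has nothing to be compared against, while a host-only entry still matches. The function names, the (host, path) entry format, the two destination sets and the HTTP version in the request lines are assumptions for illustration; the hostnames and the GET URL are taken from the quoted log excerpts.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Constructed request lines as a forward proxy would receive them.
HTTP_REQ = "GET http://www.sovhealth.co.za/web/images/background.gif HTTP/1.0"
CONNECT_REQ = "CONNECT www.mebmac.co.za:443 HTTP/1.0"

# Constructed destination sets: (host, path pattern); None means host only.
WITH_PATHS = [("www.sovhealth.co.za", "/*"), ("www.mebmac.co.za", "/*")]
HOST_ONLY = [("www.sovhealth.co.za", None), ("www.mebmac.co.za", None)]


def visible_to_proxy(request_line):
    """Return (host, path) as seen by the proxy; path is None for CONNECT."""
    method, target = request_line.split()[:2]
    if method.upper() == "CONNECT":
        # An SSL tunnel request names only host:port; the URL path travels
        # inside the encrypted session and is never shown to the proxy.
        return target.rsplit(":", 1)[0].lower(), None
    parts = urlsplit(target)
    return parts.hostname, parts.path or "/"


def entry_matches(entry, host, path):
    """Match one destination-set entry against what the proxy can see."""
    entry_host, pattern = entry
    if entry_host.lower() != host:
        return False
    if pattern is None:
        return True       # host-only entry: "full access" to that server
    if path is None:
        return False      # path pattern cannot be evaluated for a tunnel
    return fnmatch(path, pattern)


def allowed(destination_set, request_line):
    """True if any entry in the destination set matches the request."""
    host, path = visible_to_proxy(request_line)
    return any(entry_matches(e, host, path) for e in destination_set)


if __name__ == "__main__":
    for name, dset in (("with paths", WITH_PATHS), ("host only", HOST_ONLY)):
        for req in (HTTP_REQ, CONNECT_REQ):
            verdict = "allow" if allowed(dset, req) else "no matching rule"
            print(f"{name:10} | {req.split()[0]:7} | {verdict}")
```

In this model the host-only set allows both requests without widening access to "Any Site", which is the distinction Mark draws in his reply.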