RE: Cannot access SSL sites

  • From: "Mark Hippenstiel" <M.Hippenstiel@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 2 Dec 2003 22:16:22 +0100

Thanks Tom, I completely forgot about this implication. Well, I'm not
supposed to remember everything anyway. At least I know whom I can ask
:)



> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
> Posted At: Tuesday, December 02, 2003 12:55 PM
> Posted To: www.isaserver.org
> Conversation: [isalist] RE: Cannot access SSL sites
> Subject: [isalist] RE: Cannot access SSL sites
> 
> 
> http://www.ISAserver.org
> 
> Hi Mark,
> 
> The ISA firewall can't determine that path after the tunnel is created.
> So, if you don't allow access to the entire server (which means NOT
> entering a path), then the request will be denied. Even though /*
> putatively means everything on the server, the ISA firewall doesn't
> interpret it this way after the SSL tunnel is established.
> 
> HTH,
> Tom 
> 
> -----Original Message-----
> From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx] 
> Sent: Tuesday, December 02, 2003 4:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Cannot access SSL sites
> 
> Jim could you elaborate a bit on the /* problem? Thanks.
> 
> > -----Original Message-----
> > From: Mark Hippenstiel
> > Posted At: Tuesday, December 02, 2003 10:27 AM
> > Posted To: www.isaserver.org
> > Conversation: [isalist] RE: Cannot access SSL sites
> > Subject: [isalist] RE: Cannot access SSL sites
> > 
> > Roentgen eyes ;)
> > 
> > But no, I was just explaining what Tom had said.
> > 
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > > Posted At: Tuesday, December 02, 2003 8:09 AM
> > > Posted To: www.isaserver.org
> > > Conversation: [isalist] RE: Cannot access SSL sites
> > > Subject: [isalist] RE: Cannot access SSL sites
> > > 
> > > Did I miss the ISAInfo on this one?
> > > Where did you (Mark) see the /* in the path?
> > > 
> > >  Jim Harrison
> > >  MCP(NT4, W2K), A+, Network+, PCG
> > >  http://www.microsoft.com/isaserver
> > >  http://isaserver.org/Jim_Harrison
> > >  http://isatools.org
> > > 
> > >  Read the help, books and articles!
> > > ----- Original Message -----
> > > From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Monday, December 01, 2003 21:38
> > > Subject: [isalist] RE: Cannot access SSL sites
> > > 
> > > 
> > > Kerplunk!!!
> > > <sheepish grin as I haul myself back into my chair>
> > > 
> > > Thanks Mark, that was exactly it. My "limited" destination sets all
> > > had the "/*" subpath included as I naively thought that this would
> > > ensure that ALL the possible paths on that domain would then be
> > > allowed. Silly me!!! Looks like it decided to actually restrict as
> > > opposed to allow all paths.
> > > 
> > > Would this imply that all destination sets that I use should NOT use
> > > the "/*" option in the subpath? It doesn't make sense to me but hey,
> > > I'm still learning... :)
> > > 
> > > Cheers
> > > William R.
> > > 
> > > -----Original Message-----
> > > From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
> > > Sent: 02 December 2003 02:41 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Cannot access SSL sites
> > > 
> > > Just dropping in... I think Tom meant that the s&c rule should not
> > > contain any specifics, just the plain target domain name, "not even a
> > > /*" to cite him here. That would mean "full access" to the site
> > > defined in the rule.
> > > 
> > > Mark
> > > 
> > > > -----Original Message-----
> > > > From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
> > > > Posted At: Monday, December 01, 2003 3:43 PM
> > > > Posted To: www.isaserver.org
> > > > Conversation: [isalist] RE: Cannot access SSL sites
> > > > Subject: [isalist] RE: Cannot access SSL sites
> > > >
> > > > OK, I hear you. But if I tell you that the only difference between 2
> > > > usernames is that the one has an S&C rule with a limited
> > > > destination set (which includes the www.<domainname>.co.za that I
> > > > am trying to access), and the other has an S&C rule with an "Any
> > > > Site" S&C Rule, then I'd like to hear your thoughts on this.
> > > >
> > > > Tom's comment about users requiring "Full access" to the SSL
> > > > server confuses me, as the only Full Access that I can think of is
> > > > to give these users an "Any Site" S&C Rule as that is the only
> > > > difference between these users... but this doesn't make sense to me.
> > > >
> > > > As you rightly pointed out, 12209 indicates that there was a Proxy
> > > > Auth failure, which is maybe what Tom was talking about regarding
> > > > the Full Access for SSL, but I'm damned if I know where to
> > > > investigate this further...
> > > >
> > > > If you have any pearls of wisdom I will gladly accept them :)
> > > >
> > > > Cheers
> > > > William R.
> > > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > > > Sent: 01 December 2003 16:01 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Cannot access SSL sites
> > > >
> > > > Hi William,
> > > >
> > > > I haven't followed the thread as Tom was handling your issue.
> > > > If I can take you back in time, those log entries are pretty clear
> > > > to me:
> > > >
> > > > (first entry): the sc-result code is 10054.  This is a Winsock
> > > > response meaning the connection, although initially accepted
> > > > (listener responded), was dropped (reset) afterwards.  Since this
> > > > appears to be an SSL connection (SSL-tunnel), there may have been a
> > > > problem in the SSL handshake.
> > > >
> > > > (second entry): the sc-result code is 12209.  This is a proxy auth
> > > > failure.
> > > > Since there was no allowed traffic, there is no rule to quote.
> > > >
> > > >   Jim Harrison
> > > >   MCP(NT4, W2K), A+, Network+, PCG
> > > >   http://isaserver.org/Jim_Harrison/
> > > >   http://isatools.org
> > > >   Read the help / books / articles!
> > > >
> > > >
> > > > On Mon, 1 Dec 2003 09:05:36 +0200
> > > >  "William Robertson" <robertson.william@xxxxxxxxxxxxxx> wrote:
> > > >
> > > > Jim, it looks like Tom is probably getting some well deserved rest
> > > > as I haven't seen a post from him for a few days now. Would you
> > > > perhaps have any insight for me into the matter Tom highlighted
> > > > with regards my SSL issue?
> > > > See below for more info...
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
> > > > Sent: 26 November 2003 08:00 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Cannot access SSL sites
> > > >
> > > > Hi Tom
> > > >
> > > > When you say users require "Full Access" to the SSL Server, how
> > > > would you propose I implement this? I can think of no other way to
> > > > do this other than giving these users access to a S&C rule that
> > > > allows ALL destinations... and this doesn't make sense to me...?
> > > >
> > > > Your thoughts?
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> > > > Sent: 26 November 2003 00:45 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Cannot access SSL sites
> > > >
> > > > Hi William,
> > > >
> > > > Users must have full access to the server to which they create an SSL
> > > > connection because they cannot evaluate the path. If you have a
> > > > path in the rule allowing them access, then the connection request
> > > > fails. Even the dreaded /* can create this problem.
> > > >
> > > > HTH,
> > > > Tom
> > > >
> > > > -----Original Message-----
> > > > From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
> > > > Sent: Tuesday, November 25, 2003 8:06 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] Cannot access SSL sites
> > > >
> > > > Hi there
> > > >
> > > > I have some users who are "not allowed" to access the Internet. But
> > > > being the nice guy I am I managed to get management to approve the
> > > > "opening" of certain sites, such as the medical aid and pension
> > > > scheme websites. So to do this I created an S&C rule to allow the
> > > > necessary destination sets for all Domain Users. The trick with this
> > > > is that the Medical Aid website works just fine, but the Pension
> > > > website doesn't. I have now managed to figure out that the problem
> > > > is related to the fact that the Pension website is an HTTPS secure
> > > > site. In fact, for any HTTPS site that I "open", the users keep
> > > > getting prompted for their credentials, but any other HTTP website
> > > > works just fine.
> > > >
> > > > Here are the excerpts from the WEB log (I've removed all the
> > > > unnecessary info):
> > > > Medical Aid
> > > > <clientIP>, WillTest, Mozilla/4.0 etc etc, 11/25/2003, 15:35:57,
> > > > w3proxy, <FIREWALL>, -, www.sovhealth.co.za, 196.37.176.210, 80, 2953,
> > > > 455, 0, http, TCP, GET,
> > > > http://www.sovhealth.co.za/web/images/background.gif, image/gif, Inet,
> > > > 10054, 0x801002, pWEB Protocols, scWEB - Free Sites
> > > >
> > > > Pension Scheme
> > > > <clientIP>, WillTest, Mozilla/4.0 etc etc, 11/25/2003, 15:35:58,
> > > > w3proxy, <FIREWALL>, -, www.mebmac.co.za, -, 443, 0, 0, 0, SSL-tunnel,
> > > > TCP, -, www.mebmac.co.za:443, -, Inet, 12209, 0x0, pWEB Protocols, -
> > > >
> > > > As you can see, the Pension website doesn't find a matching Rule 2
> > > > (Site & Content Rule), and this I cannot understand. Is it
> > > > possible to declare HTTP and HTTPS website distinctions in the
> > > > Destination Sets?
> > > >
> > > > Cheers
> > > > William R.
> > > >
> > > > ------------------------------------------------------
> > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Other Internet Software Marketing Sites:
> > > > Leading Network Software Directory: http://www.serverfiles.com
> > > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > > Network Security Library: http://www.secinf.net/
> > > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > > jim@xxxxxxxxxxxx
> > > > To unsubscribe send a blank email to $subst('Email.Unsub')
> > > >
> > > > ---------------------------------------------------------------------
> > > > Everything in this e-mail and attachments relating to the official
> > > > business of Columbus Stainless is proprietary to the company. It is
> > > > confidential, legally privileged and protected by law. Columbus
> > > > Stainless does not own and endorse any other content. Views and
> > > > opinions are those of the sender unless clearly stated as being that
> > > > of Columbus Stainless. The person addressed in the e-mail is the sole
> > > > authorised recipient. Please notify the sender immediately if it has
> > > > unintentionally reached you and do not read, disclose or use the
> > > > content in any way. Whilst all reasonable steps are taken to ensure
> > > > the accuracy and integrity of information and data transmitted
> > > > electronically and to preserve the confidentiality thereof, no
> > > > liability or responsibility whatsoever is accepted if information or
> > > > data is, for whatever reason, corrupted or does not reach its intended
> > > > destination.
> > > > ---------------------------------------------------------------------
> > > >
> 
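The point Tom makes in the thread above (a destination-set entry that carries a path, even "/*", can match a plain HTTP request but never an SSL tunnel, because for a CONNECT the proxy only ever sees host:port) modelled in Python. This is an added example written for this page; it is not ISA Server code and not code from any participant. The rule-matching semantics are an assumed model of the behaviour described, the log column positions are an assumption taken from the order visible in William's excerpt, and the two log lines are reconstructed from that excerpt with its placeholders kept.

```python
"""Model of the rule matching behaviour described in this thread.

A destination-set entry that carries a path (even "/*") can match a plain
HTTP request, whose full URL the proxy sees, but never an SSL tunnel, where
the proxy sees only host:port from the CONNECT.  Written for this page as an
illustration; it is not ISA Server code.  Log column positions are taken
from the order visible in the excerpt quoted in the thread (an assumption).
"""
from dataclasses import dataclass
from typing import Optional, Sequence
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Destination:
    host: str                   # exact host, or "*.example.test" wildcard
    path: Optional[str] = None  # None = whole server; "/*" or "/sub/*" = path filter


@dataclass(frozen=True)
class ProxyView:
    """What the proxy can see of one request."""
    host: str
    port: int
    path: Optional[str]         # None for an SSL tunnel: the URL is inside TLS


def view_from_log(line: str) -> ProxyView:
    """Read one (column-trimmed) proxy log line as posted in the thread.

    Assumed column order, as visible in the excerpt: destination host at
    index 8, destination port at 10, protocol at 14, requested object at 17.
    """
    f = [c.strip() for c in line.split(",")]
    host, port, protocol, obj = f[8], int(f[10]), f[14], f[17]
    if protocol == "SSL-tunnel":
        return ProxyView(host, port, None)      # object is only host:port
    return ProxyView(host, port, urlsplit(obj).path or "/")


def host_matches(pattern: str, host: str) -> bool:
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host == pattern[2:] or host.endswith(pattern[1:])
    return pattern == host


def path_matches(pattern: str, path: str) -> bool:
    if pattern.endswith("/*"):
        base = pattern[:-2] or "/"              # "/*" -> "/", "/web/*" -> "/web"
        return path == base or path.startswith(base.rstrip("/") + "/")
    return path == pattern


def entry_allows(dest: Destination, view: ProxyView) -> bool:
    if not host_matches(dest.host, view.host):
        return False
    if dest.path is None:
        return True                 # whole-server entry: a host match is enough
    if view.path is None:
        return False                # tunnel: no path to compare, so even "/*" fails
    return path_matches(dest.path, view.path)


def decide(destination_set: Sequence[Destination], view: ProxyView) -> str:
    return "allow" if any(entry_allows(d, view) for d in destination_set) else "deny"


# Constructed from the two log entries quoted in the thread, placeholders kept.
LOG_LINES = [
    "<clientIP>, WillTest, Mozilla/4.0 etc etc, 11/25/2003, 15:35:57, w3proxy, "
    "<FIREWALL>, -, www.sovhealth.co.za, 196.37.176.210, 80, 2953, 455, 0, http, "
    "TCP, GET, http://www.sovhealth.co.za/web/images/background.gif, image/gif, "
    "Inet, 10054, 0x801002, pWEB Protocols, scWEB - Free Sites",
    "<clientIP>, WillTest, Mozilla/4.0 etc etc, 11/25/2003, 15:35:58, w3proxy, "
    "<FIREWALL>, -, www.mebmac.co.za, -, 443, 0, 0, 0, SSL-tunnel, TCP, -, "
    "www.mebmac.co.za:443, -, Inet, 12209, 0x0, pWEB Protocols, -",
]

# The destination set as first built (with "/*"), and the whole-server form.
WITH_SUBPATH = [Destination("www.sovhealth.co.za", "/*"), Destination("www.mebmac.co.za", "/*")]
WHOLE_SERVER = [Destination("www.sovhealth.co.za"), Destination("www.mebmac.co.za")]


def decisions(destination_set: Sequence[Destination]) -> list:
    return [decide(destination_set, view_from_log(line)) for line in LOG_LINES]


if __name__ == "__main__":
    for name, ds in (("with /* subpath", WITH_SUBPATH), ("whole server", WHOLE_SERVER)):
        for line, verdict in zip(LOG_LINES, decisions(ds)):
            v = view_from_log(line)
            print(f"{name:16} {v.host}:{v.port} path={v.path!r} -> {verdict}")
```

Run stand-alone, it prints the verdict for both destination sets against both log entries: the port-80 GET is allowed either way, while the port-443 SSL-tunnel entry is denied by the set that carries "/*" and allowed only by the whole-server set. The practical consequence for anyone writing such rules is that a destination set meant to cover an HTTPS site has to be host-granular; anything finer than host:port cannot be enforced at the proxy for a tunnel, because the path never leaves the TLS session.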


Other related posts: