Thanks Tom, I completely forgot about this implication. Well, I'm not
supposed to remember everything anyway. At least I know whom I can ask :)

> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> Posted At: Tuesday, December 02, 2003 12:55 PM
> Posted To: www.isaserver.org
> Conversation: [isalist] RE: Cannot access SSL sites
> Subject: [isalist] RE: Cannot access SSL sites
>
> http://www.ISAserver.org
>
> Hi Mark,
>
> The ISA firewall can't determine that path after the tunnel is created.
> So, if you don't allow access to the entire server (which means NOT
> entering a path), then the request will be denied. Even though /*
> putatively means everything on the server, the ISA firewall doesn't
> interpret this way after the SSL tunnel is established.
>
> HTH,
> Tom
>
> -----Original Message-----
> From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
> Sent: Tuesday, December 02, 2003 4:20 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Cannot access SSL sites
>
> Jim could you elaborate a bit on the /* problem? Thanks.
>
> > -----Original Message-----
> > From: Mark Hippenstiel
> > Posted At: Tuesday, December 02, 2003 10:27 AM
> > Posted To: www.isaserver.org
> > Conversation: [isalist] RE: Cannot access SSL sites
> > Subject: [isalist] RE: Cannot access SSL sites
> >
> > Roentgen eyes ;)
> >
> > But no, I was just explaining what Tom had said.
> >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > > Posted At: Tuesday, December 02, 2003 8:09 AM
> > > Posted To: www.isaserver.org
> > > Conversation: [isalist] RE: Cannot access SSL sites
> > > Subject: [isalist] RE: Cannot access SSL sites
> > >
> > > Did I miss the ISAInfo on this one?
> > > Where did you (Mark) see the /* in the path?
> > >
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://www.microsoft.com/isaserver
> > > http://isaserver.org/Jim_Harrison
> > > http://isatools.org
> > >
> > > Read the help, books and articles!
> > > ----- Original Message -----
> > > From: "William Robertson" <robertson.william@xxxxxxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Monday, December 01, 2003 21:38
> > > Subject: [isalist] RE: Cannot access SSL sites
> > >
> > > Kerplunk!!!
> > > <sheepish grin as I haul myself back into my chair>
> > >
> > > Thanks Mark, that was exactly it. My "limited" destination sets all
> > > had the "/*" subpath included as I naively thought that this would
> > > ensure that ALL the possible paths on that domain would then be
> > > allowed. Silly me!!! Looks like it decided to actually restrict as
> > > opposed to allow all paths.
> > >
> > > Would this imply that all destination sets that I use should NOT use
> > > the "/*" option in the subpath? It doesn't make sense to me but hey,
> > > I'm still learning... :)
> > >
> > > Cheers
> > > William R.
> > >
> > > -----Original Message-----
> > > From: Mark Hippenstiel [mailto:M.Hippenstiel@xxxxxxxxxxxx]
> > > Sent: 02 December 2003 02:41 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Cannot access SSL sites
> > >
> > > Just dropping in... I think Tom meant that the s&c rule should not
> > > contain any specifics, just the plain target domain name, "not even a
> > > /*" to cite him here. That would mean "full access" to the site
> > > defined in the rule.
> > >
> > > Mark
> > >
> > > > -----Original Message-----
> > > > From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
> > > > Posted At: Monday, December 01, 2003 3:43 PM
> > > > Posted To: www.isaserver.org
> > > > Conversation: [isalist] RE: Cannot access SSL sites
> > > > Subject: [isalist] RE: Cannot access SSL sites
> > > >
> > > > OK, I hear you. But if I tell you that the only difference between 2
> > > > usernames is that the one has an S&C rule with a limited
> > > > destination set (which includes the www.<domainname>.co.za that I
> > > > am trying to access), and the other has an S&C rule with an "Any
> > > > Site" S&C Rule, then I'd like to hear your thoughts on this.
> > > >
> > > > Tom's comment about users requiring "Full access" to the SSL
> > > > server confuses me, as the only Full Access that I can think of is
> > > > to give these users an "Any Site" S&C Rule as that is the only
> > > > difference between these users...
> > > > but this doesn't make sense to me.
> > > >
> > > > As you rightly pointed out, 12209 indicates that there was a Proxy
> > > > Auth failure, which is maybe what Tom was talking about regarding
> > > > the Full Access for SSL, but I'm damned if I know where to
> > > > investigate this further...
> > > >
> > > > If you have any pearls of wisdom I will gladly accept them :)
> > > >
> > > > Cheers
> > > > William R.
> > > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
> > > > Sent: 01 December 2003 16:01 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Cannot access SSL sites
> > > >
> > > > Hi William,
> > > >
> > > > I haven't followed the thread as Tom was handling your issue.
> > > > If I can take you back in time, those log entries are pretty clear
> > > > to me:
> > > >
> > > > (first entry): the sc-result code is 10054. This is a Winsock
> > > > response meaning the connection, although initially accepted
> > > > (listener responded), the connection was dropped (reset)
> > > > afterwards. Since this appears to be an SSL connection
> > > > (SSL-tunnel), there may have been a problem in the SSL
> > > > handshake.
> > > >
> > > > (second entry): the sc-result code is 12209. This is a proxy auth
> > > > failure.
> > > > Since there was no allowed traffic, there is no rule to quote.
> > > >
> > > > Jim Harrison
> > > > MCP(NT4, W2K), A+, Network+, PCG
> > > > http://isaserver.org/Jim_Harrison/
> > > > http://isatools.org
> > > > Read the help / books / articles!
> > > >
> > > > On Mon, 1 Dec 2003 09:05:36 +0200
> > > > "William Robertson" <robertson.william@xxxxxxxxxxxxxx> wrote:
> > > >
> > > > Jim, it looks like Tom is probably getting some well deserved rest
> > > > as I haven't seen a post from him for a few days now. Would you
> > > > perhaps have any insight for me into the matter Tom highlighted
> > > > with regards my SSL issue?
> > > > See below for more info...
> > > >
> > > > -----Original Message-----
> > > > From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
> > > > Sent: 26 November 2003 08:00 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Cannot access SSL sites
> > > >
> > > > Hi Tom
> > > >
> > > > When you say users require "Full Access" to the SSL Server, how
> > > > would you propose I implement this? I can think of no other way to
> > > > do this other than giving these users access to a S&C rule that
> > > > allows ALL destinations... and this doesn't make sense to me...?
> > > >
> > > > Your thoughts?
> > > >
> > > > -----Original Message-----
> > > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
> > > > Sent: 26 November 2003 00:45 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Cannot access SSL sites
> > > >
> > > > Hi William,
> > > >
> > > > Users must have full access to the server to which they create an SSL
> > > > connection because they cannot evaluate the path. If you have a
> > > > path in the rule allowing them access, then the connection request
> > > > fails. Even the dreaded /* can create this problem.
> > > >
> > > > HTH,
> > > > Tom
> > > >
> > > > -----Original Message-----
> > > > From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx]
> > > > Sent: Tuesday, November 25, 2003 8:06 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] Cannot access SSL sites
> > > >
> > > > Hi there
> > > >
> > > > I have some users who are "not allowed" to access the Internet. But
> > > > being the nice guy I am I managed to get management to approve the
> > > > "opening" of certain sites, such as the medical aid and pension scheme
> > > > websites. So to do this I created an S&C rule to allow the necessary
> > > > destination sets for all Domain Users. The trick with this is that the
> > > > Medical Aid website works just fine, but the Pension website
> > > > doesn't. I have now managed to figure out that the problem is
> > > > related to the fact that the Pension website is an HTTPS secure site.
> > > > In fact, any HTTPS site that I "open", the users keep getting prompted
> > > > for their credentials, but any other HTTP website works just fine.
> > > >
> > > > Here are the excerpts from the WEB log (I've removed all the
> > > > unnecessary info):
> > > >
> > > > Medical Aid
> > > > <clientIP>, WillTest, Mozilla/4.0 etc etc, 11/25/2003, 15:35:57, w3proxy, <FIREWALL>, -, www.sovhealth.co.za, 196.37.176.210, 80, 2953, 455, 0, http, TCP, GET, http://www.sovhealth.co.za/web/images/background.gif, image/gif, Inet, 10054, 0x801002, pWEB Protocols, scWEB - Free Sites
> > > >
> > > > Pension Scheme
> > > > <clientIP>, WillTest, Mozilla/4.0 etc etc, 11/25/2003, 15:35:58, w3proxy, <FIREWALL>, -, www.mebmac.co.za, -, 443, 0, 0, 0, SSL-tunnel, TCP, -, www.mebmac.co.za:443, -, Inet, 12209, 0x0, pWEB Protocols, -
> > > >
> > > > As you can see, the Pension website doesn't find a matching Rule 2
> > > > (Site & Content Rule), and this I cannot understand. Is it
> > > > possible to declare HTTP and HTTPS website distinctions in the
> > > > Destination Sets?
> > > >
> > > > Cheers
> > > > William R.
> > > >
> > > > ------------------------------------------------------
> > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Other Internet Software Marketing Sites:
> > > > Leading Network Software Directory: http://www.serverfiles.com
> > > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > > Network Security Library: http://www.secinf.net/
> > > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > > jim@xxxxxxxxxxxx
> > > > To unsubscribe send a blank email to $subst('Email.Unsub')
> > > >
> > > > ---------------------------------------------------------------------
> > > > Everything in this e-mail and attachments relating to the official
> > > > business of Columbus Stainless is proprietary to the company. It is
> > > > confidential, legally privileged and protected by law. Columbus
> > > > Stainless does not own and endorse any other content. Views and
> > > > opinions are those of the sender unless clearly stated as being that
> > > > of Columbus Stainless. The person addressed in the e-mail is the sole
> > > > authorised recipient. Please notify the sender immediately if it has
> > > > unintentionally reached you and do not read, disclose or use the
> > > > content in any way. Whilst all reasonable steps are taken to ensure
> > > > the accuracy and integrity of information and data transmitted
> > > > electronically and to preserve the confidentiality thereof, no
> > > > liability or responsibility whatsoever is accepted if information or
> > > > data is, for whatever reason, corrupted or does not reach its intended
> > > > destination.
> > > > ---------------------------------------------------------------------
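
An added illustration, not part of the thread and not ISA Server's own code: a simplified Python model of the behaviour Tom describes (a destination set entry that carries a path, even `/*`, cannot match an SSL-tunnel request because only `host:port` is visible), run against the two log lines William posted. The destination sets, the function names and the positional field layout are assumptions made for this example.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed destination sets: (host, path); path None = no path entered.
# Set names are hypothetical; the hosts come from the log excerpt above.
WITH_PATHS = [("www.sovhealth.co.za", "/*"), ("www.mebmac.co.za", "/*")]
HOST_ONLY = [("www.sovhealth.co.za", "/*"), ("www.mebmac.co.za", None)]

# The two log lines posted in the thread, placeholders kept as posted.
LOG = [
    "<clientIP>, WillTest, Mozilla/4.0 etc etc, 11/25/2003, 15:35:57, "
    "w3proxy, <FIREWALL>, -, www.sovhealth.co.za, 196.37.176.210, 80, "
    "2953, 455, 0, http, TCP, GET, "
    "http://www.sovhealth.co.za/web/images/background.gif, image/gif, "
    "Inet, 10054, 0x801002, pWEB Protocols, scWEB - Free Sites",
    "<clientIP>, WillTest, Mozilla/4.0 etc etc, 11/25/2003, 15:35:58, "
    "w3proxy, <FIREWALL>, -, www.mebmac.co.za, -, 443, 0, 0, 0, "
    "SSL-tunnel, TCP, -, www.mebmac.co.za:443, -, Inet, 12209, 0x0, "
    "pWEB Protocols, -",
]

def entry_matches(entry, protocol, obj):
    """Simplified model of the matching behaviour described in the thread."""
    host, path = entry
    if protocol == "SSL-tunnel":
        # Only host:port is visible for a tunnel, so an entry carrying
        # any path (even /*) cannot be evaluated and does not match.
        return path is None and obj.rsplit(":", 1)[0].lower() == host
    url = urlsplit(obj)
    if (url.hostname or "").lower() != host:
        return False
    return path is None or fnmatchcase(url.path or "/", path)

def allowed(dest_set, protocol, obj):
    """True if any entry of the destination set matches the request."""
    return any(entry_matches(e, protocol, obj) for e in dest_set)

def parse_line(line):
    """Split a log line; field order assumed to be that of the excerpt."""
    f = [x.strip() for x in line.split(",")]
    return {"user": f[1], "host": f[8], "protocol": f[14],
            "object": f[17], "result": int(f[20]), "sc_rule": f[23]}

def tunnel_denials(lines, dest_set):
    """SSL-tunnel requests logged with 12209 and no S&C rule, for hosts
    that the destination set lists only with a path."""
    hits = []
    for rec in map(parse_line, lines):
        if rec["protocol"] != "SSL-tunnel" or rec["result"] != 12209:
            continue
        if rec["sc_rule"] != "-":
            continue
        paths = [p for h, p in dest_set if h == rec["host"]]
        if paths and all(p is not None for p in paths):
            hits.append((rec["user"], rec["host"], paths))
    return hits

if __name__ == "__main__":
    for name, ds in (("with paths", WITH_PATHS), ("host only", HOST_ONLY)):
        for rec in map(parse_line, LOG):
            ok = allowed(ds, rec["protocol"], rec["object"])
            print(name, rec["protocol"], rec["host"], "allowed" if ok else "denied")
        print(name, "flagged:", tunnel_denials(LOG, ds))
```
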