RE: Cannot access SSL sites

  • From: Jim Harrison <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 01 Dec 2003 06:00:40 -0800

Hi William,

I haven't followed the thread as Tom was handling your issue.
If I can take you back in time, those log entries are pretty clear to me:

(first entry): the sc-result code is 10054.  This is a Winsock response meaning 
that, although the connection was initially accepted (the listener responded), 
it was dropped (reset) afterwards.  Since this appears to be an SSL 
connection (SSL-tunnel), there may have been a problem in the SSL handshake.

(second entry): the sc-result code is 12209.  This is a proxy auth failure.  
Since there was no allowed traffic, there is no rule to quote.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!


On Mon, 1 Dec 2003 09:05:36 +0200
 "William Robertson" <robertson.william@xxxxxxxxxxxxxx> wrote:
http://www.ISAserver.org

Jim, it looks like Tom is probably getting some well deserved rest as I
haven't seen a post from him for a few days now. Would you perhaps have any
insight for me into the matter Tom highlighted with regard to my SSL issue?
See below for more info...


-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] 
Sent: 26 November 2003 08:00 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Cannot access SSL sites


Hi Tom

When you say users require "Full Access" to the SSL Server, how would you
propose I implement this? I can think of no other way to do this other than
giving these users access to an S&C rule that allows ALL destinations... and
this doesn't make sense to me...?

Your thoughts?


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: 26 November 2003 00:45 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Cannot access SSL sites


Hi William,

Users must have full access to the server to which they create an SSL
connection because they cannot evaluate the path. If you have a path in
the rule allowing them access, then the connection request fails. Even
the dreaded /* can create this problem.

HTH,
Tom 

-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] 
Sent: Tuesday, November 25, 2003 8:06 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Cannot access SSL sites


Hi there

I have some users who are "not allowed" to access the Internet. But
being the nice guy I am I managed to get management to approve the
"opening" of certain sites, such as the medical aid and pension scheme
websites. So to do this I created an S&C rule to allow the necessary
destination sets for all Domain Users. The trick with this is that the
Medical Aid website works just fine, but the Pension website doesn't. I
have now managed to figure out that the problem is related to the fact
that the Pension website is an HTTPS secure site. In fact, any HTTPS
site that I "open", the users keep getting prompted for their
credentials, but any other HTTP website works just fine.

Here are the excerpts from the WEB log (I've removed all the unnecessary
info):

Medical Aid
<clientIP>, WillTest, Mozilla/4.0 etc etc, 11/25/2003, 15:35:57, w3proxy, <FIREWALL>, -, www.sovhealth.co.za, 196.37.176.210, 80, 2953, 455, 0, http, TCP, GET, http://www.sovhealth.co.za/web/images/background.gif, image/gif, Inet, 10054, 0x801002, pWEB Protocols, scWEB - Free Sites

Pension Scheme
<clientIP>, WillTest, Mozilla/4.0 etc etc, 11/25/2003, 15:35:58, w3proxy, <FIREWALL>, -, www.mebmac.co.za, -, 443, 0, 0, 0, SSL-tunnel, TCP, -, www.mebmac.co.za:443, -, Inet, 12209, 0x0, pWEB Protocols, -

As you can see, the Pension website doesn't find a matching Rule 2 (Site
& Content Rule), and this I cannot understand. Is it possible to declare
HTTP and HTTPS website distinctions in the Destination Sets?

Cheers
William R.
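As an added illustration that is not part of this thread (my own code, not ISA Server's): the Python below parses the two trimmed log lines William posted, labels the two result codes the way Jim explains them, and then models Tom's point with a toy destination-set rule. The column names follow the ISA Server 2000 W3C web-proxy log layout as I recall it, which is an assumption since the excerpt was trimmed; the log lines are reconstructed from the thread with the poster's <clientIP> and <FIREWALL> placeholders kept as written; the rule matching is a deliberately simplified model of Site & Content rules, not the product's algorithm. The point it shows is that an SSL-tunnel (CONNECT) request exposes only host:port to the proxy, so any rule that carries a path, even /*, can never match it, while a whole-site rule can.

```python
"""Added illustration for the ISA log thread above (not ISA Server code).

Parses the two trimmed web-proxy log entries from the thread, explains the
result codes the way Jim did, and models why a destination set with a path
cannot match an SSL-tunnel request (Tom's point).  Column names are an
assumption based on the ISA Server 2000 W3C web-proxy log layout.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional
from urllib.parse import urlparse

# Assumed column order for the trimmed excerpt (24 comma-separated fields).
FIELDS = [
    "c-ip", "cs-username", "c-agent", "date", "time", "s-svcname",
    "s-computername", "cs-referred", "r-host", "r-ip", "r-port",
    "time-taken", "cs-bytes", "sc-bytes", "cs-protocol", "cs-transport",
    "s-operation", "cs-uri", "cs-mime-type", "s-object-source",
    "sc-status", "s-cache-info", "rule#1", "rule#2",
]

# The two entries from the thread, joined onto one line each (constructed
# from the excerpt; <clientIP> and <FIREWALL> are the poster's placeholders).
MEDICAL_AID = (
    "<clientIP>, WillTest, Mozilla/4.0 etc etc, 11/25/2003, 15:35:57, "
    "w3proxy, <FIREWALL>, -, www.sovhealth.co.za, 196.37.176.210, 80, 2953, "
    "455, 0, http, TCP, GET, "
    "http://www.sovhealth.co.za/web/images/background.gif, image/gif, Inet, "
    "10054, 0x801002, pWEB Protocols, scWEB - Free Sites"
)
PENSION = (
    "<clientIP>, WillTest, Mozilla/4.0 etc etc, 11/25/2003, 15:35:58, "
    "w3proxy, <FIREWALL>, -, www.mebmac.co.za, -, 443, 0, 0, 0, SSL-tunnel, "
    "TCP, -, www.mebmac.co.za:443, -, Inet, 12209, 0x0, pWEB Protocols, -"
)

# Meanings as given in the thread: 10054 is the Winsock reset code
# (WSAECONNRESET), 12209 a proxy authentication/authorization failure.
STATUS_MEANING = {
    "10054": "accepted then reset (Winsock WSAECONNRESET); on SSL-tunnel, suspect the handshake",
    "12209": "proxy auth failure: no allow rule matched, so the client is re-prompted",
}


def parse_entry(line: str) -> dict:
    """Split one trimmed log line into a dict keyed by the assumed columns."""
    values = [v.strip() for v in line.split(",")]
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return dict(zip(FIELDS, values))


def diagnose(entry: dict) -> dict:
    """Summarise what the entry says: tunnel or not, status meaning, rule hit."""
    return {
        "ssl_tunnel": entry["cs-protocol"] == "SSL-tunnel",
        "status": entry["sc-status"],
        "meaning": STATUS_MEANING.get(entry["sc-status"], "unknown status"),
        "rule_matched": None if entry["rule#2"] == "-" else entry["rule#2"],
    }


@dataclass
class DestinationRule:
    """Toy Site & Content rule: a host plus an optional path glob (None = whole site)."""
    name: str
    host: str
    path: Optional[str] = None


def request_target(entry: dict):
    """Return (host, path) as the proxy sees it. A CONNECT tunnel exposes only host:port."""
    if entry["cs-protocol"] == "SSL-tunnel":
        host = entry["cs-uri"].rsplit(":", 1)[0]
        return host, None          # nothing inside the tunnel is visible
    url = urlparse(entry["cs-uri"])
    return url.hostname, url.path or "/"


def rule_matches(rule: DestinationRule, entry: dict) -> bool:
    """Whole-site rules match on host alone; path rules need a visible path."""
    host, path = request_target(entry)
    if host != rule.host:
        return False
    if rule.path is None:
        return True                # whole-site rule: host decides
    if path is None:
        return False               # path rule cannot be evaluated for a tunnel
    return fnmatch(path, rule.path)


def first_matching_rule(rules, entry):
    """Name of the first rule that allows the entry, or None (the log's '-')."""
    for rule in rules:
        if rule_matches(rule, entry):
            return rule.name
    return None


if __name__ == "__main__":
    rules = [
        DestinationRule("medical aid (path)", "www.sovhealth.co.za", "/web/*"),
        DestinationRule("pension (path, never matches SSL)", "www.mebmac.co.za", "/*"),
        DestinationRule("pension (whole site)", "www.mebmac.co.za"),
    ]
    for line in (MEDICAL_AID, PENSION):
        entry = parse_entry(line)
        print(entry["cs-uri"], diagnose(entry), "->", first_matching_rule(rules, entry))
```

Running it with only the "/*" pension rule in place reproduces what the log shows: the HTTPS request matches no rule and the client is re-prompted; adding the whole-site rule for www.mebmac.co.za is what lets the tunnel through, which is what Tom's "full access to the server" amounts to in this model.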


