[isalist] Re: Cert for OWA

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 20 May 2006 09:11:25 -0500

http://www.ISAserver.org
-------------------------------------------------------

I read somewhere that application layer inspection firewalls are actually
able to take information in the application layer headers and data and
make intelligent decisions based on that data. Yes, I remember now, I
wrote a 1000+ book about it and the solution is in there. Go to the Web
Publishing chapter. You'll solve all these SSL problems and the current
one.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew English
> Sent: Saturday, May 20, 2006 9:13 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Cert for OWA
> 
>   
> Yes, but if the request is for the following website,
> www.autosoldnow.com, how does it know under the web server publishing
> rule that anything with /exchange goes to serverA while anything with
> /ssapp/asn.html goes to serverB?
> 
> Andrew
> 
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Saturday, May 20, 2006 2:06 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Cert for OWA
> 
>   
> You
> Don't
> 
> You create two separate rules, Andy. 
> 
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Andrew English
> Sent: Friday, May 19, 2006 20:49
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Cert for OWA
> 
> Uhm okay Jim so how do I tell ISA the following under one server publish
> website rule?
> 
>  
> 
> https://www.autosoldnow.com/ssapp/asn.html goes to 192.168.1.10
> 
> https://www.autsoldnow.com/exchange goes to 192.168.1.2
> 
>  
> 
> Andrew
> 
>  
> 
>  
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Friday, May 19, 2006 9:05 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Cert for OWA
> 
>  
> 
> 
>   
> 
> ..so don't use the same listener for both sites.
> 
> C'mon, Andy - take a moment to think it through.
> 
>  
> 
> -----Original Message-----
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> 
> On Behalf Of Andrew English
> 
> Sent: Friday, May 19, 2006 4:38 PM
> 
> To: isalist@xxxxxxxxxxxxx
> 
> Subject: [isalist] Re: Cert for OWA
> 
>  
> 
> 
>   
> 
>  
> 
> The problem, Jim, is their web site doesn't use IIS, it uses JBoss which is
> a Java Application Server, normally JBoss sits on Tomcat but this time
> around there isn't any Tomcat running so I am not sure what the script
> kiddies have done. There is no Tomcat server running under services.msc,
> there is no Apache running anywhere, it all runs from one box.
> 
> The second box of course runs Exchange 2003 on top of AD which doesn't
> want swing for me without telling me that the version of AD is not the
> same as the other 2003 server even though I raised the domain and forest
> levels to 2003.
> 
>  
> 
> Andrew
> 
>  
> 
>  
> 
> -----Original Message-----
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> 
> On Behalf Of Jim Harrison
> 
> Sent: Friday, May 19, 2006 5:59 PM
> 
> To: isalist@xxxxxxxxxxxxx
> 
> Subject: [isalist] Re: Cert for OWA
> 
>  
> 
> 
>   
> 
> This is called "redirect to HTTPS" and is supported in IIS.
> You can even do it with ISA if you use the isa_redirects package I
> built.
> 
>  
> 
>  
> 
> -------------------------------------------------------
> 
>    Jim Harrison
> 
>    MCP(NT4, W2K), A+, Network+, PCG
> 
>    http://isaserver.org/Jim_Harrison/
> 
>    http://isatools.org
> 
>    Read the help / books / articles!
> 
> -------------------------------------------------------
> 
>  
> 
>  
> 
> -----Original Message-----
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> 
> On Behalf Of Andrew English
> 
> Sent: Friday, May 19, 2006 15:08
> 
> To: isalist@xxxxxxxxxxxxx
> 
> Subject: [isalist] Re: Cert for OWA
> 
>  
> 
> 
>   
> 
>  
> 
> As for OWA we are in the process of buying a separate cert for that. As
> before what was happening is they had their Linux box flipping the HTTP
> to HTTPS for both the web and exchange site which both run on two
> different LAN servers. Since the dealers themselves are too computer
> illiterate to know what Internet Explorer is let alone where the Address
> bar is located we had to keep the cert for the web site and flip to HTTP
> so that portions of the site that stopped working when the cert was
> originally installed can function normally again.
> 
>  
> 
> Andrew
> 
>  
> 
>  
> 
> -----Original Message-----
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> 
> On Behalf Of Jim Harrison
> 
> Sent: Friday, May 19, 2006 5:47 PM
> 
> To: isalist@xxxxxxxxxxxxx
> 
> Subject: [isalist] Re: Cert for OWA
> 
>  
> 
> 
>   
> 
> ..then the subject is irrelevant to the question?
> "Cert for OWA" seems to indicate to the rest of us that this was about
> OWA publishing.
> 
>  
> 
>  
> 
> -------------------------------------------------------
> 
>    Jim Harrison
> 
>    MCP(NT4, W2K), A+, Network+, PCG
> 
>    http://isaserver.org/Jim_Harrison/
> 
>    http://isatools.org
> 
>    Read the help / books / articles!
> 
> -------------------------------------------------------
> 
>  
> 
>  
> 
> -----Original Message-----
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> 
> On Behalf Of Andrew English
> 
> Sent: Friday, May 19, 2006 14:49
> 
> To: isalist@xxxxxxxxxxxxx
> 
> Subject: [isalist] Re: Cert for OWA
> 
>  
> 
> Ah no.
> 
>  
> 
>  
> 
>  
> 
> The username and passwords are only contained within the site itself,
> they are not associated to AD in any way, shape or form. So if someone
> wants to see what dealerA has sold on the network be my guest, but
> their login name and password don't work anywhere else but on the
> website.
> 
>  
> 
>  
> 
>  
> 
> Andrew
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
> ________________________________
> 
>  
> 
> From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> 
> On Behalf Of Mark Morgan
> 
> Sent: Friday, May 19, 2006 5:18 PM
> 
> To: isalist@xxxxxxxxxxxxx
> 
> Subject: [isalist] Re: Cert for OWA
> 
>  
> 
>  
> 
>  
> 
> It really does not matter if there is no personal or confidential info
> on the site, if you pass the user id and password via http the user
> domain credentials can be compromised, which someone could then use to
> login to VPN etc.
> 
>  
> 
>  
> 
>  
> 
>           -----Original Message-----
> 
>           From: isalist-bounce@xxxxxxxxxxxxx
> 
> [mailto:isalist-bounce@xxxxxxxxxxxxx]On Behalf Of Andrew English
> 
>           Sent: Friday, May 19, 2006 12:56 PM
> 
>           To: isalist@xxxxxxxxxxxxx
> 
>           Subject: RE: [isalist] Re: Cert for OWA
> 
>  
> 
>           Hi Gerald, 
> 
>  
> 
>            
> 
>  
> 
>           Thanks for the bit of information as it never crossed my mind
>           that without SSL installed usernames and passwords are sent in clear
>           text format.
> 
>  
> 
>            
> 
>  
> 
>           Actually the site is more broken with the SSL enabled than it is
>           without it. So I am not too worried as it is changing to a different
>           front-end/back-end within the coming months which will switch back to
>           using SSL. It's more important if people can access the site correctly
>           now than to have them calling us everyday asking what's wrong, and yes
>           we are aware of the trade-off it has, but since the site doesn't contain
>           any personal or confidential information we are not too worried about it.
> 
>  
> 
>            
> 
>  
> 
>           Regards,
> 
>  
> 
>           Andrew
> 
>  
> 
>            
> 
>  
> 
>           
> 
> ________________________________
> 
>  
> 
>  
> 
>           From: isalist-bounce@xxxxxxxxxxxxx on behalf of 
> Young, Gerald
> G
> 
>           Sent: Fri 19/05/2006 3:16 PM
> 
>           To: isalist@xxxxxxxxxxxxx
> 
>           Subject: [isalist] Re: Cert for OWA
> 
>  
> 
>           How are you connecting then?
> 
>  
> 
>            
> 
>  
> 
>           https:// is for SSL.
> 
>  
> 
>           http:// does not use SSL or the certificate you just installed.
> 
>           I hope you're not planning on authenticating users over just an
>           http connection: the username and password will be sent in clear text
>           that anyone can grab should they be listening.
> 
>  
> 
>           Cordially yours,
> 
>           Jerry G. Young II
> 
>             MCSE (4.0/W2K)
> 
>           Atlanta EES Implementation Team Lead
> 
>           ECNS Microsoft Engineering
> 
>           Unisys 
> 
>  
> 
>           11493 Sunset Hills Rd.
> 
>           Reston, VA 20190
> 
>           Office: 703-579-2727
> 
>           Cell: 703-625-1468 
> 
>  
> 
> 
>  
> 
>           
> 
> ________________________________
> 
>  
> 
>  
> 
>           From: isalist-bounce@xxxxxxxxxxxxx
> 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew English
> 
>           Sent: Friday, May 19, 2006 3:08 PM
> 
>           To: isalist@xxxxxxxxxxxxx
> 
>           Subject: RE: [isalist] Re: Cert for OWA
> 
>  
> 
>            
> 
>  
> 
>           I figured it out.. After I exported the SSL cert to pfx on IIS6
>           and imported it into ISA I was able to surf to the site, however I had
>           enabled SSL on the webpage and for some reason it was telling me I had
>           to https:// to the site which I was doing, as soon as I removed the
>           (required SSL) from the web site I was able to access it. Then I applied
>           the html I had to redirect the site back to http. (grin)
> 
>  
> 
>            
> 
>  
> 
>           Thanks for those who helped I really do appreciate it!
> 
>  
> 
>            
> 
>  
> 
>           Regards,
> 
>  
> 
>           Andrew
> 
>  
> 
>            
> 
>  
> 
> 
>  
> 
>  
> 
>  
> 
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
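
The two-rule answer in the thread, modelled as an added example (not code from any poster and not how ISA Server is implemented): a reverse proxy chooses a back-end from the host and path of the request. The rule table, function names, the `/ssapp` prefix, whole-segment matching and the HTTP-to-HTTPS redirect are assumptions for illustration; the host name and addresses are the ones given in the thread.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed rule table: one public host name, two publishing rules,
# each matching a path prefix and forwarding to its own internal server.
RULES = [
    {"name": "OWA", "host": "www.autosoldnow.com",
     "path": "/exchange", "backend": "192.168.1.2"},
    {"name": "Site", "host": "www.autosoldnow.com",
     "path": "/ssapp", "backend": "192.168.1.10"},
]


def normalize_path(raw_path):
    """Percent-decode once and collapse ./ and ../ so rules see the real path."""
    path = posixpath.normpath(unquote(raw_path) or "/")
    # normpath keeps a leading '//' on POSIX paths; force exactly one slash.
    return "/" + path.lstrip("/")


def route(url):
    """Return (action, detail): 'forward', 'redirect' or 'deny'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = normalize_path(parts.path)
    for rule in RULES:
        if host != rule["host"]:
            continue
        prefix = rule["path"]
        lowered = path.lower()
        # Match whole path segments: /exchange and /exchange/x, not /exchange2.
        if lowered == prefix or lowered.startswith(prefix + "/"):
            if parts.scheme != "https":
                # Logins over plain HTTP expose the credentials on the wire,
                # so send the client to HTTPS instead of forwarding.
                return ("redirect", "https://" + host + path)
            return ("forward", rule["backend"])
    # Default deny: a request that matches no rule never reaches a server.
    return ("deny", "no publishing rule matched")


if __name__ == "__main__":
    for sample in (  # constructed sample requests
        "https://www.autosoldnow.com/exchange",
        "https://www.autosoldnow.com/ssapp/asn.html",
        "http://www.autosoldnow.com/ssapp/asn.html",
        "https://www.autosoldnow.com/exchange/../ssapp/asn.html",
        "https://www.autosoldnow.com/exchange2",
    ):
        print(sample, "->", route(sample))
```

Normalizing before matching is what keeps a request such as `/exchange/../ssapp/asn.html` from being evaluated against the wrong rule.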
