Re: IP Packet filter needed IN ADDITION TO Web Publishing Rule ???

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 30 Sep 2002 17:46:20 -0700

That's interesting, since FW logs don't list anything as "BLOCKED"; that's
an entry only found in the IP.logs.
Take a look in the event logs; ISA rarely chokes without crying loudly.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://isaserver.org/pages/author_index.asp?aut=3
 http://isatools.org
 Read the books!

----- Original Message -----
From: "Alfonso Lopez de Ayala" <alopezdeayala@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, September 30, 2002 3:57 PM
Subject: [isalist] Re: IP Packet filter needed IN ADDITION TO Web Publishing
Rule ???


http://www.ISAserver.org


Setup details (btw, this worked yesterday, but doesn't today!):

- GOAL: Publish OWA thru SSL (https://server.domain.com/exchange)
- ISA & IIS on same box
- Incoming listener:
     * Basic Authentication (only)
     * Server certificate installed in ISA
     * Enable SSL listeners (443) checked
     * Ask unauthenticated users... NOT checked
- Web Publishing Rule:
     * Destination set includes all OWA directories
       (ExchWeb, Exchange, Public, _AuthChangeUrl, iisadmpwd)
     * Action: redirect to this internal web server: server.domain.com
     * Send actual host header... CHECKED
     * Redirect SSL content as:  SSL request (SSL bridging)
     * Require secure channel SSL
     * Applies to: any request
- IP Packet Filters: none referring to HTTPS or port 443
- Server Publishing Rules: none
- IIS configuration
     * SSL Certificate installed
     * Security on OWA virtual directories:
          + Basic Authentication (only)
          + Require secure channel SSL
          + Anonymous access NOT checked
     * SocketPooling DISABLED
- NIC binding: first is Internal NIC (in My Network Places > Advanced)

Suddenly it stopped working... firewall logs now clearly show packets
to 443 as BLOCKED!  No clue as to why.

From LAN OWA works fine.

Alfonso


-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Monday, September 30, 2002 3:25 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: IP Packet filter needed IN ADDITION TO Web
Publishing Rule ???


If IIS is operating on the ISA, you have a choice between web publishing
and packet filters.
Some details on your setup would help in providing a specific answer...

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://isaserver.org/pages/author_index.asp?aut=3
 http://isatools.org
 Read the books!

----- Original Message -----
From: "Alfonso Lopez de Ayala" <alopezdeayala@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, September 30, 2002 2:33 PM
Subject: [isalist] IP Packet filter needed IN ADDITION TO Web Publishing
Rule ???



This gets more confusing every day... :)

If I have a Web Publishing rule that allows SSL requests to be forwarded
to web server... do I ALSO have to have an IP filter that allows HTTPS
traffic (port 443)?

DO YOU ALWAYS NEED AN ALLOWING "IP PACKET FILTER" IN ADDITION TO ANY
"PUBLISHING RULE" YOU SET UP???

(OWA suddenly stopped working and the only way to get to it from the
Internet is by adding an IP Packet filter allowing "HTTPS Server"!)

Alfonso


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

