http://www.ISAserver.org
-------------------------------------------------------

Hi Jim,

What are you suggesting? Yes, I have verified that 128-bit encryption is actually being enforced. To test that I've followed http://support.microsoft.com/kb/245030/en-us to disable the SChannel 128-bit or higher ciphers on the client. I then got the error page in IE: "Error Code: 403 Forbidden. The page requires 128-bit encryption, an enhanced security mechanism. To view the page contents, use a browser that supports this enhanced encryption. (12212)".

Disabling the weak SChannel ciphers on ISA is also a solution, but then the user is not informed of the cause of the failure.

BTW --- are the SChannel regkeys also used for PPTP and IPSec? It would be nice if we could disable some of those weak ciphers too.

Thanks,
Stefaan

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Saturday, 2 December 2006 15:58
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA 2006 - Require 128-bit encryption for HTTPS traffic

Have you verified whether or not 128-bit encryption is actually being enforced?

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
Sent: Saturday, December 02, 2006 6:46 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA 2006 - Require 128-bit encryption for HTTPS traffic

Hi all,

after some further investigation I found some other strange dependencies. If you enable HTTP and HTTPS first and then tick the box 'Do not redirect traffic from HTTP to HTTPS' in the web listener, then the box 'Notify HTTP users to use HTTPS instead' becomes enabled in the Traffic tab of the web publishing rule.
If you tick that one, then the box 'Require 128-bit encryption for HTTPS traffic' becomes enabled too. Moreover, if you now first tick the box 'Notify HTTP users to use HTTPS instead' in the Traffic tab of the web publishing rule and then select 'Redirect all traffic from HTTP to HTTPS' in the web listener, then the box 'Notify HTTP users to use HTTPS instead' becomes greyed out but the box 'Require 128-bit encryption for HTTPS traffic' stays enabled.

So, we can get it to work as per our requirements, but why these strange dependencies in the GUI? I can't figure out the logic behind this! :-(

Thanks,
Stefaan

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Stefaan Pouseele
Sent: Saturday, 2 December 2006 14:47
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] ISA 2006 - Require 128-bit encryption for HTTPS traffic

Hi,

I'm trying to implement the following requirements in a simple web publishing rule on ISA 2006:

1. Accept HTTP and HTTPS.
2. Redirect all traffic from HTTP to HTTPS.
3. Require 128-bit encryption for HTTPS traffic.

In the web listener I enabled HTTP and HTTPS and ticked the box 'Redirect all traffic from HTTP to HTTPS'. This ensures that all traffic, including any authentication traffic, is done over HTTPS.

However, in the web publishing rule I can't enable the box 'Require 128-bit encryption for HTTPS traffic' in the Traffic tab. That box is greyed out! Only when I disable HTTP on the web listener can I enable the box 'Require 128-bit encryption for HTTPS traffic' in the Traffic tab.

Can't we redirect HTTP to HTTPS *and* require 128-bit encryption in one step? What am I missing?

Thanks,
Stefaan