[isalist] Re: ISA 2006 - Require 128-bit encryption for HTTPS traffic

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 2 Dec 2006 23:47:32 +0100

http://www.ISAserver.org
-------------------------------------------------------
  
Hi Jim, 

What are you suggesting?  

Yes, I have verified that 128-bit encryption is actually being enforced. To
test that I've followed http://support.microsoft.com/kb/245030/en-us to
disable the SChannel 128-bit or higher ciphers on the client. I then got
the following error page in IE: "Error Code: 403 Forbidden. The page requires 128-bit
encryption, an enhanced security mechanism. To view the page contents, use a
browser that supports this enhanced encryption. (12212)". 

Disabling the weak SChannel ciphers on ISA is also a solution but then the
user is not informed of the cause of the failure. 

BTW --- are the SChannel regkeys also used for PPTP and IPSec? It would be
nice if we could disable some of those weak ciphers too. 

Thanks, 
Stefaan

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Saturday 2 December 2006 15:58
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA 2006 - Require 128-bit encryption for HTTPS
traffic

Have you verified whether or not 128-bit encryption is actually being
enforced?

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Stefaan Pouseele
Sent: Saturday, December 02, 2006 6:46 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA 2006 - Require 128-bit encryption for HTTPS
traffic

Hi all, 

After some further investigation I found some other strange dependencies. 

If you enable HTTP and HTTPS first and then tick the box 'Do not redirect
traffic from HTTP to HTTPS' in the web listener, then the box 'Notify HTTP
users to use HTTPS instead' becomes enabled in the Traffic tab of the web
publishing rule. If you tick that one then the box 'Require 128-bit
encryption for HTTPS traffic' becomes enabled too. 

Moreover, if you now tick first the box 'Notify HTTP users to use HTTPS
instead' in the Traffic tab of the web publishing rule and then select
'Redirect all traffic from HTTP to HTTPS' in the web listener, then the box
'Notify HTTP users to use HTTPS instead' becomes greyed out but the box
'Require 128-bit encryption for HTTPS traffic' stays enabled. 

So, we can get it to work as per our requirements but why these strange
dependencies in the GUI? I can't figure out the logic behind this! :-(

Thanks,
Stefaan

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Stefaan Pouseele
Sent: Saturday 2 December 2006 14:47
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] ISA 2006 - Require 128-bit encryption for HTTPS traffic

Hi, 

I'm trying to implement the following requirements in a simple web
publishing rule on ISA 2006: 
1. Accept HTTP and HTTPS.
2. Redirect all traffic from HTTP to HTTPS.
3. Require 128-bit encryption for HTTPS traffic.

In the web listener I enabled HTTP and HTTPS and ticked the box 'Redirect
all traffic from HTTP to HTTPS'. This ensures that all traffic, including
any authentication traffic is done over HTTPS. 

However, in the web publishing rule I can't enable the box 'Require 128-bit
encryption for HTTPS traffic' in the Traffic tab. That box is greyed out!
Only when I disable HTTP on the web listener can I enable the box 'Require
128-bit encryption for HTTPS traffic' in the Traffic tab. 

Can't we redirect HTTP to HTTPS *and* require 128-bit encryption in one
step? What am I missing? 


Thanks,
Stefaan

