[isalist] Re: ISA 2006 - Require 128-bit encryption for HTTPS traffic

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 3 Dec 2006 06:33:37 -0800

http://www.ISAserver.org
-------------------------------------------------------
  
My concern was that the UI might be lying to you about enforcing 128-bit
encryption, in which case you would have had a much larger issue.
Just a guess, but I believe the UI designers decided that the
combination of HTTP + HTTPS + "require 128-bit" didn't make sense, since
you can't "require 128-bit" on HTTP and thus disabled that combination
in the UI.
At least you discovered a functional workaround and that's worth a KB.
I'll file the UI bug and start the KB on Monday.

Those are good questions about PPTP/IPSec - I'll ask around.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Stefaan Pouseele
Sent: Sunday, December 03, 2006 1:35 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA 2006 - Require 128-bit encryption for HTTPS
traffic

Hi Jim, 

What are you suggesting?  

Yes, I have verified that 128-bit encryption is actually being enforced.
To test that I've followed http://support.microsoft.com/kb/245030/en-us
to disable the SChannel 128-bit or higher ciphers on the client. I then
got the error page in IE: "Error Code: 403 Forbidden. The page requires
128-bit encryption, an enhanced security mechanism. To view the page
contents, use a browser that supports this enhanced encryption.
(12212)". 

Disabling the weak SChannel ciphers on ISA is also a solution but then
the user is not informed of the cause of the failure. 

BTW --- are the SChannel regkeys also used for PPTP and IPSec? It would
be nice if we could disable some of those weak ciphers too. 

Thanks,
Stefaan

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Saturday, 2 December 2006 15:58
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA 2006 - Require 128-bit encryption for HTTPS
traffic

Have you verified whether or not 128-bit encryption is actually being
enforced?

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Stefaan Pouseele
Sent: Saturday, December 02, 2006 6:46 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA 2006 - Require 128-bit encryption for HTTPS
traffic

Hi all, 

after some further investigation I found some other strange
dependencies. 

If you enable HTTP and HTTPS first and then tick the box 'Do not
redirect traffic from HTTP to HTTPS' in the web listener, then the box
'Notify HTTP users to use HTTPS instead' becomes enabled in the Traffic
tab of the web publishing rule. If you tick that one then the box
'Require 128-bit encryption for HTTPS traffic' becomes enabled too. 

Moreover, if you now tick first the box 'Notify HTTP users to use HTTPS
instead' in the Traffic tab of the web publishing rule and then select
'Redirect all traffic from HTTP to HTTPS' in the web listener, then the
box 'Notify HTTP users to use HTTPS instead' becomes greyed out but the
box 'Require 128-bit encryption for HTTPS traffic' stays enabled. 

So, we can get it to work as per our requirements but why these strange
dependencies in the GUI? I can't figure out the logic behind this! :-(

Thanks,
Stefaan

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Stefaan Pouseele
Sent: Saturday, 2 December 2006 14:47
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] ISA 2006 - Require 128-bit encryption for HTTPS
traffic

Hi, 

I'm trying to implement the following requirements in a simple web
publishing rule on ISA 2006: 
1. Accept HTTP and HTTPS.
2. Redirect all traffic from HTTP to HTTPS.
3. Require 128-bit encryption for HTTPS traffic.

In the web listener I enabled HTTP and HTTPS and ticked the box
'Redirect all traffic from HTTP to HTTPS'. This ensures that all
traffic, including any authentication traffic is done over HTTPS. 

However, in the web publishing rule I can't enable the box 'Require
128-bit encryption for HTTPS traffic' in the Traffic tab. That box is
greyed out!
Only when I disable HTTP on the web listener can I enable the box
'Require 128-bit encryption for HTTPS traffic' in the Traffic tab. 

Can't we redirect HTTP to HTTPS *and* require 128-bit encryption in one
step? What am I missing? 


Thanks,
Stefaan


------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx 


All mail to and from this domain is GFI-scanned.
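
The enforcement test described in the thread depends on which SChannel ciphers the client has enabled under the KB 245030 registry keys. As an added example (not part of the thread or of ISA Server), this read-only PowerShell script lists the cipher overrides present on a machine and marks those below 128 bits that are not explicitly disabled; the registry path and the `Enabled` value are the ones documented in KB 245030, and the 128-bit threshold is an assumption taken from the rule's requirement.

```powershell
# Added example: read-only report of SChannel cipher overrides (KB 245030 keys).
# Nothing is modified; run it on the test client or on the ISA server.
$path = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path)   # read-only handle

if ($null -eq $root) {
    Write-Output 'No Ciphers key present: SChannel is using the OS defaults.'
    return
}

$report = foreach ($name in $root.GetSubKeyNames()) {
    # Subkey names look like "RC4 40/128" or "DES 56/56"; the first number is
    # the effective key length. "NULL" has no number and is treated as 0 bits.
    $bits = if ($name -match '(\d+)(?:/\d+)?$') { [int]$Matches[1] } else { 0 }

    # The names contain "/", so open them through .NET, not a provider path.
    $key     = $root.OpenSubKey($name)
    $enabled = $key.GetValue('Enabled', $null)
    $key.Close()

    # Enabled = 0 disables the cipher; any other value enables it;
    # a missing value leaves the OS default in effect.
    if ($null -eq $enabled) { $state = 'OS default' }
    elseif ($enabled -eq 0) { $state = 'Disabled' }
    else                    { $state = 'Enabled' }

    [pscustomobject]@{
        Cipher         = $name
        Bits           = $bits
        State          = $state
        Below128NotOff = ($bits -lt 128 -and $state -ne 'Disabled')
    }
}
$root.Close()

if (-not $report) {
    Write-Output 'Ciphers key has no subkeys: SChannel is using the OS defaults.'
} else {
    $report | Sort-Object Bits | Format-Table -AutoSize
}
```

A row showing `OS default` means no override exists for that cipher, so whether it is offered depends on the Windows version and not on the registry.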
