[isalist] Re: ISA and HTTPS

  • From: <tim.altena@xxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 27 Dec 2006 16:58:53 -0600

Thanks for your response Jim,

What I had meant by my statement was just that it was not a
member of any of the domain groups that I created to use when
controlling Internet access on the ISA server.

            

I have unchecked this setting; unfortunately I get the exact
same error page.

 

I am fairly certain that it was my FWC installation that
enabled it. Is it possible that I modified the installation
unknowingly to do this?  If I did, I am not aware of how it occurred.

 

            I will be getting a capture in the morning and see if I can
find anything.  I will attempt to compare it to a capture of the same
user after I make them a member of the domain group allowing access to
the internet and see if I can find the difference.

 

Thanks again Jim for your reply and assistance,

Tim 

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Wednesday, December 27, 2006 4:19 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA and HTTPS

 

The first thing you need to do is drop this idea: "and is not a member
of any domain groups".  *Every* account is a member of at least one
group; possibly more, depending on your group policies and account
creation processes.

 

Now to the details:

"The page cannot be displayed" - this is the standard, useless "friendly"
HTML error message.  Unselect "friendly" anything in the advanced IE
settings if you want something a bit more useful in the future.
Unfortunately, this error could indicate anything from a failed wpad
request to a rejected connection by the site itself.

 

The IE configuration is pretty basic; not much has been changed from the
default configuration after installation except the changes made by the
ISA firewall client installation, which sets the following:

 

This is about as far from the default as you can get.  "use a proxy
server" is populated, but not enabled by the FWC installer.

 

You should get a capture of the process from start to finish.

I realize that some of it is SSL, but the handshake process can often tell
the tale.

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of tim.altena@xxxxxxxxxxxxxx
Sent: Wednesday, December 27, 2006 1:40 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA and HTTPS

 

I hope I have provided enough detail here; if not, please let me know and
I will give you more.

 

Q1 - what is the user experience *details* for the failed requests?

I have created a small HTML page with just links to the two sites in
question and saved it on the desktop of the TS.  If I open the page and
click on the link to https://www.myflexonline.com
<https://www.myflexonline.com/>  the site's login page is displayed.  If
I then click on the link for the other site
https://www.myretirementfuture.com <https://www.myretirementfuture.com/>
the browser attempts to open that page for a few seconds and then gets
an error page in IE that states the following:

 


The page cannot be displayed

 

The page you are looking for is currently unavailable. The Web site
might be experiencing technical difficulties, or you may need to adjust
your browser settings.

________________________________

Please try the following:

<---- snip ----->


Cannot find server or DNS Error
Internet Explorer 


After doing this any HTTPS page they go to brings up this same error.

            

Q2 - what does ISA live logging show for those requests?

I have attached the log from that time.  I did have a filter to only show
logs with the server's client IP address.  If more is needed I can
provide it.

 

Q3 - how does the user log on to the TS server; local or domain
credentials?

The user logs onto the TS using a domain account.  This account has no
special permissions on the TS, and is not a member of any domain groups.

 

Q4 - how is the browser configured (*details*)?

The IE configuration is pretty basic; not much has been changed from the
default configuration after installation except the changes made by the
ISA firewall client installation, which sets the following:

            Local Area Network Settings

                        Automatically detect settings - checked

                        Use automatic configuration script - checked

 
http://oc05.vpinc.net:8080/array.dll?Get.Routing.Script (FQDN of my ISA
server)

                        Use a proxy server for your LAN - checked

                                    Address: oc05.vpinc.net
Port: 8080

                                    Bypass proxy for local addresses -
checked

            Security Tab

                        Internet Zone - security setting high

                        Local intranet Zone - custom settings ( I did
not change this from original install )

                        Trusted Sites - custom settings ( I did not
change this from original install )

                                    Sites added to this zone

 
http://www.myflexonline.com <http://www.myflexonline.com/> 

 
https://www.myflexonline.com <https://www.myflexonline.com/> 

 
http://www.myretirementfuture.com <http://www.myretirementfuture.com/> 

 
https://www.myretirementfuture.com <https://www.myretirementfuture.com/>


                                                http://crl.geotrust.com
<http://crl.geotrust.com/> 

 

 

Thanks Again

Tim

                                    

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Wednesday, December 27, 2006 3:03 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA and HTTPS

 

Q1 - what is the user experience *details* for the failed requests?

Q2 - what does ISA live logging show for those requests?

Q3 - how does the user log on to the TS server; local or domain
credentials?

Q4 - how is the browser configured (*details*)?

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of tim.altena@xxxxxxxxxxxxxx
Sent: Wednesday, December 27, 2006 12:27 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] ISA and HTTPS

 

I must be missing something really dumb, but try as I might I cannot
find it.

 

I have an ISA 2004 server running on Windows 2003.  I have configured
rules for access based on AD groups.  

Rule #1 allows one group access to all external sites with HTTP,
HTTPS, FTP, and a few other protocols.  

Rule #2 allows another group access to a specified list of domains
via HTTP and HTTPS.  

Rule #3 allows all authenticated users access to a very short list
of specified domains via HTTP and HTTPS; this same rule has an exception
for a group of users that have all access to the internet denied.  

Rule #4 is the default rule that denies access from anyone to everything.

 

I have a user that is not assigned to any specific AD group that needs
to access a site in the very short list of domains from Rule #3
(www.myretirementfuture.com <http://www.myretirementfuture.com/> ).  This
user can access this domain from any workstation on my domain both using
HTTP and HTTPS; however, when it connects to our Windows 2003 terminal
server it can connect using HTTP, but when they try to go to HTTPS it
fails and they get an error in IE stating that the page cannot be
displayed.  I can however go to another site
https://www.myflexonline.com <https://www.myflexonline.com/>  without
any trouble, that is until I go to this site
(https://www.myretirementfuture.com
<https://www.myretirementfuture.com/> ); then I cannot get to any HTTPS
site after that.

 

If I put this user in the AD group that allows access to any external
sites this site works fine via HTTPS on the terminal server.  I am not
sure what I am missing in this equation, any help would be greatly
appreciated.

 

Oh the terminal server does have the Firewall Client installed on it,
and I have tried it without the client installed.  I also have added
both the http and https versions of the domain to the trusted site list
in IE on the terminal server.

 

Thanks in advance, 

Tim 

All mail to and from this domain is GFI-scanned.


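As an added illustration (not code from the thread or from ISA itself), the four access rules Tim describes can be modelled as an ordered, first-match policy to check what the policy alone decides for a given user; the group names and list-2 domain are assumed placeholders, and the model deliberately ignores the proxy/TLS path that Jim suggests capturing, which is where a policy-allowed request can still fail.

```python
"""Ordered, first-match model of the ISA 2004 rule set described in the
thread.  Constructed example; group names are placeholders, not Tim's."""
from dataclasses import dataclass, field

ALL_AUTH = "All Authenticated Users"   # ISA's built-in user set
ANY = "*"                              # wildcard for any group/protocol/host


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    groups: set                 # group names, {ALL_AUTH}, or {ANY}
    protocols: set              # e.g. {"HTTP", "HTTPS"} or {ANY}
    destinations: set           # hostnames or {ANY}
    except_groups: set = field(default_factory=set)   # rule exception

    def matches(self, user_groups, protocol, host):
        if ANY not in self.groups:
            # ALL_AUTH covers any authenticated account, whatever its groups
            # (Jim's point: every account is in at least one group anyway).
            subject_ok = ALL_AUTH in self.groups or bool(self.groups & user_groups)
            if not subject_ok or self.except_groups & user_groups:
                return False
        if ANY not in self.protocols and protocol not in self.protocols:
            return False
        return ANY in self.destinations or host in self.destinations


# The rule set from the original post, in evaluation order.
RULES = [
    Rule("Rule 1: full access", "allow", {"Internet-Full"},
         {"HTTP", "HTTPS", "FTP"}, {ANY}),
    Rule("Rule 2: listed domains", "allow", {"Internet-Limited"},
         {"HTTP", "HTTPS"}, {"www.example-list.test"}),       # assumed domain
    Rule("Rule 3: short list", "allow", {ALL_AUTH}, {"HTTP", "HTTPS"},
         {"www.myretirementfuture.com", "www.myflexonline.com"},
         except_groups={"Internet-Denied"}),
    Rule("Rule 4: default deny", "deny", {ANY}, {ANY}, {ANY}),
]


def evaluate(user_groups, protocol, host, rules=RULES):
    """Return (action, rule name) of the first rule that matches."""
    for rule in rules:
        if rule.matches(set(user_groups), protocol, host):
            return rule.action, rule.name
    return "deny", "no rule"


if __name__ == "__main__":
    # The TS user: authenticated, in no custom group, going to the Rule 3 site.
    print(evaluate({"Domain Users"}, "HTTPS", "www.myretirementfuture.com"))
```

Running the model shows that the policy already allows the user's HTTPS request under Rule 3, so a denial in the ISA log (or a failure with no log entry at all) points at the browser/proxy path rather than at group membership.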
