[isalist] Re: ISA and HTTPS

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 28 Dec 2006 07:08:17 -0800

Since you have users logging onto the server and thereby using its browser, 
you'll have to operate with that removed.

IE "enhanced security" was intended to be a more restrictive browser *for 
servers*, since as a rule, they're not used as workstations.

Clearly, a TS server is the exception to that rule.

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of tim.altena@xxxxxxxxxxxxxx
Sent: Thursday, December 28, 2006 6:17 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA and HTTPS

 

Just an update, I have found a work around for this issue.  I removed "Internet 
Explorer Enhanced Security Configuration"  from my TS and everything started to 
work correctly.  I am not sure yet what this changed so I will be researching 
this today.

 

Thanks again

Tim

 

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of tim.altena@xxxxxxxxxxxxxx
Sent: Wednesday, December 27, 2006 4:59 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA and HTTPS

 

Thanks for your response Jim,

What I had meant by my statement was just that it was not a member of any of 
the domain groups that I created to use when controlling Internet access on the 
ISA server.

            

I have unchecked this setting; unfortunately I get the exact same error page.

 

I am fairly certain that it was my FWC installation that enabled it. Is it 
possible that I modified the installation unknowingly to do this? If I did I am 
not aware of how it occurred.

 

            I will be getting a capture in the morning and see if I can find 
anything.  I will attempt to compare it to a capture of the same user after I 
make them a member of the domain group allowing access to the internet and see 
if I can find the difference.

 

Thanks again Jim for your reply and assistance,

Tim 

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Wednesday, December 27, 2006 4:19 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA and HTTPS

 

The first thing you need to do is drop this idea: "and is not a member of any 
domain groups".  *Every* account is a member of at least one group; possibly 
more, depending on your group policies and account creation processes.

 

Now to the details:

"The page cannot be displayed" - this the standard, useless "friendly" HTML 
error message.  Unselect "friendly" anything in the advanced IE settings if you 
want something a bit more useful in the future.  Unfortunately, this error 
could indicate anything from a failed wpad request to a rejected connection by 
the site itself.

 

The IE configuration is pretty basic; not much has been changed from the default 
configuration after installation except the changes made by the ISA firewall 
client installation, which sets the following:

 

This is about as far from the default as you can get.  "use a proxy server" is 
populated, but not enabled by the FWC installer.

 

You should get a capture of the process from start to finish.

I realize that some of it is SSL, but the handshake process can often tell the tale.

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of tim.altena@xxxxxxxxxxxxxx
Sent: Wednesday, December 27, 2006 1:40 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA and HTTPS

 

I hope I have provided enough detail here if not please let me know and I will 
give you more.

 

Q1 - what is the user experience *details* for the failed requests?

I have created a small HTML page with just links to the two sites in question 
and saved it on the desktop of the TS.  If I open the page and click on the 
link to https://www.myflexonline.com the site's login page is displayed.  If I 
then click on the link for the other site https://www.myretirementfuture.com 
the browser attempts to open that page for a few seconds and then gets an error 
page in IE that states the following:

 


The page cannot be displayed

 

The page you are looking for is currently unavailable. The Web site might be 
experiencing technical difficulties, or you may need to adjust your browser 
settings.

________________________________

Please try the following:

<-- snip -->


Cannot find server or DNS Error
Internet Explorer 


After doing this any HTTPS page they go to brings up this same error.

            

Q2 - what does ISA live logging show for those requests?

I have attached the log from that time.  I did have a filter to only show logs 
with the server's client IP address.  If more is needed I can provide.

 

Q3 - how does the user log on to the TS server; local or domain credentials?

The user logs onto the TS using a domain account.  This account has no special 
permissions on the TS, and is not a member of any domain groups.

 

Q4 - how is the browser configured (*details*)?

The IE configuration is pretty basic; not much has been changed from the default 
configuration after installation except the changes made by the ISA firewall 
client installation, which sets the following:

Local Area Network Settings

    Automatically detect settings - checked

    Use automatic configuration script - checked
        http://oc05.vpinc.net:8080/array.dll?Get.Routing.Script (FQDN of my ISA server)

    Use a proxy server for your LAN - checked
        Address: oc05.vpinc.net    Port: 8080
        Bypass proxy for local addresses - checked

Security Tab

    Internet Zone - security setting high

    Local intranet Zone - custom settings (I did not change this from original install)

    Trusted Sites - custom settings (I did not change this from original install)
        Sites added to this zone
            http://www.myflexonline.com
            https://www.myflexonline.com
            http://www.myretirementfuture.com
            https://www.myretirementfuture.com
            http://crl.geotrust.com

 

 

Thanks Again

Tim

                                    

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Wednesday, December 27, 2006 3:03 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: ISA and HTTPS

 

Q1 - what is the user experience *details* for the failed requests?

Q2 - what does ISA live logging show for those requests?

Q3 - how does the user log on to the TS server; local or domain credentials?

Q4 - how is the browser configured (*details*)?

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of tim.altena@xxxxxxxxxxxxxx
Sent: Wednesday, December 27, 2006 12:27 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] ISA and HTTPS

 

I must be missing something really dumb but try as I might I can not find it.

 

I have an ISA 2004 server running on Windows 2003.  I have configured rules for 
access based on AD groups.  

Rule #1 allows one group access to all external sites with HTTP, HTTPS, FTP, 
and a few other protocols.  

Rule #2 allows another group access to a specified list of domains via HTTP and 
HTTPS.  

Rule #3 allows all authenticated users access to a very short list of specified 
domains via HTTP and HTTPS; this same rule has an exception for a group of users 
that have all access to the internet denied.  

Rule #4 is the default rule that denies access from anyone to everything.

 

I have a user that is not assigned to any specific AD group that needs to 
access a site in the very short list of domains from Rule #3 
(www.myretirementfuture.com).  This user can access this domain from any 
workstation on my domain using both HTTP and HTTPS; however, when they connect 
to our Windows 2003 terminal server they can connect using HTTP, but when they 
try to go to HTTPS it fails and they get an error in IE stating that the page 
cannot be displayed.  I can however go to another site, 
https://www.myflexonline.com, without any trouble, that is until I go to this 
site (https://www.myretirementfuture.com); then I cannot get to any HTTPS site 
after that.

 

If I put this user in the AD group that allows access to any external sites 
this site works fine via HTTPS on the terminal server.  I am not sure what I am 
missing in this equation, any help would be greatly appreciated.

 

Oh the terminal server does have the Firewall Client installed on it, and I 
have tried it without the client installed.  I also have added both the http 
and https versions of the domain to the trusted site list in IE on the terminal 
server.

 

Thanks in advance, 

Tim 

All mail to and from this domain is GFI-scanned.

