RE: OWA HTTPS [Enterprise] Default rule Denial

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 19 Jan 2006 11:15:09 -0800

Yes, but you have to base the redirection on a different ISA error.
Your error is 12202, not 12217. 

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx] 
Sent: Thursday, January 19, 2006 11:03
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial

http://www.ISAserver.org

Right... I get that but I thought the point of the redirect below was to be 
able to have a user redirected to https://domain.com/exchange if they hit 
https://domain.com?

Is this behavior also different on ISA Server 2004 EE?  According to the readme 
file in the archive, it states to put a "custom" error page that ISA should 
return to a user that redirects them to the proper URL.

That is, I thought the following procedure would have solved the problem.

The error being returned is 12202.  So...

Create a 12202.htm file in the ErrorHtmls directory.
Using either Jscript or Meta Headers, redirect the client to the proper URL.
Restart the Firewall Service (since there isn't a Web Proxy service).

Cordially yours,
Jerry G. Young II
  MCSE (4.0/W2K)
Atlanta EES Implementation Team Lead
HHS Engineering
Unisys
 
11493 Sunset Hills Rd.
Reston, VA 20190
Office: 703-579-2727
Cell: 703-625-1468

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thursday, January 19, 2006 1:55 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial

Until your request matches the data in the rule, you'll continue to get that 
error. 


 

-----Original Message-----
From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx]
Sent: Thursday, January 19, 2006 10:43
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial

Ooohkey, then. *8^)

Back to the redirect you provided...

The error being received was a 12202 error.  Since there wasn't a 12202.htm 
file in the ErrorHtmls directory, I created a new file called such, put the 
redirect in, updated the URL to point to where I wanted it to go and then 
restarted the firewall service.

I'm still getting that 12202 error and the web proxy filter is throwing it. *8^(

Ideas?

Cordially yours,
Jerry G. Young II

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thursday, January 19, 2006 1:27 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial

ISA 2004 doesn't have a web proxy service; it's an application filter in the 
firewall service.
Thus, if you feel the need to cycle the web proxy, you have to cycle the 
firewall service.

 

-----Original Message-----
From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx]
Sent: Thursday, January 19, 2006 10:21
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial

Thanks, Jim.

Silly question, though.  How do you restart the Web Proxy service when it 
doesn't display in the Services tab of the Monitoring node?  I don't even see 
W3Proxy.exe running as a process, although I do see a W3Prefch.exe process 
(that related?).

Cordially yours,
Jerry G. Young II

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thursday, January 19, 2006 12:44 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial

That's my point - you shouldn't allow "/*". 
If you create rules using specific path limitations, don't test them using 
other (empty, IOW) paths unless you're trying to validate ISA blocking action 
(you did).

If you're trying to support folks that forget to use /exchange in the URL, take 
a look at http://isatools.org/isa_redirects.zip

 

-----Original Message-----
From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx]
Sent: Thursday, January 19, 2006 09:30
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial

By default, when creating the rule using the wizard, the paths are set to just 
the following.  I have not changed these.

/exchange/*
/exchweb/*
/public/*

Should I add "/"?  In the past, when I've attempted to add "/*" ISA complains 
saying that that is the same as the others already specified.

Cordially yours,
Jerry G. Young II

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thursday, January 19, 2006 12:23 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial

Does your rule include the "/" path?
My $.02 says "no".
My $M5 says it shouldn't, either.

 

-----Original Message-----
From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx]
Sent: Thursday, January 19, 2006 09:06
To: [ISAserver.org Discussion List]
Subject: [isalist] OWA HTTPS [Enterprise] Default rule Denial


All,

I'm having a problem with getting OWA working through ISA as expected.

If I point the URL for OWA to https://domain.com/exchange, a connection is
made and the OWA page displays.  However, if I go to https://domain.com, I
consistently get denied connections due to the [Enterprise] Default rule
kicking in stating that the ISA server denied that URL.  The URL field in the
logged event shows up as http://domain.com instead of http://domain.com:443.
The same field when going to https://domain.com/exchange shows up in the logs
as http://domain.com:443/exchange.

Anyone know what's causing this behavior?

Since this is being logged by the Web Proxy Filter, I'm guessing something 
related to that configuration but I'll be damned if I can figure it out.

Cordially yours,

Jerry G. Young II


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx 

All mail to and from this domain is GFI-scanned.
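
Added example (not part of the thread and not ISA Server code): a simplified Python model of the path-restricted publishing rule discussed above, showing why a request for the bare site root falls through to the default deny rule and how much more a "/*" path would let through. The matching logic and the two non-OWA sample paths are assumptions made for illustration.

```python
# Simplified model of a path-restricted publishing rule (not ISA Server's real matcher).
from urllib.parse import urlsplit

# Paths the poster says the OWA publishing wizard created.
OWA_PATHS = ["/exchange/*", "/exchweb/*", "/public/*"]


def path_matches(pattern: str, path: str) -> bool:
    """Match a request path against one rule path, case-insensitively."""
    pattern, path = pattern.lower(), (path or "/").lower()
    if pattern.endswith("/*"):
        prefix = pattern[:-2]  # "/exchange/*" -> "/exchange"
        # Assumption: the bare folder is accepted too, because the thread
        # reports that https://domain.com/exchange is allowed.
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def evaluate(url: str, allowed_paths=OWA_PATHS) -> str:
    """Return which rule handles the request in this model."""
    path = urlsplit(url).path
    if any(path_matches(p, path) for p in allowed_paths):
        return "allow: OWA publishing rule"
    return "deny: default rule"


def exposure(allowed_paths, probes):
    """List the probe URLs that a given path set would let through."""
    return [u for u in probes if evaluate(u, allowed_paths).startswith("allow")]


# Constructed sample requests; domain.com is the placeholder host used in the thread.
PROBES = [
    "https://domain.com/exchange",
    "https://domain.com/exchange/user/inbox",
    "https://domain.com/",
    "https://domain.com",
    "https://domain.com/some-other-app/",  # constructed non-OWA path
    "https://domain.com/exchange-old/",    # constructed look-alike prefix
]

if __name__ == "__main__":
    for url in PROBES:
        print(f"{url:42} {evaluate(url)}")
    widened = set(exposure(OWA_PATHS + ["/*"], PROBES)) - set(exposure(OWA_PATHS, PROBES))
    print("additionally allowed if '/*' were added:", sorted(widened))
```

In this model the three wizard paths admit only the two /exchange requests, while adding "/*" admits every probe, which is the exposure the advice against "/*" avoids.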

