RE: OWA HTTPS [Enterprise] Default rule Denial

• From: "Young, Gerald G" <Gerald.Young@xxxxxxxxxx>
• To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
• Date: Thu, 19 Jan 2006 13:26:09 -0600

Tom,

Thanks... I had just reviewed those. *8^)

The / to /exchange\ worked but didn't.  I get a user challenge (probably
configuration on the OWA server itself).

I got the protocol redirect taken care of.  Now it's just the path.  I
lost where Jim was going with his last response.

I have to base the redirection on a different ISA error.  Mine is 12202,
not 12217.

If the error is 12202, doesn't that mean I create a file in the
ErrorHtmls directory named 12202.htm and populate that file with the
redirect?  I'm not sure where the 12217 number came from. *8^(  My
apologies for my denseness here. *8^(

Cordially yours,
Jerry G. Young II
  MCSE (4.0/W2K)
Atlanta EES Implementation Team Lead
HHS Engineering
Unisys
 
11493 Sunset Hills Rd.
Reston, VA 20190
Office: 703-579-2727
Cell: 703-625-1468

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Thursday, January 19, 2006 2:12 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial

http://www.ISAserver.org

Hi Jerry,

http://www.isaserver.org/tutorials/Redirecting-OWA-Users-Part1.html

And

http://www.isaserver.org/tutorials/Redirecting-OWA-Users-Part2.html

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx] 
> Sent: Thursday, January 19, 2006 1:03 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
> 
> http://www.ISAserver.org
> 
> Right... I get that but I thought the point of the redirect 
> below was to
> be able to have a user redirected to 
> https://domain.com/exchange if they
> hit https://domain.com?
> 
> Is this behavior also different on ISA Server 2004 EE?  
> According to the
> readme file in the archive, it states to put a "custom" error 
> page that
> ISA should return to a user that redirects them to the proper URL.
> 
> That is, I thought the following procedure would have solved the
> problem.
> 
> The error being returned is 12202.  So...
> 
> Create a 12202.htm file in the ErrorHtmls directory.
> Using either Jscript or Meta Headers, redirect the client to 
> the proper
> URL.
> Restart the Firewall Service (since there isn't a Web Proxy service).
> 
> Cordially yours,
> Jerry G. Young II
>   MCSE (4.0/W2K)
> Atlanta EES Implementation Team Lead
> HHS Engineering
> Unisys
>  
> 11493 Sunset Hills Rd.
> Reston, VA 20190
> Office: 703-579-2727
> Cell: 703-625-1468
> 
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE 
> PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete 
> the e-mail
> and its attachments from all computers.
> 
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> Sent: Thursday, January 19, 2006 1:55 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
> 
> http://www.ISAserver.org
> 
> Until your request matches the data in the rule, you'll 
> continue to get
> that error. 
> 
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx] 
> Sent: Thursday, January 19, 2006 10:43
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
> 
> http://www.ISAserver.org
> 
> Ooohkey, then. *8^)
> 
> Back to the redirect you provided...
> 
> The error being received was a 12202 error.  Since there wasn't a
> 12202.htm file in the ErrorHtmls directory, I created a new 
> file called
> such, put the redirect in, updated the URL to point to where 
> I wanted it
> to go and then restarted the firewall service.
> 
> I'm still getting that 12202 error and the web proxy filter 
> is throwing
> it. *8^(
> 
> Ideas?
> 
> Cordially yours,
> Jerry G. Young II
>   MCSE (4.0/W2K)
> Atlanta EES Implementation Team Lead
> HHS Engineering
> Unisys
>  
> 11493 Sunset Hills Rd.
> Reston, VA 20190
> Office: 703-579-2727
> Cell: 703-625-1468
> 
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE 
> PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete 
> the e-mail
> and its attachments from all computers.
> 
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Thursday, January 19, 2006 1:27 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
> 
> http://www.ISAserver.org
> 
> ISA 2004 doesn't have a web proxy service; it's an 
> application filter in
> the firewall service.
> Thus, if you feel the need to cycle the web proxy, you have 
> to cycle the
> firewall service.
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx]
> Sent: Thursday, January 19, 2006 10:21
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
> 
> http://www.ISAserver.org
> 
> Thanks, Jim.
> 
> Silly question, though.  How do you restart the Web Proxy service when
> it doesn't display in the Services tab of the Monitoring 
> node?  I don't
> even see W3Proxy.exe running as a process, although I do see a
> W3Prefch.exe process (that related?).
> 
> Cordially yours,
> Jerry G. Young II
>   MCSE (4.0/W2K)
> Atlanta EES Implementation Team Lead
> HHS Engineering
> Unisys
>  
> 11493 Sunset Hills Rd.
> Reston, VA 20190
> Office: 703-579-2727
> Cell: 703-625-1468
> 
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE 
> PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete 
> the e-mail
> and its attachments from all computers.
> 
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Thursday, January 19, 2006 12:44 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
> 
> http://www.ISAserver.org
> 
> That's my point - you shouldn't allow "/*". 
> If you create rules using specific path limitations, don't test them
> using other (empty, IOW) paths unless you're trying to validate ISA
> blocking action (you did).
> 
> If you're trying to support folks that forget to use /exchange in the
> URL, take a look at http://isatools.org/isa_redirects.zip
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx]
> Sent: Thursday, January 19, 2006 09:30
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
> 
> http://www.ISAserver.org
> 
> By default, when creating the rule using the wizard, the paths are set
> to just the following.  I have not changed these.
> 
> /exchange/*
> /exchweb/*
> /public/*
> 
> Should I add "/"?  In the past, when I've attempted to add "/*" ISA
> complains saying that that is the same as the others already 
> specified.
> 
> Cordially yours,
> Jerry G. Young II
>   MCSE (4.0/W2K)
> Atlanta EES Implementation Team Lead
> HHS Engineering
> Unisys
>  
> 11493 Sunset Hills Rd.
> Reston, VA 20190
> Office: 703-579-2727
> Cell: 703-625-1468
> 
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE 
> PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete 
> the e-mail
> and its attachments from all computers.
> 
> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Thursday, January 19, 2006 12:23 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
> 
> http://www.ISAserver.org
> 
> Does you rule include the "/" path? 
> My $.02 says "no".
> My $M5 says it shouldn't, either.
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx]
> Sent: Thursday, January 19, 2006 09:06
> To: [ISAserver.org Discussion List]
> Subject: [isalist] OWA HTTPS [Enterprise] Default rule Denial
> 
> http://www.ISAserver.org
> 
> 
> All,
> 
> I'm having a problem with getting OWA working through ISA as expected.
> 
> If I point the URL for OWA to https://domain.com/exchange
> <https://domain.com/exchange> , a connection is made and the OWA page
> displays.  However, if I go to https://domain.com 
> <https://domain.com> ,
> I consistently get denied connections due to the [Enterprise] Default
> rule kicking in stating that the ISA server denied that URL.  The URL
> field in the logged event shows up as http://domain.com
> <http://domain.com>  instead of http://domain.com:443
> <http://domain.com:443> .  The same field when going to
> https://domain.com/exchange <https://domain.com/exchange>  shows up in
> the logs as http://domain.com:443/exchange
> <http://domain.com:443/exchange> .
> 
> Anyone know what's causing this behavior?
> 
> Since this is being logged by the Web Proxy Filter, I'm guessing
> something related to that configuration but I'll be damned if I can
> figure it out.
> 
> Cordially yours,
> 
> Jerry G. Young II
> 
>   MCSE (4.0/W2K)
> 
> Atlanta EES Implementation Team Lead
> 
> HHS Engineering
> 
> Unisys
> 
>  
> 
> 11493 Sunset Hills Rd.
> 
> Reston, VA 20190
> 
> Office: 703-579-2727
> 
> Cell: 703-625-1468
> 
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE 
> PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete 
> the e-mail
> and its attachments from all computers.
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx 
> 
> All mail to and from this domain is GFI-scanned.
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> gerald.young@xxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> All mail to and from this domain is GFI-scanned.
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> gerald.young@xxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> All mail to and from this domain is GFI-scanned.
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> gerald.young@xxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> All mail to and from this domain is GFI-scanned.
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> gerald.young@xxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
gerald.young@xxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

Other related posts:

• » OWA HTTPS [Enterprise] Default rule Denial
• » RE: OWA HTTPS [Enterprise] Default rule Denial
• » RE: OWA HTTPS [Enterprise] Default rule Denial
• » RE: OWA HTTPS [Enterprise] Default rule Denial
• » RE: OWA HTTPS [Enterprise] Default rule Denial
• » RE: OWA HTTPS [Enterprise] Default rule Denial
• » RE: OWA HTTPS [Enterprise] Default rule Denial
• » RE: OWA HTTPS [Enterprise] Default rule Denial
• » RE: OWA HTTPS [Enterprise] Default rule Denial
• » RE: OWA HTTPS [Enterprise] Default rule Denial
• » RE: OWA HTTPS [Enterprise] Default rule Denial
• » RE: OWA HTTPS [Enterprise] Default rule Denial
• » RE: OWA HTTPS [Enterprise] Default rule Denial
• » RE: OWA HTTPS [Enterprise] Default rule Denial
• » RE: OWA HTTPS [Enterprise] Default rule Denial
• » RE: OWA HTTPS [Enterprise] Default rule Denial
• » RE: OWA HTTPS [Enterprise] Default rule Denial
• » RE: OWA HTTPS [Enterprise] Default rule Denial

1. Home
2. isalist
3. Archive
4. 01-2006

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---