RE: OWA HTTPS [Enterprise] Default rule Denial
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 19 Jan 2006 14:44:07 -0600
Hi Jerry,
Is the redirect the problem? If so, why not create Web Publishing Rule
allowing access to the redirect page?
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
> -----Original Message-----
> From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx]
> Sent: Thursday, January 19, 2006 2:06 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
>
> http://www.ISAserver.org
>
> Tom/Jim,
>
> Neither of you will probably like this, but this is what I did to deal
> with the redirect.
>
> In ISA on the OWA rule, I allowed "/" in the path. On the OWA server
> itself, I put in a default.asp page with a redirect to the /exchange
> path. I then updated the Documents tab on the OWA site so that
> default.asp was the only file in the list.
>
> For testing purposes, I stuck testhello.html (hello, world!)
> in the same
> root directory.
>
> ISA allows the root to pass back, at which point the default.asp
> redirect kicks in and redirects as designed. If I attempt to hit
> https://domain.com/testhello.html directly, ISA blocks it
> with the same
> 12202 error.
>
> Thoughts?
>
> Cordially yours,
> Jerry G. Young II
> MCSE (4.0/W2K)
> Atlanta EES Implementation Team Lead
> HHS Engineering
> Unisys
>
> 11493 Sunset Hills Rd.
> Reston, VA 20190
> Office: 703-579-2727
> Cell: 703-625-1468
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
> PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete
> the e-mail
> and its attachments from all computers.
>
> -----Original Message-----
> From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx]
> Sent: Thursday, January 19, 2006 2:26 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
>
> http://www.ISAserver.org
>
> Tom,
>
> Thanks... I had just reviewed those. *8^)
>
> The / to /exchange\ worked but didn't. I get a user
> challenge (probably
> configuration on the OWA server itself).
>
> I got the protocol redirect taken care of. Now it's just the path. I
> lost where Jim was going with his last response.
>
> I have to base the redirection on a different ISA error.
> Mine is 12202,
> not 12217.
>
> If the error is 12202, doesn't that mean I create a file in the
> ErrorHtmls directory named 12202.htm and populate that file with the
> redirect? I'm not sure where the 12217 number came from. *8^( My
> apologies for my denseness here. *8^(
>
> Cordially yours,
> Jerry G. Young II
> MCSE (4.0/W2K)
> Atlanta EES Implementation Team Lead
> HHS Engineering
> Unisys
>
> 11493 Sunset Hills Rd.
> Reston, VA 20190
> Office: 703-579-2727
> Cell: 703-625-1468
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
> PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete
> the e-mail
> and its attachments from all computers.
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Thursday, January 19, 2006 2:12 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
>
> http://www.ISAserver.org
>
> Hi Jerry,
>
> http://www.isaserver.org/tutorials/Redirecting-OWA-Users-Part1.html
>
> And
>
> http://www.isaserver.org/tutorials/Redirecting-OWA-Users-Part2.html
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx]
> > Sent: Thursday, January 19, 2006 1:03 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
> >
> > http://www.ISAserver.org
> >
> > Right... I get that but I thought the point of the redirect
> > below was to
> > be able to have a user redirected to
> > https://domain.com/exchange if they
> > hit https://domain.com?
> >
> > Is this behavior also different on ISA Server 2004 EE?
> > According to the
> > readme file in the archive, it states to put a "custom" error
> > page that
> > ISA should return to a user that redirects them to the proper URL.
> >
> > That is, I thought the following procedure would have solved the
> > problem.
> >
> > The error being returned is 12202. So...
> >
> > Create a 12202.htm file in the ErrorHtmls directory.
> > Using either Jscript or Meta Headers, redirect the client to
> > the proper
> > URL.
> > Restart the Firewall Service (since there isn't a Web Proxy
> service).
> >
> > Cordially yours,
> > Jerry G. Young II
> > MCSE (4.0/W2K)
> > Atlanta EES Implementation Team Lead
> > HHS Engineering
> > Unisys
> >
> > 11493 Sunset Hills Rd.
> > Reston, VA 20190
> > Office: 703-579-2727
> > Cell: 703-625-1468
> >
> > THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
> > PROPRIETARY
> > MATERIAL and is thus for use only by the intended recipient. If you
> > received this in error, please contact the sender and delete
> > the e-mail
> > and its attachments from all computers.
> >
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Thursday, January 19, 2006 1:55 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
> >
> > http://www.ISAserver.org
> >
> > Until your request matches the data in the rule, you'll
> > continue to get
> > that error.
> >
> >
> > -------------------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > -------------------------------------------------------
> >
> >
> > -----Original Message-----
> > From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx]
> > Sent: Thursday, January 19, 2006 10:43
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
> >
> > http://www.ISAserver.org
> >
> > Ooohkey, then. *8^)
> >
> > Back to the redirect you provided...
> >
> > The error being received was a 12202 error. Since there wasn't a
> > 12202.htm file in the ErrorHtmls directory, I created a new
> > file called
> > such, put the redirect in, updated the URL to point to where
> > I wanted it
> > to go and then restarted the firewall service.
> >
> > I'm still getting that 12202 error and the web proxy filter
> > is throwing
> > it. *8^(
> >
> > Ideas?
> >
> > Cordially yours,
> > Jerry G. Young II
> > MCSE (4.0/W2K)
> > Atlanta EES Implementation Team Lead
> > HHS Engineering
> > Unisys
> >
> > 11493 Sunset Hills Rd.
> > Reston, VA 20190
> > Office: 703-579-2727
> > Cell: 703-625-1468
> >
> > THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
> > PROPRIETARY
> > MATERIAL and is thus for use only by the intended recipient. If you
> > received this in error, please contact the sender and delete
> > the e-mail
> > and its attachments from all computers.
> >
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Thursday, January 19, 2006 1:27 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
> >
> > http://www.ISAserver.org
> >
> > ISA 2004 doesn't have a web proxy service; it's an
> > application filter in
> > the firewall service.
> > Thus, if you feel the need to cycle the web proxy, you have
> > to cycle the
> > firewall service.
> >
> > -------------------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > -------------------------------------------------------
> >
> >
> > -----Original Message-----
> > From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx]
> > Sent: Thursday, January 19, 2006 10:21
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
> >
> > http://www.ISAserver.org
> >
> > Thanks, Jim.
> >
> > Silly question, though. How do you restart the Web Proxy
> service when
> > it doesn't display in the Services tab of the Monitoring
> > node? I don't
> > even see W3Proxy.exe running as a process, although I do see a
> > W3Prefch.exe process (that related?).
> >
> > Cordially yours,
> > Jerry G. Young II
> > MCSE (4.0/W2K)
> > Atlanta EES Implementation Team Lead
> > HHS Engineering
> > Unisys
> >
> > 11493 Sunset Hills Rd.
> > Reston, VA 20190
> > Office: 703-579-2727
> > Cell: 703-625-1468
> >
> > THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
> > PROPRIETARY
> > MATERIAL and is thus for use only by the intended recipient. If you
> > received this in error, please contact the sender and delete
> > the e-mail
> > and its attachments from all computers.
> >
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Thursday, January 19, 2006 12:44 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
> >
> > http://www.ISAserver.org
> >
> > That's my point - you shouldn't allow "/*".
> > If you create rules using specific path limitations, don't test them
> > using other (empty, IOW) paths unless you're trying to validate ISA
> > blocking action (you did).
> >
> > If you're trying to support folks that forget to use
> /exchange in the
> > URL, take a look at http://isatools.org/isa_redirects.zip
> >
> > -------------------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > -------------------------------------------------------
> >
> >
> > -----Original Message-----
> > From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx]
> > Sent: Thursday, January 19, 2006 09:30
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
> >
> > http://www.ISAserver.org
> >
> > By default, when creating the rule using the wizard, the
> paths are set
> > to just the following. I have not changed these.
> >
> > /exchange/*
> > /exchweb/*
> > /public/*
> >
> > Should I add "/"? In the past, when I've attempted to add "/*" ISA
> > complains saying that that is the same as the others already
> > specified.
> >
> > Cordially yours,
> > Jerry G. Young II
> > MCSE (4.0/W2K)
> > Atlanta EES Implementation Team Lead
> > HHS Engineering
> > Unisys
> >
> > 11493 Sunset Hills Rd.
> > Reston, VA 20190
> > Office: 703-579-2727
> > Cell: 703-625-1468
> >
> > THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
> > PROPRIETARY
> > MATERIAL and is thus for use only by the intended recipient. If you
> > received this in error, please contact the sender and delete
> > the e-mail
> > and its attachments from all computers.
> >
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Thursday, January 19, 2006 12:23 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: OWA HTTPS [Enterprise] Default rule Denial
> >
> > http://www.ISAserver.org
> >
> > Does you rule include the "/" path?
> > My $.02 says "no".
> > My $M5 says it shouldn't, either.
> >
> > -------------------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > -------------------------------------------------------
> >
> >
> > -----Original Message-----
> > From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx]
> > Sent: Thursday, January 19, 2006 09:06
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] OWA HTTPS [Enterprise] Default rule Denial
> >
> > http://www.ISAserver.org
> >
> >
> > All,
> >
> > I'm having a problem with getting OWA working through ISA
> as expected.
> >
> > If I point the URL for OWA to https://domain.com/exchange
> > <https://domain.com/exchange> , a connection is made and
> the OWA page
> > displays. However, if I go to https://domain.com
> > <https://domain.com> ,
> > I consistently get denied connections due to the
> [Enterprise] Default
> > rule kicking in stating that the ISA server denied that
> URL. The URL
> > field in the logged event shows up as http://domain.com
> > <http://domain.com> instead of http://domain.com:443
> > <http://domain.com:443> . The same field when going to
> > https://domain.com/exchange <https://domain.com/exchange>
> shows up in
> > the logs as http://domain.com:443/exchange
> > <http://domain.com:443/exchange> .
> >
> > Anyone know what's causing this behavior?
> >
> > Since this is being logged by the Web Proxy Filter, I'm guessing
> > something related to that configuration but I'll be damned if I can
> > figure it out.
> >
> > Cordially yours,
> >
> > Jerry G. Young II
> >
> > MCSE (4.0/W2K)
> >
> > Atlanta EES Implementation Team Lead
> >
> > HHS Engineering
> >
> > Unisys
> >
> >
> >
> > 11493 Sunset Hills Rd.
> >
> > Reston, VA 20190
> >
> > Office: 703-579-2727
> >
> > Cell: 703-625-1468
> >
> > THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
> > PROPRIETARY
> > MATERIAL and is thus for use only by the intended recipient. If you
> > received this in error, please contact the sender and delete
> > the e-mail
> > and its attachments from all computers.
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org
> Discussion List as:
> > jim@xxxxxxxxxxxx To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > All mail to and from this domain is GFI-scanned.
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org
> Discussion List as:
> > gerald.young@xxxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org
> Discussion List as:
> > jim@xxxxxxxxxxxx To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > All mail to and from this domain is GFI-scanned.
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org
> Discussion List as:
> > gerald.young@xxxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org
> Discussion List as:
> > jim@xxxxxxxxxxxx To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > All mail to and from this domain is GFI-scanned.
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org
> Discussion List as:
> > gerald.young@xxxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org
> Discussion List as:
> > jim@xxxxxxxxxxxx To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > All mail to and from this domain is GFI-scanned.
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org
> Discussion List as:
> > gerald.young@xxxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion
> > List as: tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> gerald.young@xxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> gerald.young@xxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
Other related posts:
