RE: Please help before i have no hair left (more Info)

  • From: "Stephen Herrera" <sherrera@xxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 24 Jan 2003 12:55:59 -0800

I kept banging away at this and got some interesting findings. I published
port 443 to the internal server using server publishing rules. When I did
this I could see 443 traffic between the Web/app server and the ISA server
in the firewall logs. The operation was listed as BIND so traffic was still
not getting all the way out. I then turned off SSL listeners on the ISA
server. After that the app works! I was excited but then a few thoughts came
to mind. Without the SSL listeners enabled, is the traffic going to be
encrypted still? Or have I just bypassed my encryption by opening the port
rather than just allowing SSL listeners to handle the traffic?

Steve

 -----Original Message-----
From:   Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent:   Thursday, January 23, 2003 4:42 PM
To:     [ISAserver.org Discussion List]
Subject:        [isalist] RE: Please help before i have no hair left

http://www.ISAserver.org


Hi Steve,

Sounds similar to the old OWA problem. The client established an SSL
connection with the Incoming Web Requests listener, but then the OWA
site returned links that were HTTP. That didn't work since the user
needed to connect to the Incoming Web Requests listener via HTTPS, not
HTTP. You might want to investigate the Link Translator included in the
Feature Pack 1 and see if that will help, or better, fix your app so
that they establish an SSL connection from the start and don't bounce
between secure and insecure.

HTH,
Tom
www.isaserver.org/shinder
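
The mismatch Tom describes (pages reached over HTTPS that hand back absolute http:// links) can be checked for in a page's HTML before publishing it. The sketch below is an added example, not part of the original messages and not ISA Server's Link Translator code; the host names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Attributes that carry URLs a browser will follow or load.
URL_ATTRS = {"href", "src", "action"}

class LinkCollector(HTMLParser):
    """Collect (tag, attribute, url) for every URL-bearing attribute."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.links.append((tag, name, value))

def find_insecure_links(html, published_hosts):
    """Return absolute http:// links aimed at hosts that are published over HTTPS only."""
    collector = LinkCollector()
    collector.feed(html)
    hosts = {h.lower() for h in published_hosts}
    return [(tag, attr, url) for tag, attr, url in collector.links
            if urlsplit(url).scheme.lower() == "http"
            and (urlsplit(url).hostname or "") in hosts]

def translate_link(url, public_host):
    """Rewrite one link as a link-translating proxy would: https scheme, public name."""
    parts = urlsplit(url)
    return urlunsplit(("https", public_host, parts.path, parts.query, parts.fragment))

# Constructed sample page: internal name, public name, relative and external links.
SAMPLE_HTML = """
<html><body>
<a href="http://webmail-internal/exchange/inbox">Inbox</a>
<img src="/exchweb/img/logo.gif">
<form action="http://mail.example.com/exchange/send" method="post"></form>
<a href="https://mail.example.com/exchange/help">Help</a>
<a href="http://www.example.org/">External site</a>
</body></html>
"""

if __name__ == "__main__":
    published = {"webmail-internal", "mail.example.com"}  # assumed published names
    for tag, attr, url in find_insecure_links(SAMPLE_HTML, published):
        print(f"<{tag} {attr}> {url} -> {translate_link(url, 'mail.example.com')}")
```

Relative links and links to unrelated hosts are left alone; only absolute http:// links to the published names are reported, since those are the ones that send the client away from the HTTPS listener.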


-----Original Message-----
From: Stephen Herrera [mailto:sherrera@xxxxxxxxxx] 
Sent: Thursday, January 23, 2003 4:54 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Please help before i have no hair left



I am installing WebDemo on a web server in my DMZ. I have a back to back
ISA environment. The website for WebDemo is accessed on port 80 and the
website passes you to port 443 for the application when you start it.

For my LAN I have made a DNS entry that points to the internal IP of the
web server when LAN clients go to www.myapp.com so they go straight to
the server. I have a port listener on the web server and can see port 80
being hit when they view the website and then port 443 when they use the
application.

For outside clients I have followed the "Configuring SSL Bridging"
tutorial to set up the web server and publish the website. I have made
sure that when I ping www.myapp.com from the external ISA server the
internal IP is returned. When I try from the outside I see port 80 being
hit when I access the website but the pass to port 443 never happens.

On the ISA server packet filter logs I see the external client
requesting port 443 and I see the publish IP passing traffic back to the
external client but the traffic never gets to the web server.

To test to make sure I have the SSL set up correctly I have stopped the
services of the application so they would not use port 443 and changed
the properties of the website to only accept SSL. When I do this I am
able to access the website both from the outside and from the inside so
I know it is set up correctly. I don't know why ISA will not let the
website pass the client off to the application on 443. Also, I can run
the app from the outside firewall itself. Any thoughts on this?

steve



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
