[isalist] Problem with outbound SSL traffic

  • From: "Mayo, Bill" <bemayo@xxxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 1 Feb 2008 10:16:53 -0500

I have started migrating staff to our new ISA 2006 servers for outbound
traffic and am seeing a problem.  It appears that the problem comes up
when they go to a secure site.  When I do live log tracking, I show that
the requests are failing because they failed to match any rules (and are
hitting the default deny rule).  However, I have a rule that allows HTTP
and HTTPS traffic for these staff.  In researching the problem, what I
have found is that the problem goes away if I set the rule to allow "all
content types".  The rule was set up to disallow some content types,
such as application.  What is interesting is that even if I select
EVERY available content type, the traffic will still fail.

In troubleshooting, I have seen failures for types of ".js" and ".swf",
but I have ensured that they are included in an allowed file type at
this point.  The 2 things that triggered the complaints were trying to
access Yahoo mail and Gmail.  We also tried another secure site,
PayPal, to try and determine if it was every SSL site and that failed,
too.  I don't know if it is default behavior or not, but in the failed
requests it shows the destination address as the ISA Server address
(External (10.100.199.11:443)) while the request shows the site they are
trying to access (e.g. www.google.com:443).  When I enable all content
types, the destination shows the actual site.

I am new to the logging feature and ISA 2006 (we are migrating from
version 2000--ouch), so I may be missing something entirely.  We really
need to be able to disable average staff from downloading executables
and some media types (e.g. video), and I thought this was the right way
to approach it.  Does anyone have any suggestion, comment, etc?  I have
no doubt there is something I am doing wrong or missing, but I am not
sure where to go from here.

~~~~~~~~~~
Bill Mayo
Network Administrator
Pitt County MIS

