[isalist] Re: Problem with outbound SSL traffic

  • From: "Mayo, Bill" <bemayo@xxxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 1 Feb 2008 10:41:35 -0500

Tom, that definitely helps.  I did try doing a search to see if it was a
known thing, but my Google-Fu must have been weak.  Thanks very much for
the quick and excellent help!
 
Bill

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Friday, February 01, 2008 10:35 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Problem with outbound SSL traffic


Hi Bill,
 
This is normal and expected behavior. If you try to control by content
type, the SSL connections will fail, since the content type is hidden
inside the SSL tunnel. If you want this kind of control, you need to
enable outbound SSL bridging using ClearTunnel by Collective Software
www.collectivesoftware.com
 
HTH,
Tom
 
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 


________________________________

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mayo, Bill
        Sent: Friday, February 01, 2008 9:17 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Problem with outbound SSL traffic

        I have started migrating staff to our new ISA 2006 servers for
outbound traffic and am seeing a problem.  It appears that the problem
comes up when they go to a secure site.  When I do live log tracking, I
show that the requests are failing because they failed to match any
rules (and are hitting the default deny rule).  However, I have a rule
that allows HTTP and HTTPS traffic for these staff.  In researching the
problem, what I have found is that the problem goes away if I set the
rule to allow "all content types".  The rule was set up to disallow some
content types, such as application.  What is interesting is that even
if I select EVERY available content type, the traffic will still fail.

        In troubleshooting, I have seen failures for types of ".js" and
".swf", but I have ensured that they are included in an allowed file
type at this point.  The 2 things that triggered the complaints were
trying to access Yahoo mail and Gmail.  We also tried another secure
site, PayPal, to try and determine if it was every SSL site and that
failed, too.  I don't know if it is default behavior or not, but in the
failed requests it shows the destination address as the ISA Server
address (External (10.100.199.11:443)) while request shows the site they
are trying to access (e.g. www.google.com:443).
When I enable all content types, the destination shows the actual site.

        I am new to the logging feature and ISA 2006 (we are migrating
from version 2000--ouch), so I may be missing something entirely.  We
really need to be able to disable average staff from downloading
executables and some media types (e.g. video), and I thought this was
the right way to approach it.  Does anyone have any suggestion, comment,
etc?  I have no doubt there is something I am doing wrong or missing,
but I am not sure where to go from here.

        ~~~~~~~~~~ 
        Bill Mayo 
        Network Administrator 
        Pitt County MIS 

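Tom's point that a content-type rule can never match an HTTPS connection, as an added illustration that is not code from the thread or from ISA Server: a toy forward-proxy policy check over constructed HTTP/1.1 messages (the rule model, the `evaluate` helper and the sample traffic are assumptions made for the example).

```python
"""Toy forward-proxy policy check: why a content-type rule never matches HTTPS.

Added illustration; not from the list thread or from ISA Server. Message
formats are real HTTP/1.1; rule model and sample traffic are constructed."""
from typing import FrozenSet, Optional


def request_method(raw: bytes) -> str:
    """Method from the request line, e.g. 'GET' or 'CONNECT'."""
    return raw.split(b"\r\n", 1)[0].decode("ascii").split(" ", 2)[0]


def visible_content_type(request: bytes, response: Optional[bytes]) -> Optional[str]:
    """Media type the proxy can read, or None when the payload is a TLS tunnel.

    After a CONNECT the proxy only relays opaque TLS records: the real request,
    the response and its Content-Type header all sit inside the encrypted
    stream, so there is nothing to inspect (an SSL-bridging proxy that
    terminates TLS would see them, which is the fix Tom points at)."""
    if request_method(request) == "CONNECT" or response is None:
        return None
    header_block = response.split(b"\r\n\r\n", 1)[0]
    for line in header_block.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.decode("latin-1").partition(":")
        if name.strip().lower() == "content-type":
            return value.strip().split(";")[0].strip().lower()
    return None


def evaluate(allowed: Optional[FrozenSet[str]], request: bytes,
             response: Optional[bytes] = None) -> str:
    """'allow' if the access rule matches, otherwise 'deny' (the default rule).

    allowed=None models the rule option "all content types" (no header check).
    A frozenset models a rule with selected types, even if every type in the
    list is selected: the rule still needs a type it can read."""
    if allowed is None:
        return "allow"
    ct = visible_content_type(request, response)
    if ct is None:
        return "deny"          # type unknowable -> the rule cannot match
    return "allow" if ct in allowed else "deny"


# Constructed sample traffic and rule (assumptions for this example).
HTTP_GET = b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
HTML_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html>"
EXE_RESP = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ"
CONNECT_REQ = b"CONNECT mail.example.com:443 HTTP/1.1\r\nHost: mail.example.com:443\r\n\r\n"
WEB_TYPES = frozenset({"text/html", "text/css", "image/png", "application/javascript"})
```

Selecting every listed type still yields a deny for the CONNECT request, which is what Bill observed; only the "all content types" option (`allowed=None`) skips the check, and only a bridging proxy that terminates TLS could apply it to HTTPS content.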
