[isalist] Re: Publishing in ISA2006

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: "Ball, Dan" <DBall@xxxxxxxxxxx>, <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 31 Jan 2007 12:05:43 -0500

So, does anyone have a clue of what to look at next?  The logs tell me
that the connection request comes in, uses the correct web publishing
rule, and then it fails with "Failed Connection Attempt" (12241 SSL
required error), and that's about it...

 

I cannot find anything in the firewall policies that says SSL is
required, and have rebuilt the publishing rules many times.

 

________________________________

From: Ball, Dan 
Sent: Tuesday, January 30, 2007 11:21 PM
To: 'isalist@xxxxxxxxxxxxx'
Subject: RE: [isalist] Re: Publishing in ISA2006

 

Okay, I worked on it for quite awhile, cleaned up rules and removed
defined protocols that weren't in use anymore, and still get the
error...  I was able to possibly identify the cause of the previous log
though, and bring it down to three log entries that occur every time I
attempt to access the website when the redirect to HTTPS is disabled.

 

Original Client IP            Client Agent      Authenticated Client
Service  Server Name      Referring Server Destination Host Name
Transport           MIME Type        Object Source   Source Proxy
Destination Proxy          Bidirectional      Client Host Name    Filter
Information            Network Interface           Raw IP Header   Raw
Payload     GMT Log Time   Source Port            Processing Time
Bytes Sent        Bytes Received  Result Code      HTTP Status Code
Cache Information            Error Information            Log Record
Type            Authentication Server     Log Time           Destination
IP    Destination Port      Protocol            Action   Rule
Client IP            Client Username            Source Network
Destination Network            HTTP Method    URL

0.0.0.0  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET
CLR 2.0.50727; .NET CLR 3.0.04506; MAPSIE; InfoPath.2; MAPSIE)      Yes
Reverse Proxy   GATEWAY                    www.mapsnet.org          TCP
-            -                       -           Req ID: 13fae90a
-           -           -           1/31/2007 3:18:58 AM    0          1
2293            392                   12241 The page must be viewed over
a secure channel (Secure Sockets Layer (SSL)). Contact the server
administrator.       0x0       0x0       Web Proxy Filter
1/30/2007 10:18:58 PM  24.213.58.250    80         http
Failed Connection Attempt          Web Server       75.128.225.6
anonymous       External                        GET
http://www.mapsnet.org/

75.128.225.6                                         GATEWAY        -
TCP      -
-                                               1/31/2007 3:18:58 AM
51603   12000   644       2505     0x80074e20 FWX_E_GRACEFUL_SHUTDOWN
0x0       0x0       Firewall -           1/30/2007 10:18:58 PM
24.213.58.250    80            HTTP    Closed Connection
75.128.225.6                 External            Local Host         -
-

75.128.225.6                                         GATEWAY        -
TCP      -
-                                               1/31/2007 3:18:58 AM
51604   0          0          0          0x0 ERROR_SUCCESS
0x0       0x0       Firewall -           1/30/2007 10:18:58 PM
24.213.58.250    80         HTTP    Initiated Connection
75.128.225.6                 External            Local Host         -
-

 

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Tuesday, January 30, 2007 1:20 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

 

No, that's the whole point; it's not supposed to authenticate incoming
connections! *grin* 

 

Reviewing the logs further, I'm starting to get even more confused...
The "SERVERNAME" portion refers to my PDC, but the IP associated with it
in each request changes from my ISA server to the webserver.  Initially,
I was looking at the webserver as a possible culprit, but the more I
look at it I'm starting to look at the ISA server instead.

 

I'll test it some more tonight if I can, disabling a couple of suspect
rules (and SurfControl) as a test to see if they might be the culprit.

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: Tuesday, January 30, 2007 1:05 PM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006

 

You are authenticating incoming clients??

 

Against what?

 

S

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Tuesday, January 30, 2007 11:15 AM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006

 

Okay, now we're getting somewhere...  I didn't see anything sticking
out, so I started looking for other events around the same timeframe.  I
ran across several WEBDAV entries that repeated themselves about the
same timeframe, AND they contained the same text I saw in IE...

 

 

Original Client IP            Client Agent      Authenticated Client
Service  Server Name      Referring Server Destination Host Name
Transport           MIME Type        Object Source   Source Proxy
Destination Proxy          Bidirectional      Client Host Name    Filter
Information            Network Interface           Raw IP Header   Raw
Payload     GMT Log Time   Source Port            Processing Time
Bytes Sent        Bytes Received  Result Code      HTTP Status Code
Cache Information            Error Information            Log Record
Type            Authentication Server     Log Time           Destination
IP    Destination Port      Protocol            Action   Rule
Client IP            Client Username            Source Network
Destination Network            HTTP Method    URL

0.0.0.0  Microsoft-WebDAV-MiniRedir/6.0.6000                Reverse
Proxy   GATEWAY        -           SERVERNAME TCP      -
Req ID: 13da6168                                              1/29/2007
2:33:07 AM    0            1          141       146
12241 The page must be viewed over a secure channel (Secure Sockets
Layer (SSL)). Contact the server administrator.             0x0
0x0       Web Proxy Filter            -           1/28/2007 9:33:07 PM
24.213.58.250    80         http       Failed Connection Attempt
Web Server       75.128.225.6     anonymous            External
-           OPTIONS          http://SERVERNAME/

0.0.0.0  Microsoft-WebDAV-MiniRedir/6.0.6000                Reverse
Proxy   GATEWAY        -           servername        TCP      -
Internet                                                 Req ID:
13da616a                                              1/29/2007 2:33:07
AM    0            16         430       146                   200
0x40020000       0xc00   Web Proxy Filter            -
1/28/2007 9:33:07 PM       10.20.1.4           80         https
Allowed Connection        Web Server       75.128.225.6     anonymous
External            -           OPTIONS          http://servername/

0.0.0.0  Microsoft-WebDAV-MiniRedir/6.0.6000                Reverse
Proxy   GATEWAY        -           SERVERNAME TCP      -
Req ID: 13da616c                                              1/29/2007
2:33:07 AM    0            1          152       168
12241 The page must be viewed over a secure channel (Secure Sockets
Layer (SSL)). Contact the server administrator.             0x0
0x0       Web Proxy Filter            -           1/28/2007 9:33:07 PM
24.213.58.250    80         http       Failed Connection Attempt
Web Server       75.128.225.6     anonymous            External
-           PROPFIND        http://SERVERNAME/Hiddenshare$
<http://technology/Technology$> 

 

Looks like there is a request to my PDC every time, and it is being
blocked because it is an anonymous outbound connection on port 80.  That
explains why I'm getting the errors, now to figure out why it is doing
that.

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: Tuesday, January 30, 2007 8:09 AM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006

 

What do the ISA logs say??

S

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Tuesday, January 30, 2007 9:00 AM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006

 

Webserver is on internal network; no SSL required at the webserver
itself (Just tested it again to make sure).

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Roy Tsao
Sent: Tuesday, January 30, 2007 12:40 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006

 

The website you published is SSL required, so

- when you publish through HTTP connection, access is denied

- when you redirect to HTTPs by ISA, it works.

Then, you may need to check any changing at your published web server
but

not ISA.

 

 

 

        ----- Original Message ----- 

        From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>  

        To: isalist@xxxxxxxxxxxxx 

        Sent: Tuesday, January 30, 2007 1:13 PM

        Subject: [isalist] Re: Publishing in ISA2006

         

        Here is the scenario:

        - I remove all publishing rules and web listeners, so I can
start over.

        - I go through the wizard to publish a single webserver.  I take
all the defaults, saying no SSL is required.

        - When it gets to the part about a web listener, I create a new
one, taking the default settings and specifying no SSL or authentication
is required.

        - The rule is done; I apply the changes, and test it.  I get a
403 error.

        - I edit the listener to redirect traffic to HTTPS, and it
works.

         

        There must be something simple I missed...

         

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Monday, January 29, 2007 11:48 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing in ISA2006

         

        The rule works with the related listener.

        You cannot evaluate one without including the other - period.

        The listener; not the rule is what determines if HTTP/HTTPS
redirection is possible.

        If the listener doesn't accept HTTP, then it can't redirect it
to HTTPS.

        You're not trying to publish a stealth service, are you?

         

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
        Sent: Monday, January 29, 2007 10:51 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing in ISA2006

         

        Not Exchange traffic, but the main web server.  They both use
the same listener, so it makes it difficult to modify one but not the
other.  Once I got the webserver working, I was planning on taking Tom's
suggestion that he had awhile back and using a redirect page to redirect
OWA calls to an alternate port/listener.

         

        In any case, in this particular instance I'm referring to normal
web traffic that I want in plain-text.  Correct me if I'm wrong, but I
was under the assumption that if the publishing rule was not working
"non-SSL", then both the "authenticated traffic" and "all traffic"
options would behave the same way.  I.e., they would both return an
error if the client wasn't capable of the connection.  

         

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Monday, January 29, 2007 11:57 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing in ISA2006

         

        You never had ISA 2004 doing the redirects without custom code.

        It did not have this option.

         

        Let's get this straight - you want to publish plain-text
Exchange web traffic?!?

        Also; "Redirect authenticated traffic from HTTP to HTTPS" option
in the web listener.  This works because it redirects all web traffic to
HTTPS" is incorrect; that setting only redirects traffic which has
already been authenticated - probably why only some requests are
working.  Change it to redirect "ALL" requests.

         

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
        Sent: Monday, January 29, 2007 8:04 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing in ISA2006

         

        Nope, same server, and ISA_Redirects have never been used on
that server.  I used to publish the website without requiring SSL, now
that is the only way I can get it to work.  In fact, I used the
"connections" tab in the listener to force everything over to HTTPS,
just to get it working.  I just can't figure out how to get it publish
"without" SSL, as there seem to be some browsers that have a problem
with that method.  While I'd like to tell them to fix their own system
and get over it, that won't fly with a "public" website.  

         

        Where can I start looking for clues on this problem?

         

        
________________________________


        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Monday, January 29, 2007 9:29 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing in ISA2006

         

        That error response can only be obtained when web publishing.

        IIS response is quite different.

        You probably were using the ISA_Redirects tool or something
similar and forgot to move it to the new server.

        The good news is that in ISA 2006, such custom mechanisms aren't
required.

        In the listener "Connections" tab, you can opt to redirect
anonymous or authenticated HTTP connections to HTTPS.

         

        From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
        Sent: Monday, January 29, 2007 1:18 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing in ISA2006

         

        Original publishing is SSL bridge or tunneling?

                ----- Original Message ----- 

                From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>  

                To: isalist@xxxxxxxxxxxxx 

                Sent: Monday, January 29, 2007 10:40 AM

                Subject: [isalist] Publishing in ISA2006

                 

                When I upgraded ISA2004 to ISA2006, my published
webserver and Exchange server no longer worked.  

                 

                Browsing to the website gave me this error:

                Error Code: 403 Forbidden. The page must be viewed over
a secure channel (Secure Sockets Layer (SSL)). Contact the server
administrator. (12241)

                 

                Typing https:// into the URL allowed the traffic to
flow.

                 

                The only way I could get it to work was to enable the
"Redirect authenticated traffic from HTTP to HTTPS" option in the web
listener.  This works because it redirects all web traffic to HTTPS.
However, it doesn't work for all pages, we have a few pages that have
problems, and have had reports from some people that cannot access the
website at all.

                 

                So, I need to get this working properly again.  I've
deleted all of the publishing rules and the web listener several times,
recreating everything from scratch; it still gives me the same error.
I've followed every tutorial I could find, it appears that I'm doing it
correctly.  There must be some little detail that I'm missing with
ISA2006.  Probably something obvious, but it is eluding me...

                 

                Anyone have any ideas?

        All mail to and from this domain is GFI-scanned.

        All mail to and from this domain is GFI-scanned.

        All mail to and from this domain is GFI-scanned.

Other related posts: