[isalist] Re: Publishing in ISA2006

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 31 Jan 2007 10:23:43 -0800

I've been swamped with another project, but are you sure you've not created
rules requiring client authentication over SSL from the outside?  Are you
just trying to publish a site over SSL?

t


On 1/31/07 9:11 AM, "Ball, Dan" <DBall@xxxxxxxxxxx> spoketh to all:

> I'm publishing two separate webservers right now and they are both having the
> same problem, and both are reachable from the Intranet with no SSL required.
>  
> 
> 
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
> Behalf Of Roy Tsao
> Sent: Wednesday, January 31, 2007 8:59 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Publishing in ISA2006
>  
> 
> - You may create another test webserver
> 
> - Use your existing publishing rule to publish that new test site
> 
> I am still wondering about the configuration on your web server side.
>> 
>> ----- Original Message -----
>> 
>> From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>
>> 
>> To: isalist@xxxxxxxxxxxxx
>> 
>> Sent: Wednesday, January 31, 2007 8:57 PM
>> 
>> Subject: [isalist] Re: Publishing in ISA2006
>> 
>>  
>> Okay, I worked on it for quite a while, cleaned up rules and removed defined
>> protocols that weren't in use anymore, and still get the error.  I was able
>> to possibly identify the cause of the previous log though, and bring it down
>> to three log entries that occur every time I attempt to access the website
>> when the redirect to HTTPS is disabled.
>>  
>> Record 1 (Web Proxy Filter)
>>   Original Client IP: 0.0.0.0
>>   Client Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; MAPSIE; InfoPath.2; MAPSIE)
>>   Authenticated Client: Yes
>>   Service: Reverse Proxy
>>   Server Name: GATEWAY
>>   Destination Host Name: www.mapsnet.org
>>   Transport: TCP
>>   Filter Information: Req ID: 13fae90a
>>   GMT Log Time: 1/31/2007 3:18:58 AM
>>   Source Port: 0
>>   Processing Time: 1
>>   Bytes Sent: 2293
>>   Bytes Received: 392
>>   Result Code: 12241 The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator.
>>   Cache Information / Error Information: 0x0 / 0x0
>>   Log Record Type: Web Proxy Filter
>>   Log Time: 1/30/2007 10:18:58 PM
>>   Destination IP: 24.213.58.250
>>   Destination Port: 80
>>   Protocol: http
>>   Action: Failed Connection Attempt
>>   Rule: Web Server
>>   Client IP: 75.128.225.6
>>   Client Username: anonymous
>>   Source Network: External
>>   HTTP Method: GET
>>   URL: http://www.mapsnet.org/
>> 
>> Record 2 (Firewall)
>>   Original Client IP: 75.128.225.6
>>   Server Name: GATEWAY
>>   Transport: TCP
>>   GMT Log Time: 1/31/2007 3:18:58 AM
>>   Source Port: 51603
>>   Processing Time: 12000
>>   Bytes Sent: 644
>>   Bytes Received: 2505
>>   Result Code: 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN
>>   Cache Information / Error Information: 0x0 / 0x0
>>   Log Record Type: Firewall
>>   Log Time: 1/30/2007 10:18:58 PM
>>   Destination IP: 24.213.58.250
>>   Destination Port: 80
>>   Protocol: HTTP
>>   Action: Closed Connection
>>   Client IP: 75.128.225.6
>>   Source Network: External
>>   Destination Network: Local Host
>> 
>> Record 3 (Firewall)
>>   Original Client IP: 75.128.225.6
>>   Server Name: GATEWAY
>>   Transport: TCP
>>   GMT Log Time: 1/31/2007 3:18:58 AM
>>   Source Port: 51604
>>   Processing Time: 0
>>   Bytes Sent: 0
>>   Bytes Received: 0
>>   Result Code: 0x0 ERROR_SUCCESS
>>   Cache Information / Error Information: 0x0 / 0x0
>>   Log Record Type: Firewall
>>   Log Time: 1/30/2007 10:18:58 PM
>>   Destination IP: 24.213.58.250
>>   Destination Port: 80
>>   Protocol: HTTP
>>   Action: Initiated Connection
>>   Client IP: 75.128.225.6
>>   Source Network: External
>>   Destination Network: Local Host
>>  
>>  
>> 
>> 
>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Ball, Dan
>> Sent: Tuesday, January 30, 2007 1:20 PM
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: Publishing in ISA2006
>>  
>> No, that's the whole point; it's not supposed to authenticate incoming
>> connections! *grin*
>>  
>> Reviewing the logs further, I'm starting to get even more confused.  The
>> "SERVERNAME" portion refers to my PDC, but the IP associated with it in each
>> request changes from my ISA server to the webserver.  Initially, I was
>> looking at the webserver as a possible culprit, but the more I look at it I'm
>> starting to look at the ISA server instead.
>>  
>> I'll test it some more tonight if I can, disabling a couple of suspect rules
>> (and SurfControl) as a test to see if they might be the culprit.
>>  
>> 
>> 
>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Steve Moffat
>> Sent: Tuesday, January 30, 2007 1:05 PM
>> To: ISA Mailing List
>> Subject: [isalist] Re: Publishing in ISA2006
>>  
>> You are authenticating incoming clients??
>>  
>> Against what?
>>  
>> S
>>  
>> 
>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Ball, Dan
>> Sent: Tuesday, January 30, 2007 11:15 AM
>> To: ISA Mailing List
>> Subject: [isalist] Re: Publishing in ISA2006
>>  
>> Okay, now we're getting somewhere.  I didn't see anything sticking out, so I
>> started looking for other events around the same timeframe.  I ran across
>> several WEBDAV entries that repeated themselves about the same timeframe, AND
>> they contained the same text I saw in IE.
>>  
>>  
>> Record 1 (Web Proxy Filter)
>>   Original Client IP: 0.0.0.0
>>   Client Agent: Microsoft-WebDAV-MiniRedir/6.0.6000
>>   Service: Reverse Proxy
>>   Server Name: GATEWAY
>>   Destination Host Name: SERVERNAME
>>   Transport: TCP
>>   Filter Information: Req ID: 13da6168
>>   GMT Log Time: 1/29/2007 2:33:07 AM
>>   Source Port: 0
>>   Processing Time: 1
>>   Bytes Sent: 141
>>   Bytes Received: 146
>>   Result Code: 12241 The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator.
>>   Cache Information / Error Information: 0x0 / 0x0
>>   Log Record Type: Web Proxy Filter
>>   Log Time: 1/28/2007 9:33:07 PM
>>   Destination IP: 24.213.58.250
>>   Destination Port: 80
>>   Protocol: http
>>   Action: Failed Connection Attempt
>>   Rule: Web Server
>>   Client IP: 75.128.225.6
>>   Client Username: anonymous
>>   Source Network: External
>>   HTTP Method: OPTIONS
>>   URL: http://SERVERNAME/
>> 
>> Record 2 (Web Proxy Filter)
>>   Original Client IP: 0.0.0.0
>>   Client Agent: Microsoft-WebDAV-MiniRedir/6.0.6000
>>   Service: Reverse Proxy
>>   Server Name: GATEWAY
>>   Destination Host Name: servername
>>   Transport: TCP
>>   Object Source: Internet
>>   Filter Information: Req ID: 13da616a
>>   GMT Log Time: 1/29/2007 2:33:07 AM
>>   Source Port: 0
>>   Processing Time: 16
>>   Bytes Sent: 430
>>   Bytes Received: 146
>>   Result Code: 200
>>   Cache Information / Error Information: 0x40020000 / 0xc00
>>   Log Record Type: Web Proxy Filter
>>   Log Time: 1/28/2007 9:33:07 PM
>>   Destination IP: 10.20.1.4
>>   Destination Port: 80
>>   Protocol: https
>>   Action: Allowed Connection
>>   Rule: Web Server
>>   Client IP: 75.128.225.6
>>   Client Username: anonymous
>>   Source Network: External
>>   HTTP Method: OPTIONS
>>   URL: http://servername/
>> 
>> Record 3 (Web Proxy Filter)
>>   Original Client IP: 0.0.0.0
>>   Client Agent: Microsoft-WebDAV-MiniRedir/6.0.6000
>>   Service: Reverse Proxy
>>   Server Name: GATEWAY
>>   Destination Host Name: SERVERNAME
>>   Transport: TCP
>>   Filter Information: Req ID: 13da616c
>>   GMT Log Time: 1/29/2007 2:33:07 AM
>>   Source Port: 0
>>   Processing Time: 1
>>   Bytes Sent: 152
>>   Bytes Received: 168
>>   Result Code: 12241 The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator.
>>   Cache Information / Error Information: 0x0 / 0x0
>>   Log Record Type: Web Proxy Filter
>>   Log Time: 1/28/2007 9:33:07 PM
>>   Destination IP: 24.213.58.250
>>   Destination Port: 80
>>   Protocol: http
>>   Action: Failed Connection Attempt
>>   Rule: Web Server
>>   Client IP: 75.128.225.6
>>   Client Username: anonymous
>>   Source Network: External
>>   HTTP Method: PROPFIND
>>   URL: http://SERVERNAME/Hiddenshare$ <http://technology/Technology$>
>>  
>> Looks like there is a request to my PDC every time, and it is being blocked
>> because it is an anonymous outbound connection on port 80.  That explains why
>> I'm getting the errors, now to figure out why it is doing that.
>>  
>> 
>> 
>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Steve Moffat
>> Sent: Tuesday, January 30, 2007 8:09 AM
>> To: ISA Mailing List
>> Subject: [isalist] Re: Publishing in ISA2006
>>  
>> What do the ISA logs say??
>> S
>>  
>> 
>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Ball, Dan
>> Sent: Tuesday, January 30, 2007 9:00 AM
>> To: ISA Mailing List
>> Subject: [isalist] Re: Publishing in ISA2006
>>  
>> Webserver is on internal network; no SSL required at the webserver itself
>> (Just tested it again to make sure).
>>  
>> 
>> 
>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
>> Behalf Of Roy Tsao
>> Sent: Tuesday, January 30, 2007 12:40 AM
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] Re: Publishing in ISA2006
>>  
>> 
>> The website you published requires SSL, so
>> 
>> - when you publish through an HTTP connection, access is denied
>> 
>> - when you redirect to HTTPS by ISA, it works.
>> 
>> Then, you may need to check for any change at your published web server, but
>> 
>> not at ISA.
>> 
>>  
>>> 
>>> ----- Original Message -----
>>> 
>>> From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>
>>> 
>>> To: isalist@xxxxxxxxxxxxx
>>> 
>>> Sent: Tuesday, January 30, 2007 1:13 PM
>>> 
>>> Subject: [isalist] Re: Publishing in ISA2006
>>> 
>>>  
>>> Here is the scenario:
>>> - I remove all publishing rules and web listeners, so I can start over.
>>> - I go through the wizard to publish a single webserver.  I take all the
>>> defaults, saying no SSL is required.
>>> - When it gets to the part about a web listener, I create a new one, taking
>>> the default settings and specifying no SSL or authentication is required.
>>> - The rule is done; I apply the changes, and test it.  I get a 403 error.
>>> - I edit the listener to redirect traffic to HTTPS, and it works.
>>>  
>>> There must be something simple I missed?
>>>  
>>> 
>>> 
>>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Jim Harrison
>>> Sent: Monday, January 29, 2007 11:48 PM
>>> To: isalist@xxxxxxxxxxxxx
>>> Subject: [isalist] Re: Publishing in ISA2006
>>>  
>>> The rule works with the related listener.
>>> You cannot evaluate one without including the other – period.
>>> The listener, not the rule, is what determines if HTTP/HTTPS redirection is
>>> possible.
>>> If the listener doesn't accept HTTP, then it can't redirect it to HTTPS.
>>> You're not trying to publish a stealth service, are you?
>>>  
>>> 
>>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Ball, Dan
>>> Sent: Monday, January 29, 2007 10:51 AM
>>> To: isalist@xxxxxxxxxxxxx
>>> Subject: [isalist] Re: Publishing in ISA2006
>>>  
>>> Not Exchange traffic, but the main web server.  They both use the same
>>> listener, so it makes it difficult to modify one but not the other.  Once I
>>> got the webserver working, I was planning on taking Tom's suggestion that he
>>> had a while back and using a redirect page to redirect OWA calls to an
>>> alternate port/listener.
>>>  
>>> In any case, in this particular instance I'm referring to normal web traffic
>>> that I want in plain-text.  Correct me if I'm wrong, but I was under the
>>> assumption that if the publishing rule was not working "non-SSL", then both
>>> the "authenticated traffic" and "all traffic" options would behave the same
>>> way.  I.e., they would both return an error if the client wasn't capable of
>>> the connection.
>>>  
>>> 
>>> 
>>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Jim Harrison
>>> Sent: Monday, January 29, 2007 11:57 AM
>>> To: isalist@xxxxxxxxxxxxx
>>> Subject: [isalist] Re: Publishing in ISA2006
>>>  
>>> You never had ISA 2004 doing the redirects without custom code.
>>> It did not have this option.
>>>  
>>> Let's get this straight – you want to publish plain-text Exchange web
>>> traffic?!?
>>> Also, "'Redirect authenticated traffic from HTTP to HTTPS' option in the web
>>> listener.  This works because it redirects all web traffic to HTTPS" is
>>> incorrect; that setting only redirects traffic which has already been
>>> authenticated – probably why only some requests are working.  Change it to
>>> redirect "ALL" requests.
>>>  
>>> 
>>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Ball, Dan
>>> Sent: Monday, January 29, 2007 8:04 AM
>>> To: isalist@xxxxxxxxxxxxx
>>> Subject: [isalist] Re: Publishing in ISA2006
>>>  
>>> Nope, same server, and ISA_Redirects have never been used on that server.  I
>>> used to publish the website without requiring SSL, now that is the only way
>>> I can get it to work.  In fact, I used the "connections" tab in the listener
>>> to force everything over to HTTPS, just to get it working.  I just can't
>>> figure out how to get it to publish "without" SSL, as there seem to be some
>>> browsers that have a problem with that method.  While I'd like to tell them
>>> to fix their own system and get over it, that won't fly with a "public"
>>> website.
>>>  
>>> Where can I start looking for clues on this problem?
>>>  
>>> 
>>> 
>>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Jim Harrison
>>> Sent: Monday, January 29, 2007 9:29 AM
>>> To: isalist@xxxxxxxxxxxxx
>>> Subject: [isalist] Re: Publishing in ISA2006
>>>  
>>> 
>>> That error response can only be obtained when web publishing.
>>> IIS response is quite different.
>>> You probably were using the ISA_Redirects tool or something similar and
>>> forgot to move it to the new server.
>>> The good news is that in ISA 2006, such custom mechanisms aren't required.
>>> In the listener "Connections" tab, you can opt to redirect anonymous or
>>> authenticated HTTP connections to HTTPS.
>>>  
>>> 
>>> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
>>> Behalf Of Roy Tsao
>>> Sent: Monday, January 29, 2007 1:18 AM
>>> To: isalist@xxxxxxxxxxxxx
>>> Subject: [isalist] Re: Publishing in ISA2006
>>>  
>>> 
>>> Original publishing is SSL bridge or tunneling?
>>>> 
>>>> ----- Original Message -----
>>>> 
>>>> From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>
>>>> 
>>>> To: isalist@xxxxxxxxxxxxx
>>>> 
>>>> Sent: Monday, January 29, 2007 10:40 AM
>>>> 
>>>> Subject: [isalist] Publishing in ISA2006
>>>> 
>>>>  
>>>> When I upgraded ISA2004 to ISA2006, my published webserver and Exchange
>>>> server no longer worked.
>>>>  
>>>> Browsing to the website gave me this error:
>>>> Error Code: 403 Forbidden. The page must be viewed over a secure channel
>>>> (Secure Sockets Layer (SSL)). Contact the server administrator. (12241)
>>>>  
>>>> Typing https:// into the URL allowed the traffic to flow.
>>>>  
>>>> The only way I could get it to work was to enable the "Redirect
>>>> authenticated traffic from HTTP to HTTPS" option in the web listener.  This
>>>> works because it redirects all web traffic to HTTPS.  However, it doesn't
>>>> work for all pages; we have a few pages that have problems, and have had
>>>> reports from some people that cannot access the website at all.
>>>>  
>>>> So, I need to get this working properly again.  I've deleted all of the
>>>> publishing rules and the web listener several times, recreating everything
>>>> from scratch; it still gives me the same error.  I've followed every
>>>> tutorial I could find, and it appears that I'm doing it correctly.  There must
>>>> be some little detail that I'm missing with ISA2006.  Probably something
>>>> obvious, but it is eluding me?
>>>>  
>>>> Anyone have any ideas?
>>> All mail to and from this domain is GFI-scanned.
> 
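Dan's triage in this thread was done by reading the pasted log export by eye: picking out the entries that carry result code 12241, noticing that the failing ones are anonymous plain-HTTP requests on port 80, and that the WebDAV Mini-Redirector ones ask for the PDC's internal name rather than the published site. The Python script below, added here as an example and not part of the original thread or of ISA Server, does the same triage on a constructed tab-separated ISA 2006 web proxy log export. The field names are a subset of the log header the thread pastes; the sample rows are typed in for this example (modelled on the thread's entries, not copied from a real log), and the public host name www.mapsnet.org and all function and constant names are this example's own.

```python
"""Triage an ISA Server 2006 web proxy log export for result code 12241
('The page must be viewed over a secure channel') failures.

Sample input is constructed for this example: a tab-separated export
using a subset of the field names the thread's log header shows.
"""
import csv
import io
from collections import Counter

# ISA result code that accompanies "The page must be viewed over a secure channel".
SECURE_CHANNEL_REQUIRED = "12241"

FIELDS = [
    "Client Agent", "Authenticated Client", "Destination Host Name",
    "Result Code", "Destination IP", "Destination Port", "Protocol",
    "Action", "Rule", "Client IP", "Client Username", "HTTP Method", "URL",
]

MSIE = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; "
        ".NET CLR 2.0.50727; .NET CLR 3.0.04506; MAPSIE; InfoPath.2; MAPSIE)")
WEBDAV = "Microsoft-WebDAV-MiniRedir/6.0.6000"
SSL_MSG = ("12241 The page must be viewed over a secure channel "
           "(Secure Sockets Layer (SSL)). Contact the server administrator.")

# Constructed rows: one browser GET to the published site and the three
# WebDAV requests the thread describes (two rejected, one allowed).
_ROWS = [
    [MSIE, "Yes", "www.mapsnet.org", SSL_MSG, "24.213.58.250", "80", "http",
     "Failed Connection Attempt", "Web Server", "75.128.225.6", "anonymous",
     "GET", "http://www.mapsnet.org/"],
    [WEBDAV, "-", "SERVERNAME", SSL_MSG, "24.213.58.250", "80", "http",
     "Failed Connection Attempt", "Web Server", "75.128.225.6", "anonymous",
     "OPTIONS", "http://SERVERNAME/"],
    [WEBDAV, "-", "servername", "200", "10.20.1.4", "80", "https",
     "Allowed Connection", "Web Server", "75.128.225.6", "anonymous",
     "OPTIONS", "http://servername/"],
    [WEBDAV, "-", "SERVERNAME", SSL_MSG, "24.213.58.250", "80", "http",
     "Failed Connection Attempt", "Web Server", "75.128.225.6", "anonymous",
     "PROPFIND", "http://SERVERNAME/Hiddenshare$"],
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in [FIELDS] + _ROWS) + "\n"


def parse_isa_log(text):
    """Parse a tab-separated ISA log export whose first line names the fields."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def result_code(record):
    """ISA writes the numeric code followed by its description; keep the number."""
    return record["Result Code"].split(" ", 1)[0]


def secure_channel_failures(records):
    """Requests the listener rejected with 'must be viewed over SSL'."""
    return [r for r in records if result_code(r) == SECURE_CHANNEL_REQUIRED]


def summarize(records):
    """Count entries by (client program, HTTP method, host the client asked for)."""
    return Counter(
        (r["Client Agent"].split(" ", 1)[0], r["HTTP Method"],
         r["Destination Host Name"])
        for r in records
    )


def hosts_outside_published_name(records, public_host):
    """Host names requested through the listener that are not the published
    site, e.g. an internal server name sent by the WebDAV Mini-Redirector."""
    return {r["Destination Host Name"] for r in records
            if r["Destination Host Name"].lower() != public_host.lower()}


if __name__ == "__main__":
    recs = parse_isa_log(SAMPLE_LOG)
    fails = secure_channel_failures(recs)
    print(f"{len(fails)} of {len(recs)} requests rejected with "
          f"{SECURE_CHANNEL_REQUIRED}")
    for key, n in summarize(fails).most_common():
        print(f"  {n:>3}  {key[0]:<40} {key[1]:<8} {key[2]}")
    print("Hosts other than the published site:",
          hosts_outside_published_name(fails, "www.mapsnet.org"))
```

Run against a real export, the summary separates the browser requests to the public name from the Mini-Redirector requests to the internal name; the thread's conclusion that the latter are what is hitting the listener anonymously on port 80 is exactly what `hosts_outside_published_name` surfaces.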

