[isalist] Re: Publishing in ISA2006
- From: "Ball, Dan" <DBall@xxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Wed, 31 Jan 2007 14:35:15 -0500
Not that I know of. I do not need SSL on that rule at all, and haven't
knowingly done that.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Wednesday, January 31, 2007 1:24 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
I've been swamped with another project, but are you sure you've not
created rules requiring client authentication over ssl from the outside?
Are you just trying to publish a site over SSL?
t
On 1/31/07 9:11 AM, "Ball, Dan" <DBall@xxxxxxxxxxx> spoketh to all:
I'm publishing two separate webservers right now and they are both
having the same problem, and both are reachable from the Intranet with
no SSL required.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
<mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Roy Tsao
Sent: Wednesday, January 31, 2007 8:59 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
- You may create another test webserver
- Use your exising publishing rule to publish that new test site
I am still wondering the configuration at your web server side.
----- Original Message -----
From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>
<mailto:DBall@xxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Wednesday, January 31, 2007 8:57 PM
Subject: [isalist] Re: Publishing in ISA2006
Okay, I worked on it for quite awhile, cleaned up rules and
removed defined protocols that weren't in use anymore, and still get the
error... I was able to possibly identify the cause of the previous log
though, and bring it down to three log entries that occur every time I
attempt to access the website when the redirect to HTTPS is disabled.
Original Client IP Client Agent Authenticated
Client Service Server Name Referring Server Destination Host
Name Transport MIME Type Object Source Source Proxy
Destination Proxy Bidirectional Client Host Name Filter
Information Network Interface Raw IP Header Raw
Payload GMT Log Time Source Port Processing Time
Bytes Sent Bytes Received Result Code HTTP Status Code
Cache Information Error Information Log Record Type
Authentication Server Log Time Destination IP
Destination Port Protocol Action Rule Client IP
Client Username Source Network Destination Network
HTTP Method URL
0.0.0.0 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0;
SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; MAPSIE; InfoPath.2;
MAPSIE) Yes Reverse Proxy GATEWAY
www.mapsnet.org TCP - -
- Req ID: 13fae90a - - -
1/31/2007 3:18:58 AM 0 1 2293 392
12241 The page must be viewed over a secure channel (Secure Sockets
Layer (SSL)). Contact the server administrator. 0x0 0x0
Web Proxy Filter 1/30/2007 10:18:58 PM
24.213.58.250 80 http Failed Connection Attempt
Web Server 75.128.225.6 anonymous External
GET http://www.mapsnet.org/
75.128.225.6 GATEWAY
- TCP -
- 1/31/2007 3:18:58 AM
51603 12000 644 2505 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN
0x0 0x0 Firewall - 1/30/2007 10:18:58 PM
24.213.58.250 80 HTTP Closed Connection
75.128.225.6 External Local Host -
-
75.128.225.6 GATEWAY
- TCP -
- 1/31/2007 3:18:58 AM
51604 0 0 0 0x0 ERROR_SUCCESS 0x0
0x0 Firewall - 1/30/2007 10:18:58 PM 24.213.58.250 80
HTTP Initiated Connection 75.128.225.6
External Local Host - -
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
<mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Ball, Dan
Sent: Tuesday, January 30, 2007 1:20 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
No, that's the whole point; it's not supposed to authenticate
incoming connections! *grin*
Reviewing the logs further, I'm starting to get even more
confused... The "SERVERNAME" portion refers to my PDC, but the IP
associated with it in each request changes from my ISA server to the
webserver. Initially, I was looking at the webserver as a possible
culprit, but the more I look at it I'm starting to look at the ISA
server instead.
I'll test it some more tonight if I can, disabling a couple of
suspect rules (and SurfControl) as a test to see if they might be the
culprit.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
<mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Steve Moffat
Sent: Tuesday, January 30, 2007 1:05 PM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006
You are authenticating incoming clients??
Against what?
S
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
<mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Ball, Dan
Sent: Tuesday, January 30, 2007 11:15 AM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006
Okay, now we're getting somewhere... I didn't see anything
sticking out, so I started looking for other events around the same
timeframe. I ran across several WEBDAV entries that repeated themselves
about the same timeframe, AND they contained the same text I saw in
IE...
Original Client IP Client Agent Authenticated
Client Service Server Name Referring Server Destination Host
Name Transport MIME Type Object Source Source Proxy
Destination Proxy Bidirectional Client Host Name Filter
Information Network Interface Raw IP Header Raw
Payload GMT Log Time Source Port Processing Time
Bytes Sent Bytes Received Result Code HTTP Status Code
Cache Information Error Information Log Record Type
Authentication Server Log Time Destination IP
Destination Port Protocol Action Rule Client IP
Client Username Source Network Destination Network
HTTP Method URL
0.0.0.0 Microsoft-WebDAV-MiniRedir/6.0.6000
Reverse Proxy GATEWAY - SERVERNAME TCP -
Req ID: 13da6168 1/29/2007
2:33:07 AM 0 1 141 146 12241
The page must be viewed over a secure channel (Secure Sockets Layer
(SSL)). Contact the server administrator. 0x0 0x0
Web Proxy Filter - 1/28/2007 9:33:07 PM
24.213.58.250 80 http Failed Connection Attempt
Web Server 75.128.225.6 anonymous External
- OPTIONS http://SERVERNAME/
0.0.0.0 Microsoft-WebDAV-MiniRedir/6.0.6000
Reverse Proxy GATEWAY - servername TCP -
Internet Req ID: 13da616a
1/29/2007 2:33:07 AM 0 16 430 146
200 0x40020000 0xc00 Web Proxy Filter -
1/28/2007 9:33:07 PM 10.20.1.4 80 https
Allowed Connection Web Server 75.128.225.6 anonymous
External - OPTIONS http://servername/
0.0.0.0 Microsoft-WebDAV-MiniRedir/6.0.6000
Reverse Proxy GATEWAY - SERVERNAME TCP -
Req ID: 13da616c 1/29/2007
2:33:07 AM 0 1 152 168 12241
The page must be viewed over a secure channel (Secure Sockets Layer
(SSL)). Contact the server administrator. 0x0 0x0
Web Proxy Filter - 1/28/2007 9:33:07 PM
24.213.58.250 80 http Failed Connection Attempt
Web Server 75.128.225.6 anonymous External -
PROPFIND http://SERVERNAME/Hiddenshare$
<http://technology/Technology$> <http://technology/Technology$>
Looks like there is a request to my PDC every time, and it is
being blocked because it is an anonymous outbound connection on port 80.
That explains why I'm getting the errors, now to figure out why it is
doing that.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
<mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Steve Moffat
Sent: Tuesday, January 30, 2007 8:09 AM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006
What do the ISA logs say??
S
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
<mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Ball, Dan
Sent: Tuesday, January 30, 2007 9:00 AM
To: ISA Mailing List
Subject: [isalist] Re: Publishing in ISA2006
Webserver is on internal network; no SSL required at the
webserver itself (Just tested it again to make sure).
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
<mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Roy Tsao
Sent: Tuesday, January 30, 2007 12:40 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
The website you published is SSL required, so
- when you publish through HTTP connection, access is denied
- when you redirect to HTTPs by ISA, it works.
Then, you may need to check any changing at your published web
server but
not ISA.
----- Original Message -----
From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>
<mailto:DBall@xxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Tuesday, January 30, 2007 1:13 PM
Subject: [isalist] Re: Publishing in ISA2006
Here is the scenario:
- I remove all publishing rules and web listeners, so I
can start over.
- I go through the wizard to publish a single webserver.
I take all the defaults, saying no SSL is required.
- When it gets to the part about a web listener, I
create a new one, taking the default settings and specifying no SSL or
authentication is required.
- The rule is done; I apply the changes, and test it. I
get a 403 error.
- I edit the listener to redirect traffic to HTTPS, and
it works.
There must be something simple I missed...
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
<mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Jim Harrison
Sent: Monday, January 29, 2007 11:48 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
The rule works with the related listener.
You cannot evaluate one without including the other -
period.
The listener; not the rule is what determines if
HTTP/HTTPS redirection is possible.
If the listener doesn't accept HTTP, then it can't
redirect it to HTTPS.
You're not trying to publish a stealth service, are you?
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
<mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Ball, Dan
Sent: Monday, January 29, 2007 10:51 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
Not Exchange traffic, but the main web server. They
both use the same listener, so it makes it difficult to modify one but
not the other. Once I got the webserver working, I was planning on
taking Tom's suggestion that he had awhile back and using a redirect
page to redirect OWA calls to an alternate port/listener.
In any case, in this particular instance I'm referring
to normal web traffic that I want in plain-text. Correct me if I'm
wrong, but I was under the assumption that if the publishing rule was
not working "non-SSL", then both the "authenticated traffic" and "all
traffic" options would behave the same way. I.e., they would both
return an error if the client wasn't capable of the connection.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
<mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Jim Harrison
Sent: Monday, January 29, 2007 11:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
You never had ISA 2004 doing the redirects without
custom code.
It did not have this option.
Let's get this straight - you want to publish plain-text
Exchange web traffic?!?
Also; "Redirect authenticated traffic from HTTP to
HTTPS" option in the web listener. This works because it redirects all
web traffic to HTTPS" is incorrect; that setting only redirects traffic
which has already been authenticated - probably why only some requests
are working. Change it to redirect "ALL" requests.
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
<mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Ball, Dan
Sent: Monday, January 29, 2007 8:04 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
Nope, same server, and ISA_Redirects have never been
used on that server. I used to publish the website without requiring
SSL, now that is the only way I can get it to work. In fact, I used the
"connections" tab in the listener to force everything over to HTTPS,
just to get it working. I just can't figure out how to get it publish
"without" SSL, as there seem to be some browsers that have a problem
with that method. While I'd like to tell them to fix their own system
and get over it, that won't fly with a "public" website.
Where can I start looking for clues on this problem?
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
<mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Jim Harrison
Sent: Monday, January 29, 2007 9:29 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
That error response can only be obtained when web
publishing.
IIS response is quite different.
You probably were using the ISA_Redirects tool or
something similar and forgot to move it to the new server.
The good news is that in ISA 2006, such custom
mechanisms aren't required.
In the listener "Connections" tab, you can opt to
redirect anonymous or authenticated HTTP connections to HTTPS.
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
<mailto:isalist-bounce@xxxxxxxxxxxxx%5d> On Behalf Of Roy Tsao
Sent: Monday, January 29, 2007 1:18 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
Original publishing is SSL bridge or tunneling?
----- Original Message -----
From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>
<mailto:DBall@xxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Monday, January 29, 2007 10:40 AM
Subject: [isalist] Publishing in ISA2006
When I upgraded ISA2004 to ISA2006, my published
webserver and Exchange server no longer worked.
Browsing to the website gave me this error:
Error Code: 403 Forbidden. The page must be
viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the
server administrator. (12241)
Typing https:// into the URL allowed the traffic
to flow.
The only way I could get it to work was to
enable the "Redirect authenticated traffic from HTTP to HTTPS" option in
the web listener. This works because it redirects all web traffic to
HTTPS. However, it doesn't work for all pages, we have a few pages that
have problems, and have had reports from some people that cannot access
the website at all.
So, I need to get this working properly again.
I've deleted all of the publishing rules and the web listener several
times, recreating everything from scratch; it still gives me the same
error. I've followed every tutorial I could find, it appears that I'm
doing it correctly. There must be some little detail that I'm missing
with ISA2006. Probably something obvious, but it is eluding me...
Anyone have any ideas?
All mail to and from this domain is GFI-scanned.
All mail to and from this domain is GFI-scanned.
All mail to and from this domain is GFI-scanned.
Other related posts:
