[isalist] Re: Publishing in ISA2006

  • From: "Roy Tsao" <caohuiming@xxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 1 Feb 2007 09:58:38 +0800

What's the configuration of "communication" under your publishing rule's 
property?
As Jim said, please check if "notify HTTP users to use HTTPS instead" is 
checked or not.
  ----- Original Message ----- 
  From: Ball, Dan 
  To: isalist@xxxxxxxxxxxxx 
  Sent: Thursday, February 01, 2007 6:52 AM
  Subject: [isalist] Re: Publishing in ISA2006


  Yep, which is why I don't want to do that.

   


------------------------------------------------------------------------------

  From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
  Sent: Wednesday, January 31, 2007 4:40 PM
  To: isalist@xxxxxxxxxxxxx
  Subject: [isalist] Re: Publishing in ISA2006

   

  If you redirect HTTP traffic to HTTPS, then you've created an SSL Web 
Publishing Rule.

   

  Thomas W Shinder, M.D.
  Site: www.isaserver.org
  Blog: http://blogs.isaserver.org/shinder/
  Book: http://tinyurl.com/3xqb7
  MVP -- Microsoft Firewalls (ISA)

   

     


----------------------------------------------------------------------------

    From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ball, Dan
    Sent: Wednesday, January 31, 2007 1:35 PM
    To: isalist@xxxxxxxxxxxxx
    Subject: [isalist] Re: Publishing in ISA2006

    Not that I know of.  I do not need SSL on that rule at all, and haven't 
knowingly done that.

     


----------------------------------------------------------------------------

    From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
    Sent: Wednesday, January 31, 2007 1:24 PM
    To: isalist@xxxxxxxxxxxxx
    Subject: [isalist] Re: Publishing in ISA2006

     

    I've been swamped with another project, but are you sure you've not created 
rules requiring client authentication over SSL from the outside?  Are you just 
trying to publish a site over SSL?

    t


    On 1/31/07 9:11 AM, "Ball, Dan" <DBall@xxxxxxxxxxx> spoketh to all:

    I'm publishing two separate webservers right now and they are both having 
the same problem, and both are reachable from the Intranet with no SSL 
required.  
     


----------------------------------------------------------------------------

    From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Roy Tsao
    Sent: Wednesday, January 31, 2007 8:59 AM
    To: isalist@xxxxxxxxxxxxx
    Subject: [isalist] Re: Publishing in ISA2006


    - You may create another test webserver

    - Use your existing publishing rule to publish that new test site

    I am still wondering about the configuration on your web server side.


      ----- Original Message ----- 

      From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>  

      To: isalist@xxxxxxxxxxxxx 

      Sent: Wednesday, January 31, 2007 8:57 PM

      Subject: [isalist] Re: Publishing in ISA2006


      Okay, I worked on it for quite a while, cleaned up rules and removed 
defined protocols that weren't in use anymore, and still get the error.  I was 
able to possibly identify the cause of the previous log though, and bring it 
down to three log entries that occur every time I attempt to access the website 
when the redirect to HTTPS is disabled.
       
      Original Client IP            Client Agent      Authenticated Client      
 Service  Server Name      Referring Server Destination Host Name   Transport   
        MIME Type        Object Source   Source Proxy    Destination Proxy      
   Bidirectional      Client Host Name   Filter Information           Network 
Interface          Raw IP Header   Raw Payload     GMT Log Time   Source Port   
        Processing Time            Bytes Sent        Bytes Received  Result 
Code      HTTP Status Code         Cache Information           Error 
Information           Log Record Type           Authentication Server     Log 
Time           Destination IP    Destination Port     Protocol           Action 
  Rule      Client IP            Client Username           Source Network 
Destination Network            HTTP Method    URL
      0.0.0.0  Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET 
CLR 2.0.50727; .NET CLR 3.0.04506; MAPSIE; InfoPath.2; MAPSIE)     Yes      
Reverse Proxy  GATEWAY                   www.mapsnet.org         TCP            
                 -           -                      -           Req ID: 
13fae90a          -          -          -           1/31/2007 3:18:58 AM    0   
      1         2293           392                  12241 The page must be 
viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server 
administrator.      0x0       0x0      Web Proxy Filter                       
1/30/2007 10:18:58 PM  24.213.58.250   80        http            Failed 
Connection Attempt          Web Server       75.128.225.6    anonymous       
External                       GET           http://www.mapsnet.org/
      75.128.225.6                                        GATEWAY       -       
               TCP      -                                                       
              -                                              1/31/2007 3:18:58 
AM    51603   12000  644       2505     0x80074e20 FWX_E_GRACEFUL_SHUTDOWN      
              0x0       0x0      Firewall -          1/30/2007 10:18:58 PM  
24.213.58.250   80           HTTP    Closed Connection                    
75.128.225.6                External           Local Host        -           -
      75.128.225.6                                        GATEWAY       -       
               TCP      -                                                       
              -                                              1/31/2007 3:18:58 
AM    51604  0         0         0          0x0 ERROR_SUCCESS            0x0    
   0x0      Firewall -          1/30/2007 10:18:58 PM  24.213.58.250    80      
  HTTP    Initiated Connection                  75.128.225.6                
External           Local Host        -           -
       
       


--------------------------------------------------------------------------

      From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] 
On Behalf Of Ball, Dan
      Sent: Tuesday, January 30, 2007 1:20 PM
      To: isalist@xxxxxxxxxxxxx
      Subject: [isalist] Re: Publishing in ISA2006

      No, that's the whole point; it's not supposed to authenticate incoming 
connections! *grin* 
       
      Reviewing the logs further, I'm starting to get even more confused.  The 
"SERVERNAME" portion refers to my PDC, but the IP associated with it in each 
request changes from my ISA server to the webserver.  Initially, I was looking 
at the webserver as a possible culprit, but the more I look at it I'm starting 
to look at the ISA server instead.
       
      I'll test it some more tonight if I can, disabling a couple of suspect 
rules (and SurfControl) as a test to see if they might be the culprit.
       


--------------------------------------------------------------------------

      From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] 
On Behalf Of Steve Moffat
      Sent: Tuesday, January 30, 2007 1:05 PM
      To: ISA Mailing List
      Subject: [isalist] Re: Publishing in ISA2006

      You are authenticating incoming clients??
       
      Against what?
       
      S
       

      From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] 
On Behalf Of Ball, Dan
      Sent: Tuesday, January 30, 2007 11:15 AM
      To: ISA Mailing List
      Subject: [isalist] Re: Publishing in ISA2006

      Okay, now we're getting somewhere.  I didn't see anything sticking out, 
so I started looking for other events around the same timeframe.  I ran across 
several WEBDAV entries that repeated themselves about the same timeframe, AND 
they contained the same text I saw in IE.
       
       
      Original Client IP            Client Agent     Authenticated Client       
Service  Server Name      Referring Server Destination Host Name    Transport   
       MIME Type        Object Source  Source Proxy    Destination Proxy        
 Bidirectional      Client Host Name   Filter Information           Network 
Interface          Raw IP Header   Raw Payload     GMT Log Time   Source Port   
        Processing Time            Bytes Sent        Bytes Received  Result 
Code      HTTP Status Code         Cache Information           Error 
Information           Log Record Type           Authentication Server     Log 
Time           Destination IP    Destination Port     Protocol           Action 
  Rule      Client IP           Client Username           Source Network 
Destination Network           HTTP Method    URL
      0.0.0.0 Microsoft-WebDAV-MiniRedir/6.0.6000               Reverse Proxy   
GATEWAY       -           SERVERNAME TCP     -                                  
                                     Req ID: 13da6168                           
                  1/29/2007 2:33:07 AM   0           1         141      146     
             12241 The page must be viewed over a secure channel (Secure 
Sockets Layer (SSL)). Contact the server administrator.            0x0       
0x0      Web Proxy Filter           -           1/28/2007 9:33:07 PM           
24.213.58.250   80        http       Failed Connection Attempt          Web 
Server       75.128.225.6    anonymous           External           -          
OPTIONS          http://SERVERNAME/
      0.0.0.0 Microsoft-WebDAV-MiniRedir/6.0.6000               Reverse Proxy   
GATEWAY       -          servername       TCP     -           Internet          
                                      Req ID: 13da616a                          
                   1/29/2007 2:33:07 AM   0           16        430      146    
              200      0x40020000       0xc00   Web Proxy Filter           -    
       1/28/2007 9:33:07 PM       10.20.1.4          80        https     
Allowed Connection       Web Server      75.128.225.6    anonymous      
External            -          OPTIONS         http://servername/
      0.0.0.0 Microsoft-WebDAV-MiniRedir/6.0.6000               Reverse Proxy   
GATEWAY       -           SERVERNAME TCP      -                                 
                                      Req ID: 13da616c                          
                   1/29/2007 2:33:07 AM    0           1         152      168   
               12241 The page must be viewed over a secure channel (Secure 
Sockets Layer (SSL)). Contact the server administrator.            0x0       
0x0      Web Proxy Filter           -           1/28/2007 9:33:07 PM           
24.213.58.250    80        http       Failed Connection Attempt          Web 
Server      75.128.225.6    anonymous           External           -          
PROPFIND        http://SERVERNAME/Hiddenshare$ <http://technology/Technology$> 
       
      Looks like there is a request to my PDC every time, and it is being 
blocked because it is an anonymous outbound connection on port 80.  That 
explains why I'm getting the errors, now to figure out why it is doing that.
       


--------------------------------------------------------------------------

      From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] 
On Behalf Of Steve Moffat
      Sent: Tuesday, January 30, 2007 8:09 AM
      To: ISA Mailing List
      Subject: [isalist] Re: Publishing in ISA2006

      What do the ISA logs say??
      S
       

      From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] 
On Behalf Of Ball, Dan
      Sent: Tuesday, January 30, 2007 9:00 AM
      To: ISA Mailing List
      Subject: [isalist] Re: Publishing in ISA2006

      Webserver is on internal network; no SSL required at the webserver itself 
(Just tested it again to make sure).
       


--------------------------------------------------------------------------

      From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] 
On Behalf Of Roy Tsao
      Sent: Tuesday, January 30, 2007 12:40 AM
      To: isalist@xxxxxxxxxxxxx
      Subject: [isalist] Re: Publishing in ISA2006


      The website you published requires SSL, so

      - when you publish through an HTTP connection, access is denied

      - when you redirect to HTTPS by ISA, it works.

      Then, you may need to check for any changes at your published web server, 
not at ISA.
        ----- Original Message ----- 

        From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>  

        To: isalist@xxxxxxxxxxxxx 

        Sent: Tuesday, January 30, 2007 1:13 PM

        Subject: [isalist] Re: Publishing in ISA2006


        Here is the scenario:
        - I remove all publishing rules and web listeners, so I can start over.
        - I go through the wizard to publish a single webserver.  I take all 
the defaults, saying no SSL is required.
        - When it gets to the part about a web listener, I create a new one, 
taking the default settings and specifying no SSL or authentication is required.
        - The rule is done; I apply the changes, and test it.  I get a 403 
error.
        - I edit the listener to redirect traffic to HTTPS, and it works.
         
        There must be something simple I missed.
         


------------------------------------------------------------------------

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Monday, January 29, 2007 11:48 PM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing in ISA2006

        The rule works with the related listener.
        You cannot evaluate one without including the other - period.
        The listener, not the rule, is what determines whether HTTP/HTTPS 
redirection is possible.
        If the listener doesn't accept HTTP, then it can't redirect it to HTTPS.
        You're not trying to publish a stealth service, are you?
         

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
        Sent: Monday, January 29, 2007 10:51 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing in ISA2006

        Not Exchange traffic, but the main web server.  They both use the same 
listener, so it makes it difficult to modify one but not the other.  Once I got 
the webserver working, I was planning on taking Tom's suggestion that he had 
a while back and using a redirect page to redirect OWA calls to an alternate 
port/listener.
         
        In any case, in this particular instance I'm referring to normal web 
traffic that I want in plain-text.  Correct me if I'm wrong, but I was under 
the assumption that if the publishing rule was not working "non-SSL", then both 
the "authenticated traffic" and "all traffic" options would behave the same 
way.  I.e., they would both return an error if the client wasn't capable of the 
connection.  
         


------------------------------------------------------------------------

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Monday, January 29, 2007 11:57 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing in ISA2006

        You never had ISA 2004 doing the redirects without custom code.
        It did not have this option.
         
        Let's get this straight - you want to publish plain-text Exchange web 
traffic?!?
        Also, the statement "the 'Redirect authenticated traffic from HTTP to 
HTTPS' option in the web listener ... works because it redirects all web 
traffic to HTTPS" is incorrect; that setting only redirects traffic which has 
already been authenticated - probably why only some requests are working.  
Change it to redirect "ALL" requests.
         

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan
        Sent: Monday, January 29, 2007 8:04 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing in ISA2006

        Nope, same server, and ISA_Redirects have never been used on that 
server.  I used to publish the website without requiring SSL, now that is the 
only way I can get it to work.  In fact, I used the "connections" tab in the 
listener to force everything over to HTTPS, just to get it working.  I just 
can't figure out how to get it publish "without" SSL, as there seem to be some 
browsers that have a problem with that method.  While I'd like to tell them to 
fix their own system and get over it, that won't fly with a "public" website.  
         
        Where can I start looking for clues on this problem?
         


------------------------------------------------------------------------

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
        Sent: Monday, January 29, 2007 9:29 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing in ISA2006


        That error response can only be obtained when web publishing.
        IIS response is quite different.
        You probably were using the ISA_Redirects tool or something similar and 
forgot to move it to the new server.
        The good news is that in ISA 2006, such custom mechanisms aren't 
required.
        In the listener "Connections" tab, you can opt to redirect anonymous or 
authenticated HTTP connections to HTTPS.
         

        From: isalist-bounce@xxxxxxxxxxxxx 
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
        Sent: Monday, January 29, 2007 1:18 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Re: Publishing in ISA2006


        Is the original publishing SSL bridging or tunneling?


          ----- Original Message ----- 

          From: Ball, Dan <mailto:DBall@xxxxxxxxxxx>  

          To: isalist@xxxxxxxxxxxxx 

          Sent: Monday, January 29, 2007 10:40 AM

          Subject: [isalist] Publishing in ISA2006


          When I upgraded ISA2004 to ISA2006, my published webserver and 
Exchange server no longer worked.  
           
          Browsing to the website gave me this error:
          Error Code: 403 Forbidden. The page must be viewed over a secure 
channel (Secure Sockets Layer (SSL)). Contact the server administrator. (12241)

          Typing https:// into the URL allowed the traffic to flow.

          The only way I could get it to work was to enable the "Redirect 
authenticated traffic from HTTP to HTTPS" option in the web listener.  This 
works because it redirects all web traffic to HTTPS.  However, it doesn't work 
for all pages; we have a few pages that have problems, and have had reports 
from some people that cannot access the website at all.
           
          So, I need to get this working properly again.  I've deleted all of 
the publishing rules and the web listener several times, recreating everything 
from scratch; it still gives me the same error.  I've followed every tutorial I 
could find, and it appears that I'm doing it correctly.  There must be some 
little detail that I'm missing with ISA2006.  Probably something obvious, but it 
is eluding me.
           
          Anyone have any ideas? 

        All mail to and from this domain is GFI-scanned. 
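The log triage Dan did by hand in this thread (spotting the result-code-12241 refusals, and the WebDAV MiniRedir OPTIONS/PROPFIND probes to the PDC that were matched by the "Web Server" publishing rule) can be scripted. What follows is an added example, not code from the thread or from ISA Server: it parses a constructed tab-separated export carrying a subset of the ISA web proxy log columns shown above, reports 12241 refusals per URL, and lists every request whose Destination Host Name is not one the publishing rule is meant to serve. The export format, the column subset, the `published_hosts` parameter and the sample records are assumptions made for this example; the values in the records echo the thread (12241, www.mapsnet.org, SERVERNAME, anonymous, GET/OPTIONS/PROPFIND).

```python
"""Triage of ISA Server web-proxy log records for HTTP -> HTTPS publishing problems.

Added example, not from the mailing-list thread or from ISA Server. Given a
W3C-style tab-separated export of ISA web proxy log records, it reports
  * requests refused with result code 12241 ("page must be viewed over a secure
    channel"), grouped by HTTP method and URL, and
  * requests that a publishing rule matched although the requested host is not
    one the rule is meant to serve (an internal server name reached through the
    public listener, as with the WebDAV MiniRedir probes in the thread).
The column subset and the sample records are constructed for this example.
"""
import csv
import io
from collections import Counter, defaultdict

# ISA / WinINet error seen in the thread: the page must be viewed over SSL.
SSL_REQUIRED_RESULT = "12241"

# Constructed sample export: header row plus records modelled on the thread.
SAMPLE_LOG = """\
Client IP\tClient Username\tClient Agent\tDestination Host Name\tDestination Port\tProtocol\tAction\tRule\tResult Code\tHTTP Method\tURL
75.128.225.6\tanonymous\tMozilla/4.0 (compatible; MSIE 7.0)\twww.mapsnet.org\t80\thttp\tFailed Connection Attempt\tWeb Server\t12241\tGET\thttp://www.mapsnet.org/
75.128.225.6\tanonymous\tMicrosoft-WebDAV-MiniRedir/6.0.6000\tSERVERNAME\t80\thttp\tFailed Connection Attempt\tWeb Server\t12241\tOPTIONS\thttp://SERVERNAME/
75.128.225.6\tanonymous\tMicrosoft-WebDAV-MiniRedir/6.0.6000\tservername\t80\thttps\tAllowed Connection\tWeb Server\t200\tOPTIONS\thttp://servername/
75.128.225.6\tanonymous\tMicrosoft-WebDAV-MiniRedir/6.0.6000\tSERVERNAME\t80\thttp\tFailed Connection Attempt\tWeb Server\t12241\tPROPFIND\thttp://SERVERNAME/Hiddenshare$
"""


def parse_log(text):
    """Parse tab-separated records with a header row into a list of dicts."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return list(reader)


def ssl_required_failures(records):
    """Count result-code-12241 refusals per (HTTP method, URL)."""
    counts = Counter()
    for r in records:
        if r["Result Code"] == SSL_REQUIRED_RESULT:
            counts[(r["HTTP Method"], r["URL"])] += 1
    return counts


def unexpected_hosts(records, published_hosts):
    """Requests the rule matched for a host it is not meant to serve.

    Host comparison is case-insensitive: the thread's log shows SERVERNAME and
    servername for the same box.
    """
    allowed = {h.lower() for h in published_hosts}
    hits = defaultdict(list)
    for r in records:
        host = r["Destination Host Name"].lower()
        if host not in allowed:
            hits[host].append((r["Client Agent"], r["HTTP Method"], r["Action"]))
    return dict(hits)


def triage(text, published_hosts):
    """Run both checks over one export and return the findings."""
    records = parse_log(text)
    return {
        "ssl_failures": ssl_required_failures(records),
        "unexpected_hosts": unexpected_hosts(records, published_hosts),
    }


if __name__ == "__main__":
    # published_hosts is the set of public names the rule should answer for.
    result = triage(SAMPLE_LOG, published_hosts=["www.mapsnet.org"])
    for (method, url), n in sorted(result["ssl_failures"].items()):
        print(f"{n}x result 12241: {method} {url}")
    for host, reqs in result["unexpected_hosts"].items():
        print(f"rule matched unexpected host {host!r}:")
        for agent, method, action in reqs:
            print(f"    {method:9} {action:26} {agent}")
```

Run against a real export, the second report is the one to act on: a publishing rule that accepts anonymous port-80 requests for an internal host name is scoped wider than its public name list, and the WebDAV client noise in the thread is exactly what that misscoping looks like in the log.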