Man, you are a true sadist! I lost count of how many hours I spent to get RainConnect and SurfControl working, and you want me to start over? Ack! Actually, if I can't figure it out, I might have to resort to a nuke and pave route... Hope not though... ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat Sent: Wednesday, January 31, 2007 9:12 PM To: ISA Mailing List Subject: [isalist] Re: Publishing in ISA2006 This is a vanilla install of ISA? No 3rd party addons? Surfcontrol I seem to remember is your fav...:-) Uninstall Surfcontrol, delete your rules and listeners and start from scratch just by publishing the standard website. and see if it works... From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan Sent: Wednesday, January 31, 2007 10:01 PM To: ISA Mailing List Subject: [isalist] Re: Publishing in ISA2006 You are correct, that is not what I want. But, whenever I disable the redirect users get a 403 forbidden error. I'd be happy to disable all SSL on the listener, but for some reason it won't work without it. ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Wednesday, January 31, 2007 6:20 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Publishing in ISA2006 You can't have it both ways - either you want SSL publishing or you don't. If you configure the rule to "redirect HTTP to HTTPS", then you force the users to connect using HTTPS, which you say you don't want. From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan Sent: Wednesday, January 31, 2007 11:39 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Publishing in ISA2006 Please excuse my poor description; it is a difficult problem to describe. To summarize, I do NOT want to redirect ANY traffic on this rule to HTTPS, but have "had" to do that because it won't work without it. I wasn't ignoring your clues; they were just describing what I already had done as a "patch" to get it working. ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Wednesday, January 31, 2007 12:41 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Publishing in ISA2006 Clues have been provided and ignored. If you want ISA to redirect HTTP to HTTPS, then you have three choices: 1. Configure this at the listener - of course, you have to allow HTTP at the listener for this to work and this only works for ISA 2006 2. Create a "deny" rule that uses a redirect URL for any HTTP connections - of course, this means you have to allow HTTP at the related listener 3. Use a custom "redirector" such as ISA_Redirects.zip or other If all you do is configure the publishing rule to "notify HTTP users to use HTTPS instead", you get the behavior you've been describing all along and is indicated in the logs. From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan Sent: Wednesday, January 31, 2007 9:12 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Publishing in ISA2006 I'm publishing two separate webservers right now and they are both having the same problem, and both are reachable from the Intranet with no SSL required. ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao Sent: Wednesday, January 31, 2007 8:59 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Publishing in ISA2006 - You may create another test webserver - Use your exising publishing rule to publish that new test site I am still wondering the configuration at your web server side. ----- Original Message ----- From: Ball, Dan <mailto:DBall@xxxxxxxxxxx> To: isalist@xxxxxxxxxxxxx Sent: Wednesday, January 31, 2007 8:57 PM Subject: [isalist] Re: Publishing in ISA2006 Okay, I worked on it for quite awhile, cleaned up rules and removed defined protocols that weren't in use anymore, and still get the error... I was able to possibly identify the cause of the previous log though, and bring it down to three log entries that occur every time I attempt to access the website when the redirect to HTTPS is disabled. Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Authentication Server Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL 0.0.0.0 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; MAPSIE; InfoPath.2; MAPSIE) Yes Reverse Proxy GATEWAY www.mapsnet.org TCP - - - Req ID: 13fae90a - - - 1/31/2007 3:18:58 AM 0 1 2293 392 12241 The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator. 0x0 0x0 Web Proxy Filter 1/30/2007 10:18:58 PM 24.213.58.250 80 http Failed Connection Attempt Web Server 75.128.225.6 anonymous External GET http://www.mapsnet.org/ 75.128.225.6 GATEWAY - TCP - - 1/31/2007 3:18:58 AM 51603 12000 644 2505 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN 0x0 0x0 Firewall - 1/30/2007 10:18:58 PM 24.213.58.250 80 HTTP Closed Connection 75.128.225.6 External Local Host - - 75.128.225.6 GATEWAY - TCP - - 1/31/2007 3:18:58 AM 51604 0 0 0 0x0 ERROR_SUCCESS 0x0 0x0 Firewall - 1/30/2007 10:18:58 PM 24.213.58.250 80 HTTP Initiated Connection 75.128.225.6 External Local Host - - ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan Sent: Tuesday, January 30, 2007 1:20 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Publishing in ISA2006 No, that's the whole point; it's not supposed to authenticate incoming connections! *grin* Reviewing the logs further, I'm starting to get even more confused... The "SERVERNAME" portion refers to my PDC, but the IP associated with it in each request changes from my ISA server to the webserver. Initially, I was looking at the webserver as a possible culprit, but the more I look at it I'm starting to look at the ISA server instead. I'll test it some more tonight if I can, disabling a couple of suspect rules (and SurfControl) as a test to see if they might be the culprit. ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat Sent: Tuesday, January 30, 2007 1:05 PM To: ISA Mailing List Subject: [isalist] Re: Publishing in ISA2006 You are authenticating incoming clients?? Against what? S From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan Sent: Tuesday, January 30, 2007 11:15 AM To: ISA Mailing List Subject: [isalist] Re: Publishing in ISA2006 Okay, now we're getting somewhere... I didn't see anything sticking out, so I started looking for other events around the same timeframe. I ran across several WEBDAV entries that repeated themselves about the same timeframe, AND they contained the same text I saw in IE... Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Authentication Server Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL 0.0.0.0 Microsoft-WebDAV-MiniRedir/6.0.6000 Reverse Proxy GATEWAY - SERVERNAME TCP - Req ID: 13da6168 1/29/2007 2:33:07 AM 0 1 141 146 12241 The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator. 0x0 0x0 Web Proxy Filter - 1/28/2007 9:33:07 PM 24.213.58.250 80 http Failed Connection Attempt Web Server 75.128.225.6 anonymous External - OPTIONS http://SERVERNAME/ 0.0.0.0 Microsoft-WebDAV-MiniRedir/6.0.6000 Reverse Proxy GATEWAY - servername TCP - Internet Req ID: 13da616a 1/29/2007 2:33:07 AM 0 16 430 146 200 0x40020000 0xc00 Web Proxy Filter - 1/28/2007 9:33:07 PM 10.20.1.4 80 https Allowed Connection Web Server 75.128.225.6 anonymous External - OPTIONS http://servername/ 0.0.0.0 Microsoft-WebDAV-MiniRedir/6.0.6000 Reverse Proxy GATEWAY - SERVERNAME TCP - Req ID: 13da616c 1/29/2007 2:33:07 AM 0 1 152 168 12241 The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator. 0x0 0x0 Web Proxy Filter - 1/28/2007 9:33:07 PM 24.213.58.250 80 http Failed Connection Attempt Web Server 75.128.225.6 anonymous External - PROPFIND http://SERVERNAME/Hiddenshare$ <http://technology/Technology$> Looks like there is a request to my PDC every time, and it is being blocked because it is an anonymous outbound connection on port 80. That explains why I'm getting the errors, now to figure out why it is doing that. ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat Sent: Tuesday, January 30, 2007 8:09 AM To: ISA Mailing List Subject: [isalist] Re: Publishing in ISA2006 What do the ISA logs say?? S From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan Sent: Tuesday, January 30, 2007 9:00 AM To: ISA Mailing List Subject: [isalist] Re: Publishing in ISA2006 Webserver is on internal network; no SSL required at the webserver itself (Just tested it again to make sure). ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao Sent: Tuesday, January 30, 2007 12:40 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Publishing in ISA2006 The website you published is SSL required, so - when you publish through HTTP connection, access is denied - when you redirect to HTTPs by ISA, it works. Then, you may need to check any changing at your published web server but not ISA. ----- Original Message ----- From: Ball, Dan <mailto:DBall@xxxxxxxxxxx> To: isalist@xxxxxxxxxxxxx Sent: Tuesday, January 30, 2007 1:13 PM Subject: [isalist] Re: Publishing in ISA2006 Here is the scenario: - I remove all publishing rules and web listeners, so I can start over. - I go through the wizard to publish a single webserver. I take all the defaults, saying no SSL is required. - When it gets to the part about a web listener, I create a new one, taking the default settings and specifying no SSL or authentication is required. - The rule is done; I apply the changes, and test it. I get a 403 error. - I edit the listener to redirect traffic to HTTPS, and it works. There must be something simple I missed... ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Monday, January 29, 2007 11:48 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Publishing in ISA2006 The rule works with the related listener. You cannot evaluate one without including the other - period. The listener; not the rule is what determines if HTTP/HTTPS redirection is possible. If the listener doesn't accept HTTP, then it can't redirect it to HTTPS. You're not trying to publish a stealth service, are you? From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan Sent: Monday, January 29, 2007 10:51 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Publishing in ISA2006 Not Exchange traffic, but the main web server. They both use the same listener, so it makes it difficult to modify one but not the other. Once I got the webserver working, I was planning on taking Tom's suggestion that he had awhile back and using a redirect page to redirect OWA calls to an alternate port/listener. In any case, in this particular instance I'm referring to normal web traffic that I want in plain-text. Correct me if I'm wrong, but I was under the assumption that if the publishing rule was not working "non-SSL", then both the "authenticated traffic" and "all traffic" options would behave the same way. I.e., they would both return an error if the client wasn't capable of the connection. ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Monday, January 29, 2007 11:57 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Publishing in ISA2006 You never had ISA 2004 doing the redirects without custom code. It did not have this option. Let's get this straight - you want to publish plain-text Exchange web traffic?!? Also; "Redirect authenticated traffic from HTTP to HTTPS" option in the web listener. This works because it redirects all web traffic to HTTPS" is incorrect; that setting only redirects traffic which has already been authenticated - probably why only some requests are working. Change it to redirect "ALL" requests. From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ball, Dan Sent: Monday, January 29, 2007 8:04 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Publishing in ISA2006 Nope, same server, and ISA_Redirects have never been used on that server. I used to publish the website without requiring SSL, now that is the only way I can get it to work. In fact, I used the "connections" tab in the listener to force everything over to HTTPS, just to get it working. I just can't figure out how to get it publish "without" SSL, as there seem to be some browsers that have a problem with that method. While I'd like to tell them to fix their own system and get over it, that won't fly with a "public" website. Where can I start looking for clues on this problem? ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Monday, January 29, 2007 9:29 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Publishing in ISA2006 That error response can only be obtained when web publishing. IIS response is quite different. You probably were using the ISA_Redirects tool or something similar and forgot to move it to the new server. The good news is that in ISA 2006, such custom mechanisms aren't required. In the listener "Connections" tab, you can opt to redirect anonymous or authenticated HTTP connections to HTTPS. From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao Sent: Monday, January 29, 2007 1:18 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Publishing in ISA2006 Original publishing is SSL bridge or tunneling? ----- Original Message ----- From: Ball, Dan <mailto:DBall@xxxxxxxxxxx> To: isalist@xxxxxxxxxxxxx Sent: Monday, January 29, 2007 10:40 AM Subject: [isalist] Publishing in ISA2006 When I upgraded ISA2004 to ISA2006, my published webserver and Exchange server no longer worked. Browsing to the website gave me this error: Error Code: 403 Forbidden. The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator. (12241) Typing https:// into the URL allowed the traffic to flow. The only way I could get it to work was to enable the "Redirect authenticated traffic from HTTP to HTTPS" option in the web listener. This works because it redirects all web traffic to HTTPS. However, it doesn't work for all pages, we have a few pages that have problems, and have had reports from some people that cannot access the website at all. So, I need to get this working properly again. I've deleted all of the publishing rules and the web listener several times, recreating everything from scratch; it still gives me the same error. I've followed every tutorial I could find, it appears that I'm doing it correctly. There must be some little detail that I'm missing with ISA2006. Probably something obvious, but it is eluding me... Anyone have any ideas? All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned. All mail to and from this domain is GFI-scanned.