[isalist] Re: Publishing in ISA2006
- From: "Roy Tsao" <caohuiming@xxxxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Tue, 30 Jan 2007 13:39:49 +0800
The website you published is SSL required, so
- when you publish through HTTP connection, access is denied
- when you redirect to HTTPs by ISA, it works.
Then, you may need to check any changing at your published web server but
not ISA.
----- Original Message -----
From: Ball, Dan
To: isalist@xxxxxxxxxxxxx
Sent: Tuesday, January 30, 2007 1:13 PM
Subject: [isalist] Re: Publishing in ISA2006
Here is the scenario:
- I remove all publishing rules and web listeners, so I can start over.
- I go through the wizard to publish a single webserver. I take all the
defaults, saying no SSL is required.
- When it gets to the part about a web listener, I create a new one, taking
the default settings and specifying no SSL or authentication is required.
- The rule is done; I apply the changes, and test it. I get a 403 error.
- I edit the listener to redirect traffic to HTTPS, and it works.
There must be something simple I missed.
------------------------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Monday, January 29, 2007 11:48 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
The rule works with the related listener.
You cannot evaluate one without including the other - period.
The listener; not the rule is what determines if HTTP/HTTPS redirection is
possible.
If the listener doesn't accept HTTP, then it can't redirect it to HTTPS.
You're not trying to publish a stealth service, are you?
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Ball, Dan
Sent: Monday, January 29, 2007 10:51 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
Not Exchange traffic, but the main web server. They both use the same
listener, so it makes it difficult to modify one but not the other. Once I got
the webserver working, I was planning on taking Tom's suggestion that he had
awhile back and using a redirect page to redirect OWA calls to an alternate
port/listener.
In any case, in this particular instance I'm referring to normal web traffic
that I want in plain-text. Correct me if I'm wrong, but I was under the
assumption that if the publishing rule was not working "non-SSL", then both the
"authenticated traffic" and "all traffic" options would behave the same way.
I.e., they would both return an error if the client wasn't capable of the
connection.
------------------------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Monday, January 29, 2007 11:57 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
You never had ISA 2004 doing the redirects without custom code.
It did not have this option.
Let's get this straight - you want to publish plain-text Exchange web
traffic?!?
Also; "Redirect authenticated traffic from HTTP to HTTPS" option in the web
listener. This works because it redirects all web traffic to HTTPS" is
incorrect; that setting only redirects traffic which has already been
authenticated - probably why only some requests are working. Change it to
redirect "ALL" requests.
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Ball, Dan
Sent: Monday, January 29, 2007 8:04 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
Nope, same server, and ISA_Redirects have never been used on that server. I
used to publish the website without requiring SSL, now that is the only way I
can get it to work. In fact, I used the "connections" tab in the listener to
force everything over to HTTPS, just to get it working. I just can't figure
out how to get it publish "without" SSL, as there seem to be some browsers that
have a problem with that method. While I'd like to tell them to fix their own
system and get over it, that won't fly with a "public" website.
Where can I start looking for clues on this problem?
------------------------------------------------------------------------------
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Monday, January 29, 2007 9:29 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
That error response can only be obtained when web publishing.
IIS response is quite different.
You probably were using the ISA_Redirects tool or something similar and
forgot to move it to the new server.
The good news is that in ISA 2006, such custom mechanisms aren't required.
In the listener "Connections" tab, you can opt to redirect anonymous or
authenticated HTTP connections to HTTPS.
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Roy Tsao
Sent: Monday, January 29, 2007 1:18 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
Original publishing is SSL bridge or tunneling?
----- Original Message -----
From: Ball, Dan
To: isalist@xxxxxxxxxxxxx
Sent: Monday, January 29, 2007 10:40 AM
Subject: [isalist] Publishing in ISA2006
When I upgraded ISA2004 to ISA2006, my published webserver and Exchange
server no longer worked.
Browsing to the website gave me this error:
Error Code: 403 Forbidden. The page must be viewed over a secure channel
(Secure Sockets Layer (SSL)). Contact the server administrator. (12241)
Typing https:// into the URL allowed the traffic to flow.
The only way I could get it to work was to enable the "Redirect
authenticated traffic from HTTP to HTTPS" option in the web listener. This
works because it redirects all web traffic to HTTPS. However, it doesn't work
for all pages, we have a few pages that have problems, and have had reports
from some people that cannot access the website at all.
So, I need to get this working properly again. I've deleted all of the
publishing rules and the web listener several times, recreating everything from
scratch; it still gives me the same error. I've followed every tutorial I
could find, it appears that I'm doing it correctly. There must be some little
detail that I'm missing with ISA2006. Probably something obvious, but it is
eluding me.
Anyone have any ideas?
All mail to and from this domain is GFI-scanned.
All mail to and from this domain is GFI-scanned.
All mail to and from this domain is GFI-scanned.
Other related posts:
