Exactly, but the bank didn't describe the real problem. They only sent me a picture with the ISA changes needed for the software to work.

See: there's an application called WEBTA of Bradesco's Bank in Brazil that's installed on the local machine. The user uses this application, which accesses the bank's website http://officebanking.bradesco.com.br. There, the user uses an SSL site, and when he opens the session, it asks for a local certificate; he points to the local certificate and the software begins to negotiate with the bank's servers. At this moment, the negotiation only uses SSL and HTTP. I see it in the ISA webproxy log. All connection statuses are allowed. But the certificate isn't negotiated, and the software shows me a timeout.

I have a workstation that's outside the LAN, directly on the Internet (not behind a firewall). When the user uses it to connect to the bank, it works well.

The technical department of the bank tells me that for ISA Server and WebTA to work together, ISA needs to be changed to:

1. "Send to requested Web Server"
2. Client firewall should be installed on local machine
3. Create a protocol rule with HTTP, HTTPS AND FTP DOWNLOAD ONLY.

With this scenario, it works. But I don't agree with them. These settings aren't good.

Alex

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Thursday, November 7, 2002 20:46
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: RES: Re: RES: Re: Channel WebProxy

http://www.ISAserver.org

Negotiation of the client certificate through the web proxy service is irrelevant. Port 443 is the standard port for SSL, but it doesn't depend on the Web Proxy service, nor does it mean that they're actually using it for SSL communications. SecureNAT and Firewall clients can also use port 443 if an appropriate protocol rule is in place. You haven't described the actual problem that causes your bank to define your ISA setup.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
http://isatools.org
Read the help / books / articles!

----- Original Message -----
From: Alex Decarli
To: [ISAserver.org Discussion List]
Sent: Thursday, November 07, 2002 10:07 AM
Subject: [isalist] RES: Re: RES: Re: Channel WebProxy

http://www.ISAserver.org

I agree about the array. But port 443 is used by web-based clients, am I right? So the HTTP redirector affects them. My doubt is whether the negotiation of the client certificate (in this particular case) is made through the webproxy service. If I set up the firewall client, can I negotiate directly with the bank's server?

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Thursday, November 7, 2002 15:53
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: RES: Re: Channel WebProxy

http://www.ISAserver.org

The solution is only useful if you have more than one server in the ISA Array. How many servers are you using? The application filter they vaguely refer to is the HTTP redirector and the setting will only apply to SecureNAT and Firewall clients. As long as the remainder of your LAT hosts are Web Proxy clients, this setting will not affect them.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
http://isatools.org
Read the help / books / articles!

----- Original Message -----
From: Alex Decarli
To: [ISAserver.org Discussion List]
Sent: Thursday, November 07, 2002 7:40 AM
Subject: [isalist] RES: Re: Channel WebProxy

http://www.ISAserver.org

The web log shows me connections allowed on port 443. There are no log entries with deny. A relevant detail is that it negotiates a certificate with the bank server.

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Thursday, November 7, 2002 13:39
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Channel WebProxy

http://www.ISAserver.org

Take a look in the web logs; it'll tell you if the SSL connection is using a port other than 443. If so then you'll need to add another SSL tunnel port range for the ISA.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/pages/author_index.asp?aut=3
http://isatools.org
Read the help / books / articles!

----- Original Message -----
From: Alex Decarli
To: [ISAserver.org Discussion List]
Sent: Monday, November 04, 2002 10:43 AM
Subject: [isalist] Channel WebProxy

http://www.ISAserver.org

Hi folks,

I have an exclusive client that needs to run a specific application from a Brazilian bank that does not allow a channel with the ISA WebProxy Service. The solution that the bank gave me was: set "Send to requested Web Server" in the application filter so that the access works properly, and install the firewall client. But if I do that, all network clients will complain about Internet performance, because web caching will not be done. I only need to allow this specific client to run the Internet SSL page and this socket application software without the WebProxy channel. How can I do this?

Alex Decarli

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
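
The check suggested in the thread, looking in the web logs for SSL connections on a port other than 443, can be scripted. The following is an added example, not code from any participant in the thread; it assumes a tab-separated W3C extended log whose `#Fields:` line names the columns, and the field names, hosts and client address in the sample are constructed.

```python
from collections import Counter

# Constructed sample in W3C extended layout; the field names and values are
# assumptions for illustration, not taken from the thread's logs.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: c-ip\tr-host\tr-port\tcs-protocol\tsc-status",
    "10.0.0.25\tbank.example\t443\tSSL-tunnel\t200",
    "10.0.0.25\tbank.example\t8443\tSSL-tunnel\t200",
    "10.0.0.31\tnews.example\t80\thttp\t200",
    "10.0.0.25\tbank.example\t8443\tSSL-tunnel\t200",
])


def parse_w3c(text):
    """Yield one dict per record, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))


def non_standard_ssl_ports(text, client_ip, standard_port=443):
    """Count tunnelled connections from one client to ports other than 443."""
    hits = Counter()
    for rec in parse_w3c(text):
        if rec.get("c-ip") != client_ip:
            continue
        if rec.get("cs-protocol", "").lower() != "ssl-tunnel":
            continue
        port = rec.get("r-port", "")
        if port.isdigit() and int(port) != standard_port:
            hits[(rec["r-host"], int(port))] += 1
    return hits


if __name__ == "__main__":
    found = non_standard_ssl_ports(SAMPLE_LOG, "10.0.0.25")
    for (host, port), n in found.items():
        print(f"{host}:{port} seen {n} time(s); candidate for an extra tunnel port range")
```

An empty result for the affected workstation means every tunnelled connection already goes to port 443, so adding a tunnel port range would not change anything.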