RES: Re: RES: Re: RES: Re: Channel WebProxy

• From: "Alex Decarli" <alex@xxxxxxxxxxxxx>
• To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
• Date: Fri, 8 Nov 2002 09:13:35 -0200

exactly,
But the bank didn't describe the real problem.
Only sent-me a picture with the ISA Changes to software work.

See:

There's a aplication called WEBTA of Bradesco's Bank in Brazil that's installed 
on local Machine.
The user uses this aplication that access the banks website 
http://officebanking.bradesco.com.br.
There, the user uses a SSL site and when he opens the session , it order for a 
local certificate,
 he appoints to local certificate and the software begin to negotiate with the 
servers bank.

On this moment, the negotiation only use SSL and HTTP. I see it on ISA webproxy 
log. All connections status are allowed.
But the certificate isn't negotiated. And the software show-me timeout.

I've a workstation that's out of lan , directly on internet (no behind a 
firewall). The user uses it to connect on bank, then it work well.

The technical department of bank, says-me that with the ISA Server and WebTA to 
work together, ISA needs to be changed to:

1. "Send to requested Web Server"
2. Client firewall should be installed on local machine
3. Create a protocol rule with HTTP, HTTPS AND FTP DOWNLOAD ONLY.

with this scenario, it work. But i don't agree with they. 
This settings aren't good..

Alex




-----Mensagem original-----
De: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Enviada em: quinta-feira, 7 de novembro de 2002 20:46
Para: [ISAserver.org Discussion List]
Assunto: [isalist] Re: RES: Re: RES: Re: Channel WebProxy


http://www.ISAserver.org


Negotiation of the client certificate through the web proxy service is 
irrelevant.
Port 443 is the standard port for SSL, but it doesn't depend on the Web Proxy 
service, nor does it mean that they're actually using it for SSL communications.
SecureNAT and Firewall clients can also use port 443 if an appropriate protocol 
rule is in place.

You  haven't described the actual problem that causes your bank to define your 
ISA setup.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://isaserver.org/pages/author_index.asp?aut=3
 http://isatools.org
 Read the help / books / articles!

----- Original Message ----- 
From: Alex Decarli 
To: [ISAserver.org Discussion List] 
Sent: Thursday, November 07, 2002 10:07 AM
Subject: [isalist] RES: Re: RES: Re: Channel WebProxy


http://www.ISAserver.org


I agree about array.
But 443 port is used by WEBBased clients, am I right ?
So, HTTP redirector aftect they.

My doubt is the negotiation of client certificate (in this particular case) is 
made throught
webproxy service. If I set the firewall client, can I to do a directly 
negotiation with the server bank ?
-----Mensagem original-----
De: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Enviada em: quinta-feira, 7 de novembro de 2002 15:53
Para: [ISAserver.org Discussion List]
Assunto: [isalist] Re: RES: Re: Channel WebProxy


http://www.ISAserver.org


The solution is only useful if you have more than one server in the ISA Array.
How many servers are you using?
The application filter they vaguely refer to is the HTTP redirector and the 
setting will only apply to SecureNAT and Firewall clients.
As long as the remainder of your LAT hosts are Web Proxy clients, this setting 
will not affect them.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://isaserver.org/pages/author_index.asp?aut=3
 http://isatools.org
 Read the help / books / articles!

----- Original Message ----- 
From: Alex Decarli 
To: [ISAserver.org Discussion List] 
Sent: Thursday, November 07, 2002 7:40 AM
Subject: [isalist] RES: Re: Channel WebProxy


http://www.ISAserver.org


Web log show-me connection allowed on 443 port.
there's no log entries with deny.

A relevant data is it's negociate a certificate with the Bank Server.
-----Mensagem original-----
De: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Enviada em: quinta-feira, 7 de novembro de 2002 13:39
Para: [ISAserver.org Discussion List]
Assunto: [isalist] Re: Channel WebProxy


http://www.ISAserver.org


Take a look in the web logs; it'll tell you if the SSL connection is using a 
port other than 443.
If so then you'll need to add another SSL tunnel port range for the ISA.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://isaserver.org/pages/author_index.asp?aut=3
 http://isatools.org
 Read the help / books / articles!

----- Original Message ----- 
From: Alex Decarli 
To: [ISAserver.org Discussion List] 
Sent: Monday, November 04, 2002 10:43 AM
Subject: [isalist] Channel WebProxy


http://www.ISAserver.org


Hi folks,


I've a exclusive client that need to run a specific aplication of a Brazilian 
Bank that does not allow a channel with the ISA WebProxy Service.
The solution that the Bank gave-me was:  Send to requested Web Server in 
aplication filter to the access work properlly and install the firewall client.

But , if I do it, all network clients will complain of Internet performance. 
Because the web cache not will be make.
I need only allow the this specified client run internet SSL page and this 
Socket application software without WebProxy Channel. How can I to do this ?


Alex Decarli

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub') 
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
alex@xxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub') 
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub') 
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
alex@xxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub') 
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub') 
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
alex@xxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub') 

Other related posts:

• » RES: Re: RES: Re: RES: Re: Channel WebProxy
• » Re: RES: Re: RES: Re: RES: Re: Channel WebProxy

1. Home
2. isalist
3. Archive
4. 11-2002

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---