RE: SSL problem

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 29 Nov 2004 12:06:04 -0800

You appear to have changed the ISA policies prior to gathering the
ISAInfo, as none of them require SSL and the site now behaves
"normally".

You also have another problem.
NEVER make Microsoft-owned bits available from your web site.
Please relocate them to some non-publicly-available place on your file
server.

All of the web sites are using the same listener (OWA), which is
configured to listen on all external IPs.  You should change this to be
IP-specific.  No need to listen on IPs that shouldn't handle traffic.
Ideally, you want to split the OWA from the "public" rules, as OWA
*should* be SSL-limited.

From the looks of your ipconfig data, you're sitting behind some NAT
"router".  Based on some judicious nslookups, it also appears that you
have a single IP address for your sites.
If this is the case, you'll find it difficult to satisfy the need for
securing the OWA site against the "public" sites.

As a final piece of advice, lose the "Unrestricted Internet access"
rule.
Since it exists and is listed first, your ISA will allow anything that
wants to pass to the Internet.
Based on this policy entry alone, I'd be tempted to blacklist your IP.

All outbound rules should be either user/group- or client-IP-based or
(ideally) both.
There is NO need for an "allow all" rule on your production ISA server;
ever.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
 
 
-----Original Message-----
From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx] 
Sent: Monday, November 29, 2004 10:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL problem

http://www.ISAserver.org

Hi Jim,

I tried to attach the info file to my previous message but since there
is a 97k limit it didn't go through. Anyhow I put it up on
www.leathalproductions.com/temp so simply right click and select "save
as". SSL is turned off for the time being on that site.

Also just to let you know someone else set up ISA 2004, personally I have
been thinking of redoing it from scratch because it looks messy to me.
(shrug)

Regards,
Andrew

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Monday, November 29, 2004 1:06 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: SSL problem

First, this doesn't happen for the whole site, just specific URLs.
This indicates that you have multiple web publishing rules for this
site, at least one of which is requiring SSL-only connections.

For instance:
https://www.leathalproductions.com/crash/knee/kneepics.htm produces the
HTTPS-only response from your ISA, but modifying the URL to use HTTPS
only results in a 10060 error, indicating that your ISA is not listening
on TCP-443.

Network Access Message: The page cannot be displayed 
 
Technical Information (for Support personnel) 
Error Code: 504 Proxy Timeout. The connection timed out. For more
information about this event, see ISA Server Help. (10060) 
IP Address: 66.11.182.215 
Date: 11/29/2004 5:55:27 PM 

Without seeing the details of your web publishing rules, it's impossible
to say where exactly the problem is, but I'll bet Steve's next bad joke
that at least one of your web publishing rules is requiring SSL and you
failed to properly create an SSL listener.

If you're willing to provide your ISAInfo
(http://isatools.org/isainfo/isainfo.zip), we can better direct you.

  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!
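
The configuration problems raised in the two replies above (a rule requiring SSL with no SSL listener behind it, one listener bound to all external IPs and shared by OWA and public rules, and an allow-all outbound rule listed first) can be checked mechanically. The following is an added example, not part of the original thread and not ISA Server code: the policy is a constructed Python model, and every rule name other than "Unrestricted Internet access" and the "OWA" listener is an assumption.

```python
# Constructed model of an ISA-style policy; NOT ISA Server's real export format.
LISTENERS = {"OWA": {"ips": ["*"], "ssl_port": None}}  # "*" = all external IPs

PUBLISH_RULES = [  # web publishing rules; names are constructed
    {"name": "Public site", "listener": "OWA", "require_ssl": False},
    {"name": "OWA", "listener": "OWA", "require_ssl": True},
]

ACCESS_RULES = [  # outbound rules, evaluated top-down; first match wins
    {"name": "Unrestricted Internet access", "action": "allow",
     "protocols": ["*"], "users": ["*"], "sources": ["*"]},
    {"name": "Staff web", "action": "allow", "protocols": ["HTTP", "HTTPS"],
     "users": ["Staff"], "sources": ["10.0.0.0/24"]},
]


def audit(listeners, publish_rules, access_rules):
    """Return (finding, object name) pairs for the issues raised in the thread."""
    findings = []
    for name, lsn in listeners.items():
        if "*" in lsn["ips"]:
            findings.append(("listener-on-all-ips", name))
        ssl_modes = {r["require_ssl"] for r in publish_rules if r["listener"] == name}
        if len(ssl_modes) > 1:  # SSL-only and plain-HTTP rules share one listener
            findings.append(("listener-mixes-ssl-and-public", name))
    for rule in publish_rules:
        if rule["require_ssl"] and listeners[rule["listener"]]["ssl_port"] is None:
            findings.append(("ssl-required-but-no-ssl-listener", rule["name"]))
    allow_all = None
    for rule in access_rules:
        if allow_all:  # everything already matched the earlier allow-all rule
            findings.append(("never-reached-after-allow-all", rule["name"]))
            continue
        unscoped = rule["users"] == ["*"] and rule["sources"] == ["*"]
        if rule["action"] == "allow" and unscoped:
            findings.append(("allow-not-scoped-to-user-or-client-ip", rule["name"]))
            if rule["protocols"] == ["*"]:
                allow_all = rule["name"]
    return findings


if __name__ == "__main__":
    for finding, name in audit(LISTENERS, PUBLISH_RULES, ACCESS_RULES):
        print(f"{finding}: {name}")
```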
 
 
-----Original Message-----
From: Andrew English [mailto:andrew@xxxxxxxxxxxxxxxxxxxxxx] 
Sent: Monday, November 29, 2004 9:21 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] SSL problem

I am having a problem with ISA 2004 and SSL. I have installed and tested
on my local LAN which doesn't proxy through ISA 2004 my SSL cert on
www.leathalproductions.com which locally I am told this page is SSL and
requires https:// to access it. However when I access the same site from
the outside ISA seems to be translating it to HTTP which has left me
totally baffled!?

Andrew



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.

