RE: UPS Worldship

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 20 Jan 2004 13:15:05 -0800

The fun part about SSL tunneling through ISA is that the web proxy service 
really doesn't know what the connection state is.
The "64" and "995" entries you see are normal.
Unfortunately, these don't help you much, but that's what we have to work with.

The good part of this is that if you see the entries in the web proxy log, then 
the app is making proxy requests.
Remove the proxy settings from the app, set the HTTP Redirector to "send to 
requested.." or disable it and retry the connection.
Watch your web and fw logs; if it's still in the web proxy log, you're still 
talking to the web proxy.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "Michael Weber" <mweber@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, January 20, 2004 12:52
Subject: [isalist] RE: UPS Worldship


http://www.ISAserver.org

The change to the HTTP redirector doesn't change anything.  The same
error still occurs.

I guess I'm a little fuzzy on which type of connection is occurring with
the UPS software (and with IE).  If I choose "Deny all" on the HTTP
redirector and add "*.ups.com" to the <don't use proxy> list of IE then
I shouldn't be able to get to http://www.ups.com or
https://www.uoss.ups.com.  I successfully cannot get to
http://www.ups.com, but I can still access https://www.uoss.ups.com.  Is
it because SSL is involved?

My misunderstanding, I think, is that in the UPS logs, whenever I have
the proxy enabled, I get a separate proxy CONNECT command to the ISA
server.  However you seem to have the proxy server enabled in the UPS
client, and do not get a separate proxy CONNECT command to the ISA
server.  So it seems like the HTTP redirector is not coming into play.
Are these two phenomena connected in any way?

And again, I'd like to thank you for all of your guidance.

Michael Weber
Director of Engineering
XT Racing
 
1065B Nine North Dr
Alpharetta, GA  30004
Phone: 770-992-3795
Fax: 678-990-7920

-----Original Message-----
From: Fares Rihani (Personal) [mailto:Fares@xxxxxxxxxx] 
Sent: Tuesday, January 20, 2004 3:01 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: UPS Worldship


Michael,

Yes if the firewall client is installed then the client is a firewall
client, likewise if a client has its gateway set to the internal ip of
the isa server then it is considered a secure NAT client.  Ok, when you
configure the UPS worldship to use direct connection and set it to use a
proxy server, use the port specified as the outgoing web listener
(8080), NOT the port of a SOCKS filter (1080).  This is only to force
the UPS client to connect as a firewall client.  

You may want to test to see if the UPS Worldship IS compatible with the
web proxy service by changing the HTTP redirector option to "Redirect to
local Web Proxy service" with the unavailable redirect enabled. 

Also, after changing settings restart the services.

Fares Rihani


-----Original Message-----
From: Michael Weber [mailto:mweber@xxxxxxxxxxxx]
Sent: Tuesday, January 20, 2004 1:50 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: UPS Worldship



Oh yes, I forgot one thing.  Isn't a client defined a firewall client by
installing and enabling the firewall software?

-----Original Message-----
From: Michael Weber [mailto:mweber@xxxxxxxxxxxx]
Sent: Tuesday, January 20, 2004 1:43 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: UPS Worldship



The HTTP Redirector Filter is set to "send request to server."
The outgoing web requests has integrated authentication.

I'm confused now.  If I tell Worldship to access the proxy server then
it will access the proxy server, not the firewall client, because I told
it to access the proxy server.  So the HTTP redirector filter will not
be in play.  Is that not right?

However, from your UPS log it seems that even though you have the proxy
server enabled in UPS, UPS is bypassing the proxy and using the firewall
client.

Yes -- I have seen that log when I'm not behind the ISA server (laptop
dial-up).

Michael Weber
Director of Engineering
XT Racing
 
1065B Nine North Dr
Alpharetta, GA  30004
Phone: 770-992-3795
Fax: 678-990-7920

-----Original Message-----
From: Fares Rihani (Personal) [mailto:Fares@xxxxxxxxxx] 
Sent: Tuesday, January 20, 2004 1:15 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: UPS Worldship


I am getting unreliable connects to www.uoss.ups.com here as well.  But
when a connect goes through all is smooth.  I would check the HTTP
Redirector Filter settings (send request to server) and make sure the
client is secureNat or a Firewall client.  Also, under Outgoing web
requests, is the listener set to Integrated authentication (or maybe try
enabling basic with domain "\")? 
It just seems like your ssl request is not getting through.  Here is a
successful http trace: 
01/20/2004 Host IP address  = (153.2.73.100)
01/20/2004 SSL Handshake successful.
01/20/2004 cipher = RC4-40,  keySize = 128,  secretKeySize = 40
     subject = CN=www.uoss.ups.com, OU=Customer Automation, O=United
Parcel Service, L=Mahwah, ST=New Jersey, C=US
01/20/2004 Connection successful.
01/20/2004 Connect: Unlocked.
01/20/2004 Sending HTTP request...

Fares Rihani

-----Original Message-----
From: Michael Weber [mailto:mweber@xxxxxxxxxxxx]
Sent: Tuesday, January 20, 2004 12:52 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: UPS Worldship



I am running that version, and that is the article I followed.

The only other weird thing that is happening is that when I try to
access https://www.uoss.ups.com/ from IE I sometimes get a 403 error,
sometimes I get the login screen, and sometimes I get an internal UPS
website error ("A recursive error was detected").  It seems to me that I
should never get an error if I just try to access the site from a web
browser.

Michael Weber

-----Original Message-----
From: Fares Rihani (Personal) [mailto:Fares@xxxxxxxxxx] 
Sent: Tuesday, January 20, 2004 12:36 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: UPS Worldship


Michael,

Make sure you are running the latest version. I have no problems running
under 5.0.37.  I had connection problems before upgrading so it is worth
a shot.  

Here is the article for direct connection that I used.  
http://www.isaserver.org/tutorials/Configuring_Web_Proxy_Clients_for_Direct_Access.html

Is that how you configured your setup?

Fares Rihani



-----Original Message-----
From: Michael Weber [mailto:mweber@xxxxxxxxxxxx]
Sent: Tuesday, January 20, 2004 12:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: UPS Worldship



I do have the direct connection in UPS enabled, and I have tried it with a
proxy and without.  With the proxy enabled, I still get the "Peer's
certificate has an invalid signature" error.  It just occurs after a
connection to the proxy server is made.  The entry in the web proxy ISA
log says that it made the connection; however, it returns a 64 error code
(The specified network name is no longer available).

Michael Weber


192.168.0.26, anonymous, ICCTest_http/1.0, N, 1/20/2004, 12:02:26,
w3proxy, <server>, -, www.uoss.ups.com, 153.2.73.100, 443, 0, 52, 1752,
SSL-tunnel, TCP, -, www.uoss.ups.com:443, -, Inet, 64, 0x0, Internal
access, Allow rule

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
mweber@xxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')
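
Added example (not part of any poster's message, and not ISA Server's own tooling): a Python sketch of the log check described in the thread, listing which clients still send SSL-tunnel requests through the web proxy and whether any result code falls outside the 64/995 pair called normal above. The field labels are assumptions assigned by position to the quoted log line, and all sample lines except the first are constructed.

```python
import csv
from collections import Counter

# Field labels are assumptions assigned by position to the 25 comma-separated
# values in the log line quoted in the thread; they are not taken from the page.
FIELDS = ["client_ip", "username", "agent", "authenticated", "date", "time",
          "service", "server", "referrer", "dest_host", "dest_ip", "dest_port",
          "proc_time", "bytes_sent", "bytes_recv", "protocol", "transport",
          "operation", "object", "mime", "source", "result", "cache_info",
          "rule1", "rule2"]

# Result codes the thread calls normal for SSL tunnels (Win32 error numbers).
TUNNEL_NORMAL = {"64", "995"}

# Constructed sample: line 1 is the entry from the thread, the others are made up.
SAMPLE_LOG = """\
192.168.0.26, anonymous, ICCTest_http/1.0, N, 1/20/2004, 12:02:26, w3proxy, <server>, -, www.uoss.ups.com, 153.2.73.100, 443, 0, 52, 1752, SSL-tunnel, TCP, -, www.uoss.ups.com:443, -, Inet, 64, 0x0, Internal access, Allow rule
192.168.0.26, anonymous, Mozilla/4.0, N, 1/20/2004, 12:03:10, w3proxy, <server>, -, www.example.com, 192.0.2.10, 80, 15, 310, 4096, http, TCP, GET, http://www.example.com/, text/html, Inet, 200, 0x0, Internal access, Allow rule
192.168.0.31, anonymous, Mozilla/4.0, N, 1/20/2004, 12:04:55, w3proxy, <server>, -, www.uoss.ups.com, 153.2.73.100, 443, 0, 60, 2100, SSL-tunnel, TCP, -, www.uoss.ups.com:443, -, Inet, 995, 0x0, Internal access, Allow rule
"""

def parse(text):
    """Yield one dict per well-formed line; skip comments and short lines."""
    rows = csv.reader(text.splitlines(), skipinitialspace=True)
    for row in rows:
        if len(row) == len(FIELDS) and not row[0].startswith("#"):
            yield dict(zip(FIELDS, (v.strip() for v in row)))

def proxy_tunnels(text, host_suffix):
    """Count SSL-tunnel entries per (client, agent) for hosts ending in host_suffix.

    Any hit means that client is still sending CONNECT requests to the web proxy.
    The second counter holds result codes outside TUNNEL_NORMAL.
    """
    seen, odd = Counter(), Counter()
    for e in parse(text):
        if e["protocol"] != "SSL-tunnel" or not e["dest_host"].endswith(host_suffix):
            continue
        seen[(e["client_ip"], e["agent"])] += 1
        if e["result"] not in TUNNEL_NORMAL:
            odd[e["result"]] += 1
    return seen, odd

if __name__ == "__main__":
    seen, odd = proxy_tunnels(SAMPLE_LOG, "ups.com")
    for (ip, agent), n in seen.items():
        print(f"{ip} {agent}: {n} tunnel request(s) via web proxy")
    print("unexpected result codes:", dict(odd) or "none")
```

An empty first counter after removing the proxy settings from the application means its traffic has left the web proxy path, so the firewall log is the next place to look.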
