Hi Michael, http://news.zdnet.co.uk/internet/security/0,39020375,39118994,00.htm HTH, Tom -----Original Message----- From: Michael Weber [mailto:mweber@xxxxxxxxxxxx] Sent: Wednesday, January 21, 2004 9:14 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: UPS Worldship http://www.ISAserver.org I'm not aware of the Verisign intermd CA problem. Could you please explain, or give me some information about how to correct the problem? I am not using DSL PPPoE, and the 403 problems from the web browser don't seem to be a problem. It should work even with those responses (from IE). Michael Weber Director of Engineering XT Racing 1065B Nine North Dr Alpharetta, GA 30004 Phone: 770-992-3795 Fax: 678-990-7920 -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: Tuesday, January 20, 2004 7:09 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: UPS Worldship http://www.ISAserver.org Hi Michael, You're correct that Direct Access is probably required. Could you be dealing with the Verisign intermd CA problem? Thanks! Tom From: Michael Weber [mailto:mweber@xxxxxxxxxxxx] Sent: Tuesday, January 20, 2004 10:39 AM To: [ISAserver.org Discussion List] Subject: [isalist] UPS Worldship http://www.ISAserver.org Hi all, I know that this has been reviewed before; however, I still cannot connect with the UPS Worldship software through my ISA Server. I'm not an expert on ISA but I think I have set up everything correctly for the software to have direct access to www.uoss.ups.com. And when I examine the ISA logs I don't get an entry in the web proxy file, and I do get one in the Firewall log. The firewall log file and the ups trace file are given below, hopefully, somebody can see something that will help me out. I have connected successfully with Worldship on a computer without ISA. The only difference in the log files is that I don't get the "Peer's certificate has an invalid signature" error on the SSL_ForceHandshake, and everything connects correctly. My only guess is that ISA is still somehow messing with the SSL certificate, but I don't know why. Thanks, Michael Weber mweber@xxxxxxxxxxxx --------------------------------- FIREWALL log --------------------------------- 192.168.0.26, <user>, getHostIP.exe:3:5.1, N, 1/20/2004, 11:21:23, fwsrv, XTSERVER, -, www.uoss.ups.com, 153.2.72.100, 0, -, 0, 0, -, -, GHBN, -, -, -, 0, 0, -, Allow rule, 39, 0 192.168.0.26, <user>, ShipUps.exe:3:5.1, N, 1/20/2004, 11:21:23, fwsrv, XTSERVER, -, -, 153.2.72.100, 443, 31, 0, 0, 443, TCP, Connect, -, -, -, 0, 0, Internal access, Allow rule, 31, 109 192.168.0.26, <user>, ShipUps.exe:3:5.1, N, 1/20/2004, 11:21:23, fwsrv, XTSERVER, -, -, 153.2.72.100, 443, 94, 52, 1752, 443, TCP, Connect, -, -, -, 20000, 0, Internal access, Allow rule, 31, 109 --------------------------------- UPS log --------------------------------- Transact Version 2.0.12.0 NSS 2.7.1 Thread 1764 01/20/2004 11:15:34.944 appMsgId=TNT_REQ clientType=1 nPort=443 dwFlags=1 01/20/2004 11:15:34.944 reqInfoLen=251 reqAppDataLen=0 rcvTimeout=120, SndTimeout=30,DNSTimeout=5 01/20/2004 11:15:34.944 Connect: locked. 01/20/2004 11:15:34.944 Socket SetUp entered. 01/20/2004 11:15:34.944 Initializing NSS. 01/20/2004 11:15:34.944 Verifying security databases located at C:\WINDOWS\System32. 01/20/2004 11:15:34.991 SSL_ClearSessionCache completed. 01/20/2004 11:15:34.991 Connecting to : www.uoss.ups.com at port 443 01/20/2004 11:15:34.991 certdir = (C:\WINDOWS\System32) 01/20/2004 11:15:34.991 pszCommandLine = (www.uoss.ups.com 443 C:\WINDOWS\System32 99 GetHostIP1764.dat) ; pszImageModule = (C:\WINDOWS\System32/getHostIP.exe). 01/20/2004 11:15:35.412 Process getHostIP Successfully. 01/20/2004 11:15:35.412 PR_GetHostByName() succeed. 01/20/2004 11:15:35.412 Host IP address = (153.2.72.100) 01/20/2004 11:15:35.553 Error in function SSL_ForceHandshake: -8182 - Peer's certificate has an invalid signature. 01/20/2004 11:15:35.553 Connect: Unlocked. 01/20/2004 11:15:35.553 Total Elapsed Time=640,Time to process transaction=0,Time to resolve HOST IP =421,Time to make connection to HOST=484,Time to make handsake=78,Time to send HTTP request=0,Time to wait for HOST response=0,Time to receiving response message=0 01/20/2004 11:15:35.553 Transact API exited with return code 610, status code 3010. Elapsed time = 0:01 ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: mweber@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')