Actually, Windows handles this, and you configured Windows for to limit the ciphers, but the end result is the same From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau Sent: Friday, March 27, 2009 6:16 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Where does Port 443 go? I see now.... ISA is handshaking with the Client, so that is why I needed to configure ISA to only allow certain handshakes, as it were... Thank you! Steve Comeau Associate Director of IT Rutgers Athletics 83 Rockafeller Road Piscataway, NJ 08854 732-445-7802 732-445-4623 (fax) www.scarletknights.com<http://www.scarletknights.com> [cid:image001.jpg@01C9AEA5.727F9310] From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Thursday, March 26, 2009 8:48 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Where does Port 443 go? The cert warning is generated by the client; not ISA and this happens before the client issues the HTTP request. Once the client finishes the SSL handshake, it can issue an HTTP request, and ISA will (must) process it. ISA will then respond according to how you configured it. From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau Sent: Thursday, March 26, 2009 7:25 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Where does Port 443 go? Ok, this makes more sense. ISA is handling the requests before it passes it on to our Exchange server. What I meant by getting "in" is that if there was nothing listening to port 443 on that IP, nothing would process the request. However, with ISA and Web Listeners, If the URL wasn't being matched, why would the cert warning come up - shouldn't it just be refused (403)? But it appears that is not the case. Once 443 is used, ISA will process a request no matter what the URL is requested. If there were different Certs for different URLs on the same IP, I wonder which Cert it would use (i.e. a different Cert for Webmail versus Activesync)? The Port Scanner is checking the SSL handshakes, cipher strengths, etc. You can check out a website here: http://www.serversniff.net/content.php?do=ssl. After making the registry changes on ISA, I was able to see only the proper SSL and cipher strengths I needed. I think we will pass PCI compliance now. Sorry to not be deeply technical here, I'm just trying to process this in language I can understand. Thanks for all the help and patience. Steve Comeau Associate Director of IT Rutgers Athletics 83 Rockafeller Road Piscataway, NJ 08854 732-445-7802 732-445-4623 (fax) www.scarletknights.com<http://www.scarletknights.com> [cid:image001.jpg@01C9AEA5.727F9310] From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Wednesday, March 25, 2009 7:23 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Where does Port 443 go? You're not getting "in" and "accessing 443" is as close as you can get to irrelevant for this question. need to understand: 1. exactly what the scan is doing 2. exactly what "regedits" you wrought and what you based them on Here's what has to happen for your scenario (somewhat summarized): Client --> ISA: connect to TCP:443 Client --> ISA: SSL "ClientHello" message ISA --> Client: SSL "ServerHello" message *including the server certificate* Client : validate server certificate - *this is where you get "invalid certificate" errors* Client --> ISA: complete SSL handshake Client --> ISA: GET /abs_path?querystring HTTP/1.x ("host" header includes hostname from URL) ISA : compare "host" header to "public names"; send 403 FOAD response if fails to match JimmyJoeBobAlooba ________________________________ From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau [scomeau@xxxxxxxxxxxxxxxxxx] Sent: Wednesday, March 25, 2009 3:00 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Where does Port 443 go? So what is letting me "in" initially to get the Cert warning? I am assuming ISA, and I assume it is the listener(s), but is there an ISA IIS replying to the 443 request? I assume that there's got to be some security tightening for SSL on ISA to not allow V2 (or other weak Ciphers for that matter). Steve Comeau Associate Director of IT Rutgers Athletics 83 Rockafeller Road Piscataway, NJ 08854 732-445-7802 732-445-4623 (fax) www.scarletknights.com<http://www.scarletknights.com> [cid:image001.jpg@01C9AEA5.727F9310] From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat Sent: Wednesday, March 25, 2009 5:49 PM To: ISA Mailing List Subject: [isalist] Re: Where does Port 443 go? That would be the 403...from ISA not IIS From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau Sent: Wednesday, March 25, 2009 6:20 PM To: ISA Mailing List Subject: [isalist] Re: Where does Port 443 go? No /*. If I https with the IP, I get the Cert warning (self signed cert so I get a warning). If I go past the warning, I get the 403 Forbidden error. What is letting me into the IP without a URL name? Shouldn't ISA refuse the connection altogether (no cert warning) if I don't use the URL for webmail or ActiveSync access? Steve Comeau Associate Director of IT Rutgers Athletics 83 Rockafeller Road Piscataway, NJ 08854 732-445-7802 732-445-4623 (fax) www.scarletknights.com<http://www.scarletknights.com> [cid:image001.jpg@01C9AEA5.727F9310] From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat Sent: Wednesday, March 25, 2009 4:51 PM To: ISA Mailing List Subject: [isalist] Re: Where does Port 443 go? ISA has no vulnerabilities unless you have configured it wrong. You don't have a /* in your publishing rule do you? It;s likely your scanner..... From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau Sent: Wednesday, March 25, 2009 4:30 PM To: ISA Mailing List Subject: [isalist] Where does Port 443 go? We have our ISA 2006 Server setup for webmail & ActiveSync to our Exchange 2007 server using a Listener. However, when we do a vulnerability scan for PCI compliance, the IP for this listener on the ISA server is coming up with an SSL V2 vulnerability. Now, I have done all the stuff (regedits) I need to do on the Exchange 2007 server to disable SSL V2, but I am still coming up with a vulnerability on a scan. Could it be that when accessing Port 443 on the IP in question, the request is forwarded somewhere else when the Webmail/Activesync URL (mailserver.domain.com/owa) is not specified (i.e. not to the Exchange Server but the ISA IIS Server?). I don't see anywhere else where Port 443 could be forwarded. Any suggestions? Steve Comeau Associate Director of IT Rutgers Athletics 83 Rockafeller Road Piscataway, NJ 08854 732-445-7802 732-445-4623 (fax) www.scarletknights.com<http://www.scarletknights.com> [cid:image001.jpg@01C9AEA5.727F9310] *** This message contains confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Rutgers University - DIA 83 Rockafeller Road Piscataway, NJ 08854 www.scarletknights.com *** *** This message contains confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Rutgers University - DIA 83 Rockafeller Road Piscataway, NJ 08854 www.scarletknights.com *** *** This message contains confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Rutgers University - DIA 83 Rockafeller Road Piscataway, NJ 08854 www.scarletknights.com *** *** This message contains confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Rutgers University - DIA 83 Rockafeller Road Piscataway, NJ 08854 www.scarletknights.com *** *** This message contains confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Rutgers University - DIA 83 Rockafeller Road Piscataway, NJ 08854 www.scarletknights.com ***