[isalist] Re: Where does Port 443 go?

  • From: Steven Comeau <scomeau@xxxxxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 27 Mar 2009 09:32:29 -0400

Thanks for the clarification....  I think my rickety bridge of understanding 
now has all the floorboards.

Steve Comeau
Associate Director of IT
Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ  08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Friday, March 27, 2009 9:30 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Where does Port 443 go?

Actually, Windows handles this, and you configured Windows to limit the 
ciphers, but the end result is the same.
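Jim's point is that the TLS endpoint the scanner talks to is Windows Schannel on the ISA host, so the SSL 2.0 and cipher settings have to land there, not on the Exchange server behind it. The following is an added example, not code from this list, from Microsoft or from ISA: it renders the Schannel settings as a regedit-importable .reg file for the ISA host and audits a set of current values. The registry paths are Microsoft's documented Schannel locations (KB 245030 / KB 187498); which ciphers to disable (the export-grade and 56-bit kinds plus NULL) is an assumption about what a PCI scanner flags, so match the list to the actual scan report. An absent Enabled value means "enabled" on the Windows Server 2003 that ISA 2006 runs on, which is why the audit treats a missing key as a finding.

```python
"""Schannel hardening for the host that actually terminates TLS (the ISA listener).

Added example, not code from the thread. Registry paths are the documented Schannel
locations (KB 245030 / KB 187498); the cipher list is an assumption about what the
PCI scanner flags as weak, so adjust it to the report.
"""
from typing import Dict, List, Optional, Tuple

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

# (subkey under SCHANNEL, desired Enabled value). 0 disables.
# The Server side is what an external scanner sees; the Client side is what ISA
# itself offers when it bridges to Exchange.
DESIRED: List[Tuple[str, int]] = [
    (r"Protocols\SSL 2.0\Server", 0),
    (r"Protocols\SSL 2.0\Client", 0),
    (r"Ciphers\RC4 40/128", 0),
    (r"Ciphers\RC4 56/128", 0),
    (r"Ciphers\RC2 40/128", 0),
    (r"Ciphers\RC2 56/128", 0),
    (r"Ciphers\DES 56/56", 0),
    (r"Ciphers\NULL", 0),
]

# Windows Server 2003 default when the value is absent: SSL 2.0 and these ciphers are ON.
DEFAULT_WHEN_MISSING = 1


def audit(current: Dict[str, Optional[int]]) -> List[str]:
    """Return the subkeys that are still enabled.

    `current` maps subkey -> Enabled value, with None meaning the key or value does
    not exist (so the Windows default applies). 0xffffffff is how Server 2003
    spells "enabled" for a cipher, so anything other than 0 counts as enabled.
    """
    findings = []
    for subkey, wanted in DESIRED:
        value = current.get(subkey)
        effective = DEFAULT_WHEN_MISSING if value is None else value
        if effective != wanted:
            findings.append(subkey)
    return findings


def render_reg() -> str:
    """Produce a .reg file (regedit import format) that applies DESIRED."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for subkey, wanted in DESIRED:
        lines.append(f"[{SCHANNEL}\\{subkey}]")
        lines.append(f'"Enabled"=dword:{wanted:08x}')
        lines.append("")
    return "\r\n".join(lines)


def read_current_from_registry() -> Dict[str, Optional[int]]:
    """Windows only: read the live values so audit() can run on the ISA host itself."""
    import winreg  # stdlib module that exists only on Windows
    root = r"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
    current: Dict[str, Optional[int]] = {}
    for subkey, _ in DESIRED:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root + "\\" + subkey) as key:
                current[subkey] = winreg.QueryValueEx(key, "Enabled")[0]
        except OSError:
            current[subkey] = None
    return current


if __name__ == "__main__":
    import sys
    if sys.platform == "win32":
        print("still enabled:", audit(read_current_from_registry()))
    else:
        print(render_reg())
```

Import the .reg on the ISA server and reboot; Schannel picks these values up at start, and a scan run before the restart will still report SSL 2.0. Disabling SSL 2.0 under Client as well stops ISA's own bridged connection to Exchange from offering it. Confirm with the external scanner afterwards rather than trusting the registry alone, since that is the vantage point the PCI finding was raised from.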

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Friday, March 27, 2009 6:16 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Where does Port 443 go?

I see now... ISA is handshaking with the client, so that is why I needed to 
configure ISA to only allow certain handshakes, as it were...

Thank you!


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Thursday, March 26, 2009 8:48 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Where does Port 443 go?

The cert warning is generated by the client, not ISA, and this happens before 
the client issues the HTTP request.
Once the client finishes the SSL handshake, it can issue an HTTP request, and 
ISA will (must) process it.
ISA will then respond according to how you configured it.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Thursday, March 26, 2009 7:25 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Where does Port 443 go?

Ok, this makes more sense.  ISA is handling the requests before passing them on 
to our Exchange server.  What I meant by getting "in" is that if there was 
nothing listening on port 443 on that IP, nothing would process the request.  
However, with ISA and Web Listeners, if the URL wasn't being matched, why would 
the cert warning come up - shouldn't it just be refused (403)?  But it appears 
that is not the case. Once 443 is used, ISA will process a request no matter 
what URL is requested.  If there were different Certs for different URLs on 
the same IP, I wonder which Cert it would use (i.e. a different Cert for 
Webmail versus ActiveSync)?

The Port Scanner is checking the SSL handshakes, cipher strengths, etc.  You 
can check out a website here: http://www.serversniff.net/content.php?do=ssl.  
After making the registry changes on ISA, I was able to see only the proper SSL 
and cipher strengths I needed.  I think we will pass PCI compliance now.

Sorry to not be deeply technical here, I'm just trying to process this in 
language I can understand.  Thanks for all the help and patience.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Wednesday, March 25, 2009 7:23 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Where does Port 443 go?

You're not getting "in", and "accessing 443" is as close as you can get to 
irrelevant for this question.
You need to understand:
1. exactly what the scan is doing
2. exactly what "regedits" you wrought and what you based them on

Here's what has to happen for your scenario (somewhat summarized):

Client --> ISA: connect to TCP:443
Client --> ISA: SSL "ClientHello" message
ISA --> Client: SSL "ServerHello" message *including the server certificate*
Client            : validate server certificate - *this is where you get 
"invalid certificate" errors*
Client --> ISA: complete SSL handshake
Client --> ISA: GET /abs_path?querystring HTTP/1.x ("host" header includes 
hostname from URL)
ISA               : compare "host" header to "public names"; send 403 FOAD 
response if fails to match

JimmyJoeBobAlooba
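To make item 1 above concrete: what the scanner does is open TCP 443, send an SSL 2.0 CLIENT-HELLO and see whether a SERVER-HELLO comes back. The "public names" comparison in the flow happens only after a completed handshake and an HTTP request, so a scanner always gets through the handshake regardless of what the publishing rule allows. The code below is an added example, not from this thread, from ISA or from any scanner product: it builds the SSLv2 hello and classifies the reply, and separately completes a TLS handshake with certificate validation deliberately turned off (the scripted version of clicking past the warning), sends a GET with a chosen Host header and returns the status, which is where the 403 shows up. The two SAMPLE_ responses are constructed for the offline check, not captured traffic. Point the live probes only at listeners you are responsible for.

```python
"""Probe what a PCI scanner sees on an ISA web listener.

Added example, not code from the thread or from any scanner product. The SSLv2 layouts
follow the SSL 2.0 draft; the two SAMPLE_* responses at the bottom are constructed.
"""
import os
import socket
import ssl
import struct
from typing import Dict, Optional

# 3-byte CIPHER-KIND values from the SSL 2.0 specification.
SSLV2_CIPHERS: Dict[bytes, str] = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_sslv2_client_hello(challenge: Optional[bytes] = None) -> bytes:
    """CLIENT-HELLO: 2-byte header (high bit set, 15-bit length), msg-type 1, version
    0x0002, cipher-specs-len, session-id-len, challenge-len, cipher specs, challenge."""
    challenge = challenge if challenge is not None else os.urandom(16)
    specs = b"".join(SSLV2_CIPHERS)
    body = b"\x01\x00\x02" + struct.pack(">HHH", len(specs), 0, len(challenge)) + specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_sslv2_server_hello(data: bytes) -> Optional[dict]:
    """Return {'version', 'cipher_specs'} if data is an SSLv2 SERVER-HELLO, else None."""
    if len(data) < 13 or not data[0] & 0x80 or data[2] != 0x04:
        return None
    # after the header: msg-type(1) session-id-hit(1) cert-type(1) version(2)
    # cert-len(2) cipher-specs-len(2) conn-id-len(2) cert cipher-specs conn-id
    version, cert_len, specs_len, _ = struct.unpack(">HHHH", data[5:13])
    specs = data[13 + cert_len:13 + cert_len + specs_len]
    kinds = [specs[i:i + 3] for i in range(0, len(specs), 3)]
    return {"version": version, "cipher_specs": [SSLV2_CIPHERS.get(k, k.hex()) for k in kinds]}


def classify_sslv2_response(data: bytes) -> str:
    """What the scanner concludes from the first bytes the listener sends back."""
    if not data:
        return "closed"        # connection dropped: SSLv2 not offered
    if len(data) >= 2 and data[0] == 0x15 and data[1] == 0x03:
        return "tls-alert"     # TLS alert record: the listener speaks SSLv3/TLS only
    if parse_sslv2_server_hello(data):
        return "sslv2"         # SERVER-HELLO came back: this is the scanner's finding
    return "unknown"


def parse_status_line(resp: bytes) -> Optional[int]:
    """HTTP status code from a raw response, or None when it is not HTTP."""
    first = resp.split(b"\r\n", 1)[0].split(b" ")
    return int(first[1]) if len(first) >= 2 and first[0].startswith(b"HTTP/") else None


def probe_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check: send the SSLv2 CLIENT-HELLO and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv2_client_hello())
        try:
            return classify_sslv2_response(s.recv(4096))
        except (ConnectionResetError, socket.timeout):
            return "closed"


def probe_host_header(host: str, host_header: str, port: int = 443, timeout: float = 5.0) -> Optional[int]:
    """Live check: finish a TLS handshake with the certificate deliberately NOT validated
    (the scripted version of clicking past the warning), send a GET carrying host_header,
    return the status. A listener publishing only named hosts answers 403 to a stray name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode is lowered
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw, ctx.wrap_socket(raw) as tls:
        tls.sendall(f"GET / HTTP/1.1\r\nHost: {host_header}\r\nConnection: close\r\n\r\n".encode())
        resp = b""
        while chunk := tls.recv(4096):
            resp += chunk
        return parse_status_line(resp)


# Constructed samples for the offline check; not captured from any server.
SAMPLE_SSLV2_SERVER_HELLO = (
    b"\x80\x26"                        # header: 38-byte body follows
    + b"\x04\x00\x01\x00\x02"          # SERVER-HELLO, no session hit, X.509, version 2
    + struct.pack(">HHH", 5, 6, 16)    # cert-len, cipher-specs-len, conn-id-len
    + b"\x30\x03\x02\x01\x01"          # stand-in for the certificate bytes
    + b"\x01\x00\x80\x07\x00\xc0"      # RC4-128-MD5 and 3DES-MD5 offered
    + b"\x00" * 16                     # connection id
)
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"   # fatal handshake_failure
```

Run probe_sslv2 against the listener IP: "sslv2" is exactly the finding in the scan report, and it is decided by the host that owns that IP, not by anything behind it. Run probe_host_header with the listener IP and a Host value that is not one of the rule's public names to see the 403 Jim describes, then with the real webmail name to see the request go through to Exchange.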
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of 
Steven Comeau [scomeau@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, March 25, 2009 3:00 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Where does Port 443 go?
So what is letting me "in" initially to get the Cert warning?  I am assuming 
ISA, and I assume it is the listener(s), but is there an ISA IIS replying to 
the 443 request?  I assume that there's got to be some security tightening for 
SSL on ISA to not allow V2 (or other weak Ciphers for that matter).

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steve Moffat
Sent: Wednesday, March 25, 2009 5:49 PM
To: ISA Mailing List
Subject: [isalist] Re: Where does Port 443 go?

That would be the 403... from ISA, not IIS.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Wednesday, March 25, 2009 6:20 PM
To: ISA Mailing List
Subject: [isalist] Re: Where does Port 443 go?

No /*.

If I https with the IP, I get the Cert warning (self signed cert so I get a 
warning).  If I go past the warning, I get the 403 Forbidden error.  What is 
letting me into the IP without a URL name?  Shouldn't ISA refuse the connection 
altogether (no cert warning) if I don't use the URL for webmail or ActiveSync 
access?

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steve Moffat
Sent: Wednesday, March 25, 2009 4:51 PM
To: ISA Mailing List
Subject: [isalist] Re: Where does Port 443 go?

ISA has no vulnerabilities unless you have configured it wrong. You don't have 
a /* in your publishing rule do you?

It's likely your scanner.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steven Comeau
Sent: Wednesday, March 25, 2009 4:30 PM
To: ISA Mailing List
Subject: [isalist] Where does Port 443 go?

We have our ISA 2006 Server set up for webmail & ActiveSync to our Exchange 2007 
server using a Listener.  However, when we do a vulnerability scan for PCI 
compliance, the IP for this listener on the ISA server is coming up with an SSL 
V2 vulnerability.  Now, I have done all the stuff (regedits) I need to do on 
the Exchange 2007 server to disable SSL V2, but I am still coming up with a 
vulnerability on a scan.

Could it be that when accessing Port 443 on the IP in question, the request is 
forwarded somewhere else when the Webmail/Activesync URL 
(mailserver.domain.com/owa) is not specified (i.e. not to the Exchange Server 
but the ISA IIS Server?).  I don't see anywhere else where Port 443 could be 
forwarded.  Any suggestions?

***  This message contains confidential information and is
intended only for the individual named. If you are not the
named addressee, you should not disseminate, distribute or
copy this e-mail. Please notify the sender immediately by
e-mail if you have received this e-mail by mistake and delete
this e-mail from your system. E-mail transmission cannot be
guaranteed to be secure or error-free as information could be
intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses.  The sender therefore does not
accept liability for any errors or omissions in the contents of
this message, which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version.
Rutgers University - DIA
83 Rockafeller Road
Piscataway, NJ 08854
www.scarletknights.com ***