You're not getting "in" and "accessing 443" is as close as you can get to irrelevant for this question.

Need to understand:
1. exactly what the scan is doing
2. exactly what "regedits" you wrought and what you based them on

Here's what has to happen for your scenario (somewhat summarized):

Client --> ISA: connect to TCP:443
Client --> ISA: SSL "ClientHello" message
ISA --> Client: SSL "ServerHello" message *including the server certificate*
Client        : validate server certificate - *this is where you get "invalid certificate" errors*
Client --> ISA: complete SSL handshake
Client --> ISA: GET /abs_path?querystring HTTP/1.x ("host" header includes hostname from URL)
ISA           : compare "host" header to "public names"; send 403 FOAD response if fails to match

JimmyJoeBobAlooba

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau [scomeau@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, March 25, 2009 3:00 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Where does Port 443 go?

So what is letting me "in" initially to get the Cert warning? I am assuming ISA, and I assume it is the listener(s), but is there an ISA IIS replying to the 443 request?

I assume that there's got to be some security tightening for SSL on ISA to not allow V2 (or other weak Ciphers for that matter).

Steve Comeau
Associate Director of IT
Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
Sent: Wednesday, March 25, 2009 5:49 PM
To: ISA Mailing List
Subject: [isalist] Re: Where does Port 443 go?

That would be the 403...from ISA not IIS

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau
Sent: Wednesday, March 25, 2009 6:20 PM
To: ISA Mailing List
Subject: [isalist] Re: Where does Port 443 go?

No /*. If I https with the IP, I get the Cert warning (self signed cert so I get a warning). If I go past the warning, I get the 403 Forbidden error. What is letting me into the IP without a URL name? Shouldn't ISA refuse the connection altogether (no cert warning) if I don't use the URL for webmail or ActiveSync access?

Steve Comeau

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steve Moffat
Sent: Wednesday, March 25, 2009 4:51 PM
To: ISA Mailing List
Subject: [isalist] Re: Where does Port 443 go?

ISA has no vulnerabilities unless you have configured it wrong. You don't have a /* in your publishing rule do you? It's likely your scanner.....

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau
Sent: Wednesday, March 25, 2009 4:30 PM
To: ISA Mailing List
Subject: [isalist] Where does Port 443 go?

We have our ISA 2006 Server setup for webmail & ActiveSync to our Exchange 2007 server using a Listener. However, when we do a vulnerability scan for PCI compliance, the IP for this listener on the ISA server is coming up with an SSL V2 vulnerability. Now, I have done all the stuff (regedits) I need to do on the Exchange 2007 server to disable SSL V2, but I am still coming up with a vulnerability on a scan. Could it be that when accessing Port 443 on the IP in question, the request is forwarded somewhere else when the Webmail/ActiveSync URL (mailserver.domain.com/owa) is not specified (i.e. not to the Exchange Server but the ISA IIS Server?).

I don't see anywhere else where Port 443 could be forwarded. Any suggestions?

Steve Comeau

*** This message contains confidential information and is intended only for the individual named. If you are not the named addressee, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. Rutgers University - DIA 83 Rockafeller Road Piscataway, NJ 08854 www.scarletknights.com ***
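In the handshake laid out above, the SSL session terminates on the ISA listener, so the SCHANNEL protocol settings that a scan of the listener's IP sees are the ones on the ISA server, not the ones on Exchange. The following is an added PowerShell check (not from the thread and not part of ISA) that reads the local SCHANNEL registry state for the SSL 2.0 server side and reports whether it is disabled; the key path and the Enabled / DisabledByDefault value names are the standard SCHANNEL ones, and an absent key means the OS default applies.

```powershell
# Added example: report the server-side SSL 2.0 state of the local SCHANNEL configuration.
# Run on the ISA server that hosts the listener (and on Exchange, for comparison).
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelServerState {
    param([string]$Protocol)   # e.g. 'SSL 2.0'
    $key = Join-Path $base "$Protocol\Server"
    $enabled  = 'not set (OS default)'
    $disabled = 'not set'
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key
        if ($null -ne $p.Enabled)           { $enabled  = $p.Enabled }
        if ($null -ne $p.DisabledByDefault) { $disabled = $p.DisabledByDefault }
    }
    New-Object PSObject -Property @{
        Protocol          = $Protocol
        Enabled           = $enabled
        DisabledByDefault = $disabled
        # Only an explicit Enabled=0 counts as disabled; "not set" leaves the OS default in force.
        IsDisabled        = ($enabled -eq 0)
    }
}

$state = Get-SchannelServerState 'SSL 2.0'
$verdict = 'NOT disabled - scanner will still flag this listener'
if ($state.IsDisabled) { $verdict = 'disabled' }
'{0} Server: Enabled={1}  DisabledByDefault={2}  => {3}' -f `
    $state.Protocol, $state.Enabled, $state.DisabledByDefault, $verdict

# To disable SSL 2.0 server-side (SCHANNEL reads these values at boot, so restart afterwards):
#   New-Item -Path "$base\SSL 2.0\Server" -Force | Out-Null
#   Set-ItemProperty -Path "$base\SSL 2.0\Server" -Name Enabled -Value 0 -Type DWord
#   Set-ItemProperty -Path "$base\SSL 2.0\Server" -Name DisabledByDefault -Value 1 -Type DWord
```

Rerun the PCI scan against the listener IP after the restart; the 403 on a bare-IP request is expected ISA behaviour, but the SSL 2.0 finding should be gone once the listener host itself no longer offers it.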