[isapros] Re: Fw: Re: Web Filter with HTTPS

  • From: "Thor \(Hammer of God\)" <thor@xxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 20 Jun 2007 15:18:03 -0700

"You r-click the rule and select 'configure HTTP'".

Exactly. But you are not reading my question in its entirety. These points stand on their own:

1) The only way to allow outbound HTTPS that works is to uncheck "Web Filter" from the protocol definition of HTTPS. Tested, repeatable. 2) When I create the listener and select SSL, the only protocol that is selected for rule under Traffic (or protocol in the rule list) is HTTPS. 3) When you right click on the rule, you *cannot select "Configure HTTP" because it's not there.* It's not there because of point #1.

This speaks directly to posts from you guys where you say things like "to get RPC to work, you must configure the HTTP filter properties of the rule to allow RPC_DATA_IN and RPC_DATA_OUT. Logic dictates that if you are correct in that "binding" the Web Filter to HTTPS breaks outbound HTTPS, then one cannot possibly configure the HTTP filter properties for the rule when only using SSL.

I'm not overcomplicating- I saying something is poo poo here.

t



----- Original Message ----- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Wednesday, June 20, 2007 3:03 PM
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS


You're overcomplicating it.

Web Publishing requires a web listener, and these are handled by the Web
Proxy filter.
You never "choose" the protocol for web publishing except that you
define the listening ports as "SSL" and "HTTP" (non-SSL).  In this way,
you merely advise the Web proxy filter which "side" of the listener
should handle SSL exchanges.
Regardless of which "side" of the listener accepts the traffic, only
HTTP is valid (SMTPS would fail).

Since the HTTP Filter is bound to the Web Proxy filter (as are all Web
Filters), HTTP Filter properties are built-in to any web publishing
rule.  You r-click the rule and select "configure HTTP".


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Wednesday, June 20, 2007 2:52 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS

We're all pendants here ;)

Here is my specific question then:

I want to publish HTTPS ie OWA for RPC and HTTPS.  I obviously need to
configure the HTTP Filter properties.  If I have the Web Filter bound to

HTTPS (iow, selected in the available filters under the protocl config)
then
ALL outbound HTTPS traffic breaks.  Therefore, one has to un-bind the
Web
Filter from HTTPS for outbound to work (on this install).

Ergo, since the Web Filter is not bound to the HTTPS protocol (in order
for
outbound to work), there is no way to select "Configure HTTP" from the
properties of the web publishing rule.

FromwhenthouNowThinketh, WTF is the deal on what properties of the
filter
are applied?  See what I mean??

t

----- Original Message ----- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Wednesday, June 20, 2007 2:31 PM
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS


Not to be pedantic, but the published traffic being handled by the web
proxy isn't "HTTPS", it's "HTTP inside SSL" and ISA handles each layer
separately.  By the time the web proxy is evaluating the HTTP traffic,
SSL is no longer a factor and it gets treated just like "plain old"
HTTP
traffic.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Wednesday, June 20, 2007 2:26 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS

Then how do you configure the HTTP filtering on web pub rules if the
Web

Filter is not bound to HTTPS?

t
----- Original Message ----- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Wednesday, June 20, 2007 2:24 PM
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS


Sorta..
if it's a web pub rule, then the web proxy is already involved and no
"protocol binding" is required.
If it's a server pub rule, then ISA is effectively blind to the
traffic
anyway.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Wednesday, June 20, 2007 2:05 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Fw: Re: Web Filter with HTTPS

OK, so you are saying that if I unbind the Web Filter from HTTPS, and
create
a pub rule for HTTPS, then the filter will still be used for the Pub
rule?

t


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Wednesday, June 20, 2007 5:43 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Web Filter with HTTPS

The web filter is the part that expects to watch the HTTP traffic as
it
flows through ISA.
With the exception of web publishing, HTTPS traffic is effectively
invisible to ISA and therefore any policies enacted via the web
filter
(think HTTP Filter, too) cannot be applied and ISA will default to
"when
in doubt, trash it" mode.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Wednesday, June 20, 2007 1:15 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Web Filter with HTTPS

Just a sanity check here... why would all HTTPS traffic fail if the
Web
Filter was bound to the HTTPS protocol?

t

All mail to and from this domain is GFI-scanned.




All mail to and from this domain is GFI-scanned.





All mail to and from this domain is GFI-scanned.





All mail to and from this domain is GFI-scanned.




Other related posts: