[isapros] Re: Fw: Re: Web Filter with HTTPS

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 20 Jun 2007 15:48:00 -0700

Actually, I am, but the answers I provide are sliding around you....
CIL...

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Wednesday, June 20, 2007 3:18 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS

"You r-click the rule and select 'configure HTTP'".

Exactly.  But you are not reading my question in its entirety.  These
points stand on their own:

1) The only way to allow outbound HTTPS that works is to uncheck "Web 
Filter" from the protocol definition of HTTPS.  Tested, repeatable.
[Jim] - This is non-functional for the reasons I outlined below.  ISA
can't "see" HTTP traffic through an access rule which handles HTTPS, so
you can't configure HTTP filtering.  If you attempt to bind a filter to
an encrypted protocol, you're creating a failure state.

2) When I create the listener and select SSL, the only protocol that is 
selected for rule under Traffic (or protocol in the rule list) is HTTPS.
[Jim] - the only reason a "protocol" is listed is for the "silly human
operating the machine".  Regardless of whether the listener accepts
encrapted or plain-text traffic, HTTP is the only protocol supported by
a web listener.

3) When you right click on the rule, you *cannot select "Configure HTTP"
because it's not there.*  It's not there because of point #1.
[Jim] - I just tested this on my ISA server and I have this option.  Are
you sure you're not r-clicking the listener itself?  Wanna gimme TS to
your machine (offline o'course)?

This speaks directly to posts from you guys where you say things like
"to get RPC to work, you must configure the HTTP filter properties of the
rule to allow RPC_DATA_IN and RPC_DATA_OUT."  Logic dictates that if you are
correct in that "binding" the Web Filter to HTTPS breaks outbound HTTPS,
then one cannot possibly configure the HTTP filter properties for the
rule when only using SSL.
[Jim] - again; comparing access rules to web publishing rules is a good
way to lose that mane of yours.  This logic is false because it ignores
the mechanisms involved.  BTW, defining RPC_x_DATA in the HTTP Filter
doesn't "enable" RPC/HTTP, it only serves to restrict the HTTP methods
that are accepted by the web publishing rule.

I'm not overcomplicating- I'm saying something is poo poo here.
[Jim] - agreed,  but I'm leaning towards PICNIC...

t



----- Original Message ----- 
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Wednesday, June 20, 2007 3:03 PM
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS


> You're overcomplicating it.
>
> Web Publishing requires a web listener, and these are handled by the Web
> Proxy filter.
> You never "choose" the protocol for web publishing except that you
> define the listening ports as "SSL" and "HTTP" (non-SSL).  In this way,
> you merely advise the Web proxy filter which "side" of the listener
> should handle SSL exchanges.
> Regardless of which "side" of the listener accepts the traffic, only
> HTTP is valid (SMTPS would fail).
>
> Since the HTTP Filter is bound to the Web Proxy filter (as are all Web
> Filters), HTTP Filter properties are built-in to any web publishing
> rule.  You r-click the rule and select "configure HTTP".
>
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thor (Hammer of God)
> Sent: Wednesday, June 20, 2007 2:52 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
> We're all pendants here ;)
>
> Here is my specific question then:
>
> I want to publish HTTPS ie OWA for RPC and HTTPS.  I obviously need to
> configure the HTTP Filter properties.  If I have the Web Filter bound to
> HTTPS (iow, selected in the available filters under the protocol config)
> then ALL outbound HTTPS traffic breaks.  Therefore, one has to un-bind the
> Web Filter from HTTPS for outbound to work (on this install).
>
> Ergo, since the Web Filter is not bound to the HTTPS protocol (in order
> for outbound to work), there is no way to select "Configure HTTP" from the
> properties of the web publishing rule.
>
> FromwhenthouNowThinketh, WTF is the deal on what properties of the
> filter are applied?  See what I mean??
>
> t
>
> ----- Original Message ----- 
> From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> To: <isapros@xxxxxxxxxxxxx>
> Sent: Wednesday, June 20, 2007 2:31 PM
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
>
>> Not to be pedantic, but the published traffic being handled by the web
>> proxy isn't "HTTPS", it's "HTTP inside SSL" and ISA handles each layer
>> separately.  By the time the web proxy is evaluating the HTTP traffic,
>> SSL is no longer a factor and it gets treated just like "plain old" HTTP
>> traffic.
>>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Thor (Hammer of God)
>> Sent: Wednesday, June 20, 2007 2:26 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>>
>> Then how do you configure the HTTP filtering on web pub rules if the Web
>> Filter is not bound to HTTPS?
>>
>> t
>> ----- Original Message ----- 
>> From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
>> To: <isapros@xxxxxxxxxxxxx>
>> Sent: Wednesday, June 20, 2007 2:24 PM
>> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>>
>>
>>> Sorta..
>>> if it's a web pub rule, then the web proxy is already involved and no
>>> "protocol binding" is required.
>>> If it's a server pub rule, then ISA is effectively blind to the traffic
>>> anyway.
>>>
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>>> On Behalf Of Thor (Hammer of God)
>>> Sent: Wednesday, June 20, 2007 2:05 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Fw: Re: Web Filter with HTTPS
>>>
>>> OK, so you are saying that if I unbind the Web Filter from HTTPS, and
>>> create a pub rule for HTTPS, then the filter will still be used for the Pub
>>> rule?
>>>
>>> t
>>>
>>>
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>>> On Behalf Of Jim Harrison
>>> Sent: Wednesday, June 20, 2007 5:43 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Re: Web Filter with HTTPS
>>>
>>> The web filter is the part that expects to watch the HTTP traffic as it
>>> flows through ISA.
>>> With the exception of web publishing, HTTPS traffic is effectively
>>> invisible to ISA and therefore any policies enacted via the web filter
>>> (think HTTP Filter, too) cannot be applied and ISA will default to "when
>>> in doubt, trash it" mode.
>>>
>>> -----Original Message-----
>>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>>> On Behalf Of Thor (Hammer of God)
>>> Sent: Wednesday, June 20, 2007 1:15 PM
>>> To: isapros@xxxxxxxxxxxxx
>>> Subject: [isapros] Web Filter with HTTPS
>>>
>>> Just a sanity check here... why would all HTTPS traffic fail if the Web
>>> Filter was bound to the HTTPS protocol?
>>>
>>> t
>>>
>>> All mail to and from this domain is GFI-scanned.