That should say: "When you unbind the Web Proxy Filter from the HTTP protocol......." whoops.

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Wednesday, June 20, 2007 7:37 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS

No, you need to configure the HTTP Security Filter, and in order to configure the HTTP Security Filter, the Web Proxy Filter must be enabled. It's always enabled for Web listeners.

It can be unbound from the HTTP protocol, in which case the configuration interface for the HTTP Security Filter disappears, but your configuration changes remain intact.

When you unbind the Web proxy filter from the HTTPS protocol, no Web caching or filtering is done for Firewall clients or SecureNAT clients. Web proxy clients are always exposed to the Web proxy filter, even if you unbind it from the HTTP protocol.

How's that?

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________

From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
Sent: Wednesday, June 20, 2007 5:06 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS

If you're just publishing OWA and an RPC proxy over HTTPS, isn't any filter configuration automatically handled by ISA when running the Publish Mail Server wizard?

As I understood it, ISA knows that stuff inherently; no configuration necessary.

Cordially yours,
Jerry G. Young II
++ Sent from BlackBerry ++
Application Engineer
Platform Engineering and Architecture
NTT America, an NTT Communications Company
22451 Shaw Rd.
Sterling, VA 20166
Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx <isapros-bounce@xxxxxxxxxxxxx>
To: isapros@xxxxxxxxxxxxx <isapros@xxxxxxxxxxxxx>
Sent: Wed Jun 20 17:52:18 2007
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS

We're all pendants here ;)

Here is my specific question then:

I want to publish HTTPS, i.e. OWA for RPC and HTTPS. I obviously need to configure the HTTP Filter properties. If I have the Web Filter bound to HTTPS (iow, selected in the available filters under the protocol config) then ALL outbound HTTPS traffic breaks. Therefore, one has to un-bind the Web Filter from HTTPS for outbound to work (on this install).

Ergo, since the Web Filter is not bound to the HTTPS protocol (in order for outbound to work), there is no way to select "Configure HTTP" from the properties of the web publishing rule.

FromwhenthouNowThinketh, WTF is the deal on what properties of the filter are applied? See what I mean??

t

----- Original Message -----
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Wednesday, June 20, 2007 2:31 PM
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS

> Not to be pedantic, but the published traffic being handled by the web
> proxy isn't "HTTPS", it's "HTTP inside SSL" and ISA handles each layer
> separately. By the time the web proxy is evaluating the HTTP traffic,
> SSL is no longer a factor and it gets treated just like "plain old" HTTP
> traffic.
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thor (Hammer of God)
> Sent: Wednesday, June 20, 2007 2:26 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
> Then how do you configure the HTTP filtering on web pub rules if the Web
> Filter is not bound to HTTPS?
>
> t
>
> ----- Original Message -----
> From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> To: <isapros@xxxxxxxxxxxxx>
> Sent: Wednesday, June 20, 2007 2:24 PM
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
>> Sorta..
>> if it's a web pub rule, then the web proxy is already involved and no
>> "protocol binding" is required.
>> If it's a server pub rule, then ISA is effectively blind to the traffic
>> anyway.
>>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Thor (Hammer of God)
>> Sent: Wednesday, June 20, 2007 2:05 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Fw: Re: Web Filter with HTTPS
>>
>> OK, so you are saying that if I unbind the Web Filter from HTTPS, and
>> create a pub rule for HTTPS, then the filter will still be used for the
>> Pub rule?
>>
>> t
>>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Jim Harrison
>> Sent: Wednesday, June 20, 2007 5:43 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Web Filter with HTTPS
>>
>> The web filter is the part that expects to watch the HTTP traffic as it
>> flows through ISA.
>> With the exception of web publishing, HTTPS traffic is effectively
>> invisible to ISA and therefore any policies enacted via the web filter
>> (think HTTP Filter, too) cannot be applied and ISA will default to "when
>> in doubt, trash it" mode.
>>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> On Behalf Of Thor (Hammer of God)
>> Sent: Wednesday, June 20, 2007 1:15 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Web Filter with HTTPS
>>
>> Just a sanity check here... why would all HTTPS traffic fail if the Web
>> Filter was bound to the HTTPS protocol?
>>
>> t
>>
>> All mail to and from this domain is GFI-scanned.