"..and the horses, they go round and round..." MCIL... -----Original Message----- From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God) Sent: Wednesday, June 20, 2007 5:23 PM To: isapros@xxxxxxxxxxxxx Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS Sorry all-- I had to complete building a crate for a rack system I'm shipping out... back to the grind: CIL ----- Original Message ----- From: "Jim Harrison" <Jim@xxxxxxxxxxxx> To: <isapros@xxxxxxxxxxxxx> Sent: Wednesday, June 20, 2007 3:48 PM Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS > Actually, I am, but the answers I provide are sliding around you.... > CIL... > > [Jim] - the only reason a "protocol" is listed is for the "silly human > operating the machine". Regardless of whether the listener accepts > encrapted or plain-text traffic, HTTP is the only protocol supported by > a web listener. But that protocol is either HTTP or HTTPS. [Jim] - no; the "protocol" displayed is just for the "stopidhuman"; ISA deals with them both the same except for the SSSL session required for HTTPS. Do this, applying changes as necessary: 1) right click on HTTP in Protocols. In "Parameters" ensure "Web Filter" is checked in "Application Filters." 2) right click on HTTPS in Protocols. In "Parameters" ensure "Web Filter" is NOT checked in "Application Filters." 3) Create listeners for HTTP and for SSL (80 and 443) respectively. 4) Create web publishing rules for each listener, one for HTTP, one for HTTPS 5) Right-click on the HTTP pub rule- you can select "Configure HTTP" 6) Right-click on the HTTPS pub rule- you *can not* select "Configure HTTP" 7) Go back HTTPS Protocol, and now check "Web Filter" in "Application Filters" 8) Right-click on the HTTPS pub rule- you can now select "Configure HTTP" [Jim] - your machine is bursted - I do not see this behavior at all. 
> > 3) When you right click on the rule, you *cannot select "Configure HTTP"
> > because it's not there.* It's not there because of point #1.
> [Jim] - I just tested this on my ISA server and I have this option. Are
> you sure you're not r-clicking the listener itself? Wanna gimme TS to
> your machine (offline o'course)?

Sure. The whole point is that something is janked up with the Web Filter and HTTPS.

[jim] - nope - something is off for your server. Gimme TS.

> [Jim] - again; comparing access rules to web publishing rules is a good
> way to lose that mane of yours. This logic is false because it ignores
> the mechanisms involved. BTW, defining RPC_x_DATA in the HTTP Filter
> doesn't "enable" RPC/HTTP, it only serves to restrict the HTTP methods
> that are accepted by the web publishing rule.

But you can't do that if "Web Filter" is not checked in the HTTPS protocol. That's the whole point.

[Jim] - can2; can2; so there.

> > I'm not overcomplicating- I'm saying something is poo poo here.
> [Jim] - agreed, but I'm leaning towards PICNIC...

So, bottom line is that you probably have Web Filter bound to HTTPS, and your HTTPS outbound *still works*.

[Jim] - nope; that can't work. That is the first thing I asked for folks to verify.

If you have to clear "Web Filter" for HTTPS outbound to work, then by definition of the protocol, you cannot have HTTP filters, which depend upon the Web Filter "application filter" to work, for inbound HTTPS rules.

t