[isapros] Re: Fw: Re: Web Filter with HTTPS

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 20 Jun 2007 17:46:02 -0700

"..and the horses, they go round and round..."
MCIL...

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Wednesday, June 20, 2007 5:23 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS

Sorry all-- I had to complete building a crate for a rack system I'm 
shipping out...

back to the grind:

CIL


----- Original Message ----- 
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Wednesday, June 20, 2007 3:48 PM
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS


> Actually, I am, but the answers I provide are sliding around you....
> CIL...
>
> [Jim] - the only reason a "protocol" is listed is for the "silly human
> operating the machine".  Regardless of whether the listener accepts
> encrapted or plain-text traffic, HTTP is the only protocol supported by
> a web listener.

But that protocol is either HTTP or HTTPS.  
[Jim] - no; the "protocol" displayed is just for the "stopidhuman"; ISA
deals with them both the same except for the SSL session required for
HTTPS.

Do this, applying changes as necessary:

1) right click on HTTP in Protocols.  In "Parameters" ensure "Web Filter" is checked in "Application Filters."
2) right click on HTTPS in Protocols.  In "Parameters" ensure "Web Filter" is NOT checked in "Application Filters."
3) Create listeners for HTTP and for SSL (80 and 443) respectively.
4) Create web publishing rules for each listener, one for HTTP, one for HTTPS
5) Right-click on the HTTP pub rule- you can select "Configure HTTP"
6) Right-click on the HTTPS pub rule- you *can not* select "Configure HTTP"
7) Go back to HTTPS Protocol, and now check "Web Filter" in "Application Filters"
8) Right-click on the HTTPS pub rule- you can now select "Configure HTTP"
[Jim] - your machine is bursted - I do not see this behavior at all.

>
> 3) When you right click on the rule, you *cannot select "Configure HTTP"
> because it's not there.*  It's not there because of point #1.
> [Jim] - I just tested this on my ISA server and I have this option.  Are
> you sure you're not r-clicking the listener itself?  Wanna gimme TS to
> your machine (offline o'course)?

Sure.  The whole point is that something is janked up with the Web Filter
and HTTPS.
[jim] - nope - something is off for your server.  Gimme TS.

> [Jim] - again; comparing access rules to web publishing rules is a good
> way to lose that mane of yours.  This logic is false because it ignores
> the mechanisms involved.  BTW, defining RPC_x_DATA in the HTTP Filter
> doesn't "enable" RPC/HTTP, it only serves to restrict the HTTP methods
> that are accepted by the web publishing rule.

But you can't do that if "Web Filter" is not checked in the HTTPS protocol.
That's the whole point.
[Jim] - can2; can2; so there.

>
> I'm not overcomplicating- I'm saying something is poo poo here.
> [Jim] - agreed,  but I'm leaning towards PICNIC...

So, bottom line is that you probably have Web Filter bound to HTTPS, 
and your HTTPS outbound *still works*.  
[Jim] - nope; that can't work.

That is the first thing I asked for folks to verify.  If you have to clear
"Web Filter" for HTTPS outbound to work, then by definition of the protocol,
you cannot have HTTP filters, which depend upon the Web Filter "application
filter" to work, for inbound HTTPS rules.

t 


