[isapros] Re: Fw: Re: Web Filter with HTTPS

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 20 Jun 2007 17:52:21 -0700

No.
Yes.
Maybe.

The HTTPS protocol handles traffic destined for "port 443".  This
protocol definition is applied to SecureNET and FWC traffic *only*.
CERN proxy client requests are handled by the Web Proxy Filter, which
natively understands HTTP and FTP as well as how to handle SSL tunnels
for HTTP.  It *does not* use the protocol HTTP/HTTPS definitions.
If you bind the Web Proxy Filter to a non-cleartext HTTP protocol or any
non-HTTP protocol, the Web Proxy filter will poop loudly in your
Cheerios.

As far as your inability to "configure HTTP" in your web publishing
rules, I'd still like a TS to your machine - something is very much
amiss.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Wednesday, June 20, 2007 5:46 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS

Bottom line on this - tell me:
 
If you have "Web Filter" bound to HTTPS, can you make outbound HTTPS
connections?
 
That's really the whole question.  On the network we're seeing this on,
you cannot make outbound HTTPS connections if "Web Filter" is bound to
HTTPS.  Let's start off in a simple manner, and see if that point is
true or not in your config please...
 
t

        ----- Original Message ----- 
        From: Thomas W Shinder <mailto:tshinder@xxxxxxxxxxx>  
        To: isapros@xxxxxxxxxxxxx 
        Sent: Wednesday, June 20, 2007 5:41 PM
        Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS

        That should say:
         
        "When you unbind the Web Proxy Filter from the HTTP protocol......."
         
        whoops.
         
        Thomas W Shinder, M.D.
        Site: www.isaserver.org
        Blog: http://blogs.isaserver.org/shinder/
        Book: http://tinyurl.com/3xqb7
        MVP -- Microsoft Firewalls (ISA)

         


________________________________

                From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
                Sent: Wednesday, June 20, 2007 7:37 PM
                To: isapros@xxxxxxxxxxxxx
                Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
                
                
                No, you need to configure the HTTP Security Filter, and
                in order to configure the HTTP Security Filter, the Web
                Proxy Filter must be enabled.
                 
                It's always enabled for Web listeners
                 
                It can be unbound from the HTTP protocol, in which case the
                configuration interface for the HTTP Security Filter
                disappears, but your configuration changes remain intact.
                 
                When you unbind the Web proxy filter from the HTTPS
                protocol, no Web caching or filtering is done for Firewall
                clients or SecureNAT clients.
                 
                Web proxy clients are always exposed to the Web proxy
                filter, even if you unbind it from the HTTP protocol.
                 
                How's that?
                 
                Thomas W Shinder, M.D.
                Site: www.isaserver.org <http://www.isaserver.org/> 
                Blog: http://blogs.isaserver.org/shinder/
                Book: http://tinyurl.com/3xqb7
                MVP -- Microsoft Firewalls (ISA)

                 


________________________________

                        From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
                        Sent: Wednesday, June 20, 2007 5:06 PM
                        To: isapros@xxxxxxxxxxxxx
                        Subject: [isapros] Re: Fw: Re: Web Filter with
HTTPS
                        
                        

                        If you're just publishing OWA and an RPC proxy over
                        HTTPS, isn't any filter configuration automatically
                        handled by ISA when running the Publish Mail Server
                        wizard?  As I understood it, ISA knows that stuff
                        inherently; no configuration necessary.
                        
                        Cordially yours,
                        Jerry G. Young II  ++ Sent from BlackBerry ++
                        Application Engineer
                        Platform Engineering and Architecture
                        NTT America, an NTT Communications Company
                        
                        22451 Shaw Rd.
                        Sterling, VA 20166
                        
                        Office: 571-434-1319
                        Fax: 703-333-6749
                        Email: g.young@xxxxxxxx
                        
                        
                        -----Original Message-----
                        From: isapros-bounce@xxxxxxxxxxxxx
<isapros-bounce@xxxxxxxxxxxxx>
                        To: isapros@xxxxxxxxxxxxx
<isapros@xxxxxxxxxxxxx>
                        Sent: Wed Jun 20 17:52:18 2007
                        Subject: [isapros] Re: Fw: Re: Web Filter with
HTTPS
                        
                        We're all pendants here ;)
                        
                        Here is my specific question then:
                        
                        I want to publish HTTPS ie OWA for RPC and HTTPS.  I obviously need to
                        configure the HTTP Filter properties.  If I have the Web Filter bound to
                        HTTPS (iow, selected in the available filters under the protocol config) then
                        ALL outbound HTTPS traffic breaks.  Therefore, one has to un-bind the Web
                        Filter from HTTPS for outbound to work (on this install).
                        
                        Ergo, since the Web Filter is not bound to the HTTPS protocol (in order for
                        outbound to work), there is no way to select "Configure HTTP" from the
                        properties of the web publishing rule.
                        
                        FromwhenthouNowThinketh, WTF is the deal on what properties of the filter
                        are applied?  See what I mean??
                        
                        t
                        
                        ----- Original Message -----
                        From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
                        To: <isapros@xxxxxxxxxxxxx>
                        Sent: Wednesday, June 20, 2007 2:31 PM
                        Subject: [isapros] Re: Fw: Re: Web Filter with
HTTPS
                        
                        
                        > Not to be pedantic, but the published traffic being handled by the web
                        > proxy isn't "HTTPS", it's "HTTP inside SSL" and ISA handles each layer
                        > separately.  By the time the web proxy is evaluating the HTTP traffic,
                        > SSL is no longer a factor and it gets treated just like "plain old" HTTP
                        > traffic.
                        >
                        > -----Original Message-----
                        > From: isapros-bounce@xxxxxxxxxxxxx
[mailto:isapros-bounce@xxxxxxxxxxxxx]
                        > On Behalf Of Thor (Hammer of God)
                        > Sent: Wednesday, June 20, 2007 2:26 PM
                        > To: isapros@xxxxxxxxxxxxx
                        > Subject: [isapros] Re: Fw: Re: Web Filter with
HTTPS
                        >
                        > Then how do you configure the HTTP filtering on web pub rules if the Web
                        > Filter is not bound to HTTPS?
                        >
                        > t
                        > ----- Original Message -----
                        > From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
                        > To: <isapros@xxxxxxxxxxxxx>
                        > Sent: Wednesday, June 20, 2007 2:24 PM
                        > Subject: [isapros] Re: Fw: Re: Web Filter with
HTTPS
                        >
                        >
                        >> Sorta..
                        >> if it's a web pub rule, then the web proxy is already involved and no
                        >> "protocol binding" is required.
                        >> If it's a server pub rule, then ISA is effectively blind to the traffic
                        >> anyway.
                        >>
                        >> -----Original Message-----
                        >> From: isapros-bounce@xxxxxxxxxxxxx
                        > [mailto:isapros-bounce@xxxxxxxxxxxxx]
                        >> On Behalf Of Thor (Hammer of God)
                        >> Sent: Wednesday, June 20, 2007 2:05 PM
                        >> To: isapros@xxxxxxxxxxxxx
                        >> Subject: [isapros] Fw: Re: Web Filter with
HTTPS
                        >>
                        >> OK, so you are saying that if I unbind the Web Filter from HTTPS, and create
                        >> a pub rule for HTTPS, then the filter will still be used for the Pub
                        >> rule?
                        >>
                        >> t
                        >>
                        >>
                        >> -----Original Message-----
                        >> From: isapros-bounce@xxxxxxxxxxxxx
                        > [mailto:isapros-bounce@xxxxxxxxxxxxx]
                        >> On Behalf Of Jim Harrison
                        >> Sent: Wednesday, June 20, 2007 5:43 PM
                        >> To: isapros@xxxxxxxxxxxxx
                        >> Subject: [isapros] Re: Web Filter with HTTPS
                        >>
                        >> The web filter is the part that expects to watch the HTTP traffic as it
                        >> flows through ISA.
                        >> With the exception of web publishing, HTTPS traffic is effectively
                        >> invisible to ISA and therefore any policies enacted via the web filter
                        >> (think HTTP Filter, too) cannot be applied and ISA will default to "when
                        >> in doubt, trash it" mode.
                        >>
                        >> -----Original Message-----
                        >> From: isapros-bounce@xxxxxxxxxxxxx
                        > [mailto:isapros-bounce@xxxxxxxxxxxxx]
                        >> On Behalf Of Thor (Hammer of God)
                        >> Sent: Wednesday, June 20, 2007 1:15 PM
                        >> To: isapros@xxxxxxxxxxxxx
                        >> Subject: [isapros] Web Filter with HTTPS
                        >>
                        >> Just a sanity check here... why would all HTTPS traffic fail if the Web
                        >> Filter was bound to the HTTPS protocol?
                        >>
                        >> t
                        >>
                        >> All mail to and from this domain is GFI-scanned.
                        >>
                        >>
                        >>
                        >>
                        >>
                        >>
                        >
                        >
                        >
                        >
                        >
                        
                        
                        



