Not the one in Australia? :-p

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Wednesday, June 20, 2007 5:58 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS

You can *already* TS into the machine... It's the one in Bermuda ;)

t

----- Original Message -----
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Wednesday, June 20, 2007 5:52 PM
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS

> No.
> Yes.
> Maybe.
>
> The HTTPS protocol handles traffic destined for "port 443". This
> protocol definition is applied to SecureNAT and FWC traffic *only*.
> CERN proxy client requests are handled by the Web Proxy Filter, which
> natively understands HTTP and FTP as well as how to handle SSL tunnels
> for HTTP. It *does not* use the protocol HTTP/HTTPS definitions.
> If you bind the Web Proxy Filter to a non-cleartext HTTP protocol or any
> non-HTTP protocol, the Web Proxy filter will poop loudly in your
> Cheerios.
>
> As far as your inability to "configure HTTP" in your web publishing
> rules, I'd still like a TS to your machine. - something is very much
> amiss.
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thor (Hammer of God)
> Sent: Wednesday, June 20, 2007 5:46 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
> Bottom line on this - tell me:
>
> If you have "Web Filter" bound to HTTPS, can you make outbound HTTPS
> connections?
>
> That's really the whole question. On the network we're seeing this on,
> you cannot make outbound HTTPS connections if "Web Filter" is bound to
> HTTPS. Let's start off in a simple manner, and see if that point is
> true or not in your config please...
>
> t
>
> ----- Original Message -----
> From: Thomas W Shinder <mailto:tshinder@xxxxxxxxxxx>
> To: isapros@xxxxxxxxxxxxx
> Sent: Wednesday, June 20, 2007 5:41 PM
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
> That should say:
>
> "When you unbind the Web Proxy Filter from the HTTP protocol......."
>
> whoops.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
> ________________________________
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Wednesday, June 20, 2007 7:37 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
> No, you need to configure the HTTP Security Filter, and in order to
> configure the HTTP Security Filter, the Web Proxy Filter must be
> enabled.
>
> It's always enabled for Web listeners
>
> It can be unbound from the HTTP protocol, in which case the
> configuration interface for the HTTP Security Filter disappears, but
> your configuration changes remain intact.
>
> When you unbind the Web proxy filter from the HTTPS protocol, no Web
> caching or filtering is done for Firewall clients or SecureNAT clients.
>
> Web proxy clients are always exposed to the Web proxy filter, even if
> you unbind it from the HTTP protocol.
>
> How's that?
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
> ________________________________
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Gerald G. Young
> Sent: Wednesday, June 20, 2007 5:06 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
> If you're just publishing OWA and an RPC proxy over HTTPS, isn't any
> filter configuration automatically handled by ISA when running the
> Publish Mail Server wizard? As I understood it, ISA knows that stuff
> inherently; no configuration necessary.
>
> Cordially yours,
> Jerry G. Young II ++ Sent from BlackBerry ++
> Application Engineer
> Platform Engineering and Architecture
> NTT America, an NTT Communications Company
>
> 22451 Shaw Rd.
> Sterling, VA 20166
>
> Office: 571-434-1319
> Fax: 703-333-6749
> Email: g.young@xxxxxxxx
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx <isapros-bounce@xxxxxxxxxxxxx>
> To: isapros@xxxxxxxxxxxxx <isapros@xxxxxxxxxxxxx>
> Sent: Wed Jun 20 17:52:18 2007
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
> We're all pendants here ;)
>
> Here is my specific question then:
>
> I want to publish HTTPS ie OWA for RPC and HTTPS. I obviously need to
> configure the HTTP Filter properties. If I have the Web Filter bound to
> HTTPS (iow, selected in the available filters under the protocol config)
> then ALL outbound HTTPS traffic breaks. Therefore, one has to un-bind
> the Web Filter from HTTPS for outbound to work (on this install).
>
> Ergo, since the Web Filter is not bound to the HTTPS protocol (in order
> for outbound to work), there is no way to select "Configure HTTP" from
> the properties of the web publishing rule.
>
> FromwhenthouNowThinketh, WTF is the deal on what properties of the
> filter are applied? See what I mean??
>
> t
>
> ----- Original Message -----
> From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> To: <isapros@xxxxxxxxxxxxx>
> Sent: Wednesday, June 20, 2007 2:31 PM
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
> > Not to be pedantic, but the published traffic being handled by the web
> > proxy isn't "HTTPS", it's "HTTP inside SSL" and ISA handles each layer
> > separately. By the time the web proxy is evaluating the HTTP traffic,
> > SSL is no longer a factor and it gets treated just like "plain old"
> > HTTP traffic.
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Thor (Hammer of God)
> > Sent: Wednesday, June 20, 2007 2:26 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >
> > Then how do you configure the HTTP filtering on web pub rules if the
> > Web Filter is not bound to HTTPS?
> >
> > t
> >
> > ----- Original Message -----
> > From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> > To: <isapros@xxxxxxxxxxxxx>
> > Sent: Wednesday, June 20, 2007 2:24 PM
> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >
> >> Sorta..
> >> if it's a web pub rule, then the web proxy is already involved and no
> >> "protocol binding" is required.
> >> If it's a server pub rule, then ISA is effectively blind to the
> >> traffic anyway.
> >>
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> On Behalf Of Thor (Hammer of God)
> >> Sent: Wednesday, June 20, 2007 2:05 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Fw: Re: Web Filter with HTTPS
> >>
> >> OK, so you are saying that if I unbind the Web Filter from HTTPS, and
> >> create a pub rule for HTTPS, then the filter will still be used for
> >> the Pub rule?
> >>
> >> t
> >>
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> On Behalf Of Jim Harrison
> >> Sent: Wednesday, June 20, 2007 5:43 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: Web Filter with HTTPS
> >>
> >> The web filter is the part that expects to watch the HTTP traffic as
> >> it flows through ISA.
> >> With the exception of web publishing, HTTPS traffic is effectively
> >> invisible to ISA and therefore any policies enacted via the web filter
> >> (think HTTP Filter, too) cannot be applied and ISA will default to
> >> "when in doubt, trash it" mode.
> >>
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> On Behalf Of Thor (Hammer of God)
> >> Sent: Wednesday, June 20, 2007 1:15 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Web Filter with HTTPS
> >>
> >> Just a sanity check here... why would all HTTPS traffic fail if the
> >> Web Filter was bound to the HTTPS protocol?
> >>
> >> t
> >>
> >> All mail to and from this domain is GFI-scanned.