[isapros] Re: Fw: Re: Web Filter with HTTPS

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 20 Jun 2007 20:07:22 -0500

Remember that the *type* of rule is important.

Access Rules -- Web Proxy filter unbound from HTTP, then no HTTP
Security Filter configuration

Web Publishing Rules -- Web Proxy filter unbound from HTTP, then no HTTP
Security Filter configuration

Web Publishing Rules apply the settings in the HTTP Security Filter
because ISA has access to the unencrypted HTTP since the SSL connection
terminates at the ISA firewall.

Access Rules do not use the Web Proxy filter or the HTTP Security
Filter, since the SSL connection doesn't terminate at the ISA Firewall
for outbound connections.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor 
> (Hammer of God)
> Sent: Wednesday, June 20, 2007 8:03 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> 
> That's what I was on about...
> 
> However, things have changed now.  I can indeed configure HTTP on a HTTPS
> rule even though HTTPS had "Web Filter" disabled.  However, I can't if HTTP
> has "Web Filter" unbound.  Both Steve and I saw this, but I'm not going to
> blame ISA voodoo for that:  I guess we still had HTTP unbound- but I would
> swear we didn't.  I'll take one for the home team on that one.
> 
> I'm going to have to write up a check-list and go through again before I
> continue on here.
> 
> t
> 
> 
> ----- Original Message ----- 
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: <isapros@xxxxxxxxxxxxx>
> Sent: Wednesday, June 20, 2007 5:55 PM
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> 
> 
> Hey Jim,
> 
> Actually, if you unbind the Web Proxy Filter from the HTTP protocol, the
> HTTP Security Filter configuration option goes away. I reported this bug
> when ISA 2004 was in early beta. Never got fixed.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
> 
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> > Sent: Wednesday, June 20, 2007 7:52 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >
> > No.
> > Yes.
> > Maybe.
> >
> > The HTTPS protocol handles traffic destined for "port 443".  This
> > protocol definition is applied to SecureNAT and FWC traffic *only*.
> > CERN proxy client requests are handled by the Web Proxy Filter, which
> > natively understands HTTP and FTP as well as how to handle SSL tunnels
> > for HTTP.  It *does not* use the protocol HTTP/HTTPS definitions.
> > If you bind the Web Proxy Filter to a non-cleartext HTTP protocol or any
> > non-HTTP protocol, the Web Proxy filter will poop loudly in your
> > Cheerios.
> >
> > As far as your inability to "configure HTTP" in your web publishing
> > rules, I'd still like a TS to your machine. - something is very much
> > amiss.
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Thor (Hammer of God)
> > Sent: Wednesday, June 20, 2007 5:46 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >
> > Bottom line on this - tell me:
> >
> > If you have "Web Filter" bound to HTTPS, can you make outbound HTTPS
> > connections?
> >
> > That's really the whole question.  On the network we're seeing this on,
> > you cannot make outbound HTTPS connections if "Web Filter" is bound to
> > HTTPS.  Let's start off in a simple manner, and see if that point is
> > true or not in your config please...
> >
> > t
> >
> > ----- Original Message ----- 
> > From: Thomas W Shinder <mailto:tshinder@xxxxxxxxxxx>
> > To: isapros@xxxxxxxxxxxxx
> > Sent: Wednesday, June 20, 2007 5:41 PM
> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >
> > That should say:
> >
> > "When you unbind the Web Proxy Filter from the HTTP
> > protocol......."
> >
> > whoops.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> >
> >
> >
> > ________________________________
> >
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> > Sent: Wednesday, June 20, 2007 7:37 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >
> >
> > No, you need to configure the HTTP Security Filter, and in order to
> > configure the HTTP Security Filter, the Web Proxy Filter must be enabled.
> >
> > It's always enabled for Web listeners
> >
> > It can be unbound from the HTTP protocol, in which case the
> > configuration interface for the HTTP Security Filter disappears, but your
> > configuration changes remain intact.
> >
> > When you unbind the Web proxy filter from the HTTPS protocol, no Web
> > caching or filtering is done for Firewall clients or SecureNAT clients.
> >
> > Web proxy clients are always exposed to the Web proxy
> > filter, even if you unbind it from the HTTP protocol.
> >
> > How's that?
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> >
> >
> >
> > ________________________________
> >
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
> > Sent: Wednesday, June 20, 2007 5:06 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >
> >
> >
> > If you're just publishing OWA and an RPC proxy over HTTPS, isn't any
> > filter configuration automatically handled by ISA when running the
> > Publish Mail Server wizard?  As I understood it, ISA knows that stuff
> > inherently; no configuration necessary.
> >
> > Cordially yours,
> > Jerry G. Young II  ++ Sent from BlackBerry ++
> > Application Engineer
> > Platform Engineering and Architecture
> > NTT America, an NTT Communications Company
> >
> > 22451 Shaw Rd.
> > Sterling, VA 20166
> >
> > Office: 571-434-1319
> > Fax: 703-333-6749
> > Email: g.young@xxxxxxxx
> >
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > <isapros-bounce@xxxxxxxxxxxxx>
> > To: isapros@xxxxxxxxxxxxx
> > <isapros@xxxxxxxxxxxxx>
> > Sent: Wed Jun 20 17:52:18 2007
> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >
> > We're all pedants here ;)
> >
> > Here is my specific question then:
> >
> > I want to publish HTTPS ie OWA for RPC and HTTPS.  I obviously need to
> > configure the HTTP Filter properties.  If I have the Web Filter bound to
> > HTTPS (iow, selected in the available filters under the protocol config) then
> > ALL outbound HTTPS traffic breaks.  Therefore, one has to un-bind the Web
> > Filter from HTTPS for outbound to work (on this install).
> >
> > Ergo, since the Web Filter is not bound to the HTTPS protocol (in order for
> > outbound to work), there is no way to select "Configure HTTP" from the
> > properties of the web publishing rule.
> >
> > FromwhenthouNowThinketh, WTF is the deal on what properties of the filter
> > are applied?  See what I mean??
> >
> > t
> >
> > ----- Original Message -----
> > From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> > To: <isapros@xxxxxxxxxxxxx>
> > Sent: Wednesday, June 20, 2007 2:31 PM
> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >
> >
> > > Not to be pedantic, but the published traffic being handled by the web
> > > proxy isn't "HTTPS", it's "HTTP inside SSL" and ISA handles each layer
> > > separately.  By the time the web proxy is evaluating the HTTP traffic,
> > > SSL is no longer a factor and it gets treated just like "plain old" HTTP
> > > traffic.
> > >
> > > -----Original Message-----
> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Thor (Hammer of God)
> > > Sent: Wednesday, June 20, 2007 2:26 PM
> > > To: isapros@xxxxxxxxxxxxx
> > > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> > >
> > > Then how do you configure the HTTP filtering on web pub rules if the Web
> > > Filter is not bound to HTTPS?
> > >
> > > t
> > > ----- Original Message -----
> > > From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> > > To: <isapros@xxxxxxxxxxxxx>
> > > Sent: Wednesday, June 20, 2007 2:24 PM
> > > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> > >
> > >
> > >> Sorta..
> > >> if it's a web pub rule, then the web proxy is already involved and no
> > >> "protocol binding" is required.
> > >> If it's a server pub rule, then ISA is effectively blind to the traffic
> > >> anyway.
> > >>
> > >> -----Original Message-----
> > >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > >> On Behalf Of Thor (Hammer of God)
> > >> Sent: Wednesday, June 20, 2007 2:05 PM
> > >> To: isapros@xxxxxxxxxxxxx
> > >> Subject: [isapros] Fw: Re: Web Filter with HTTPS
> > >>
> > >> OK, so you are saying that if I unbind the Web Filter from HTTPS, and
> > >> create a pub rule for HTTPS, then the filter will still be used for the
> > >> Pub rule?
> > >>
> > >> t
> > >>
> > >>
> > >> -----Original Message-----
> > >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > >> On Behalf Of Jim Harrison
> > >> Sent: Wednesday, June 20, 2007 5:43 PM
> > >> To: isapros@xxxxxxxxxxxxx
> > >> Subject: [isapros] Re: Web Filter with HTTPS
> > >>
> > >> The web filter is the part that expects to watch the HTTP traffic as it
> > >> flows through ISA.
> > >> With the exception of web publishing, HTTPS traffic is effectively
> > >> invisible to ISA and therefore any policies enacted via the web filter
> > >> (think HTTP Filter, too) cannot be applied and ISA will default to "when
> > >> in doubt, trash it" mode.
> > >>
> > >> -----Original Message-----
> > >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > >> On Behalf Of Thor (Hammer of God)
> > >> Sent: Wednesday, June 20, 2007 1:15 PM
> > >> To: isapros@xxxxxxxxxxxxx
> > >> Subject: [isapros] Web Filter with HTTPS
> > >>
> > >> Just a sanity check here... why would all HTTPS traffic fail if the Web
> > >> Filter was bound to the HTTPS protocol?
> > >>
> > >> t
> > >>
> > >> All mail to and from this domain is GFI-scanned.
> > >>
> > >>
> > >>
> > >>
> > >>
> > >>
> > >
> > >
> > >
> > >
> > >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> 
> 
> 
> 
