[isapros] Re: Fw: Re: Web Filter with HTTPS

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Wed, 20 Jun 2007 19:15:50 -0700

I was totally wrong about the entire thing...

In the config I was working on, HTTP was un-bound from the Web Filter. I apparently got crossed up in my testing with it being on or off, and I screwed myself.

Binding of the Web Filter to HTTPS has no effect on the ability to "Configure HTTP." Only binding of the Web Filter to HTTP does.

I very much appreciate everyone's patience in working through this, otherwise I would have just assumed there was some Voodoo going on and blame everyone by myself.

All that being said, you shouldn't be able to bind the Web Filter to HTTPS, or if you do, it shouldn't break things knowing what we know ;)

Thanks guys.
t


----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Wednesday, June 20, 2007 6:07 PM
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS


Remember that the *type* of rule is important.

Access Rules -- Web Proxy filter unbound from HTTP, then no HTTP
Security Filter configuration

Web Publishing Rules -- Web Proxy filter unbound from HTTP, then no HTTP
Security Filter configuration

Web Publishing Rules apply the settings in the HTTP Security Filter
because ISA has access to the unencrypted HTTP since the SSL connection
terminates at the ISA firewall.

Access Rules do not use the Web Proxy filter or the HTTP Security
Filter, since the SSL connection doesn't terminate at the ISA Firewall
for outbound connections.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)



-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Wednesday, June 20, 2007 8:03 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS

That's what I was on about...

However, things have changed now.  I can indeed configure HTTP on a HTTPS
rule even though HTTPS had "Web Filter" disabled.  However, I can't if HTTP
has "Web Filter" unbound.  Both Steve and I saw this, but I'm not going to
blame ISA voodoo for that:  I guess we still had HTTP unbound- but I would
swear we didn't.  I'll take one for the home team on that one.

I'm going to have to write up a check-list and go through again before I
continue on here.

t


----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Wednesday, June 20, 2007 5:55 PM
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS


Hey Jim,

Actually, if you unbind the Web Proxy Filter from the HTTP protocol, the
HTTP Security Filter configuration option goes away. I reported this bug
when ISA 2004 was in early beta. Never got fixed.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)



> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: Wednesday, June 20, 2007 7:52 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
> No.
> Yes.
> Maybe.
>
> The HTTPS protocol handles traffic destined for "port 443".  This
> protocol definition is applied to SecureNAT and FWC traffic *only*.
> CERN proxy client requests are handled by the Web Proxy Filter, which
> natively understands HTTP and FTP as well as how to handle SSL tunnels
> for HTTP.  It *does not* use the protocol HTTP/HTTPS definitions.
> If you bind the Web Proxy Filter to a non-cleartext HTTP protocol or any
> non-HTTP protocol, the Web Proxy filter will poop loudly in your
> Cheerios.
>
> As far as your inability to "configure HTTP" in your web publishing
> rules, I'd still like a TS to your machine. - something is very much
> amiss.
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thor (Hammer of God)
> Sent: Wednesday, June 20, 2007 5:46 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
> Bottom line on this - tell me:
>
> If you have "Web Filter" bound to HTTPS, can you make outbound HTTPS
> connections?
>
> That's really the whole question.  On the network we're seeing this on,
> you cannot make outbound HTTPS connections if "Web Filter" is bound to
> HTTPS.  Let's start off in a simple manner, and see if that point is
> true or not in your config please...
>
> t
>
> ----- Original Message -----
> From: Thomas W Shinder <mailto:tshinder@xxxxxxxxxxx>
> To: isapros@xxxxxxxxxxxxx
> Sent: Wednesday, June 20, 2007 5:41 PM
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
> That should say:
>
> "When you unbind the Web Proxy Filter from the HTTP
> protocol......."
>
> whoops.
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
>
>
>
> ________________________________
>
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Wednesday, June 20, 2007 7:37 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
>
> No, you need to configure the HTTP Security Filter, and
> in order to configure the HTTP Security Filter, the Web Proxy Filter
> must be enabled.
>
> It's always enabled for Web listeners
>
> It can be unbound from the HTTP protocol, in which case the
> configuration interface for the HTTP Security Filter disappears, but
> your configuration changes remain intact.
>
> When you unbind the Web proxy filter from the HTTPS
> protocol, no Web caching or filtering is done for Firewall clients or
> SecureNAT clients.
>
> Web proxy clients are always exposed to the Web proxy
> filter, even if you unbind it from the HTTP protocol.
>
> How's that?
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
>
>
>
> ________________________________
>
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
> Sent: Wednesday, June 20, 2007 5:06 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
> If you're just publishing OWA and an RPC proxy over HTTPS, isn't any
> filter configuration automatically handled by ISA when running the
> Publish Mail Server wizard?  As I understood it, ISA knows that stuff
> inherently; no configuration necessary.
>
> Cordially yours,
> Jerry G. Young II  ++ Sent from BlackBerry ++
> Application Engineer
> Platform Engineering and Architecture
> NTT America, an NTT Communications Company
>
> 22451 Shaw Rd.
> Sterling, VA 20166
>
> Office: 571-434-1319
> Fax: 703-333-6749
> Email: g.young@xxxxxxxx
>
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx <isapros-bounce@xxxxxxxxxxxxx>
> To: isapros@xxxxxxxxxxxxx <isapros@xxxxxxxxxxxxx>
> Sent: Wed Jun 20 17:52:18 2007
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
> We're all pendants here ;)
>
> Here is my specific question then:
>
> I want to publish HTTPS ie OWA for RPC and HTTPS.  I obviously need to
> configure the HTTP Filter properties.  If I have the Web Filter bound to
> HTTPS (iow, selected in the available filters under the protocol config) then
> ALL outbound HTTPS traffic breaks.  Therefore, one has to un-bind the Web
> Filter from HTTPS for outbound to work (on this install).
>
> Ergo, since the Web Filter is not bound to the HTTPS protocol (in order for
> outbound to work), there is no way to select "Configure HTTP" from the
> properties of the web publishing rule.
>
> FromwhenthouNowThinketh, WTF is the deal on what properties of the filter
> are applied?  See what I mean??
>
> t
>
> ----- Original Message -----
> From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> To: <isapros@xxxxxxxxxxxxx>
> Sent: Wednesday, June 20, 2007 2:31 PM
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
>
> > Not to be pedantic, but the published traffic being handled by the web
> > proxy isn't "HTTPS", it's "HTTP inside SSL" and ISA handles each layer
> > separately.  By the time the web proxy is evaluating the HTTP traffic,
> > SSL is no longer a factor and it gets treated just like "plain old" HTTP
> > traffic.
> >
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Thor (Hammer of God)
> > Sent: Wednesday, June 20, 2007 2:26 PM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >
> > Then how do you configure the HTTP filtering on web pub rules if the Web
> > Filter is not bound to HTTPS?
> >
> > t
> > ----- Original Message -----
> > From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> > To: <isapros@xxxxxxxxxxxxx>
> > Sent: Wednesday, June 20, 2007 2:24 PM
> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >
> >
> >> Sorta..
> >> if it's a web pub rule, then the web proxy is already involved and no
> >> "protocol binding" is required.
> >> If it's a server pub rule, then ISA is effectively blind to the traffic
> >> anyway.
> >>
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> On Behalf Of Thor (Hammer of God)
> >> Sent: Wednesday, June 20, 2007 2:05 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Fw: Re: Web Filter with HTTPS
> >>
> >> OK, so you are saying that if I unbind the Web Filter from HTTPS, and
> >> create a pub rule for HTTPS, then the filter will still be used for the
> >> Pub rule?
> >>
> >> t
> >>
> >>
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> On Behalf Of Jim Harrison
> >> Sent: Wednesday, June 20, 2007 5:43 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: Web Filter with HTTPS
> >>
> >> The web filter is the part that expects to watch the HTTP traffic as it
> >> flows through ISA.
> >> With the exception of web publishing, HTTPS traffic is effectively
> >> invisible to ISA and therefore any policies enacted via the web filter
> >> (think HTTP Filter, too) cannot be applied and ISA will default to "when
> >> in doubt, trash it" mode.
> >>
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> On Behalf Of Thor (Hammer of God)
> >> Sent: Wednesday, June 20, 2007 1:15 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Web Filter with HTTPS
> >>
> >> Just a sanity check here... why would all HTTPS traffic fail if the Web
> >> Filter was bound to the HTTPS protocol?
> >>
> >> t
> >>
> >> All mail to and from this domain is GFI-scanned.





