[isapros] Re: Fw: Re: Web Filter with HTTPS

  • From: "Gerald G. Young" <g.young@xxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 21 Jun 2007 10:29:20 -0400

Are you secretly a masochist? :)  Asking for a bit of a beating?
Seriously. :)

*boot to the groin!*

There.  Feel better? :)

It was a good discussion, though. :)

Cordially yours,
Jerry G. Young II
Application Engineer
Platform Engineering and Architecture
NTT America, an NTT Communications Company

22451 Shaw Rd.
Sterling, VA 20166

Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx


-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thor (Hammer of God)
Sent: Thursday, June 21, 2007 10:25 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS

What, no kicks in the groin?  I was sure that I'd at least take one in the
lads from Stevo.... ;)

t

----- Original Message ----- 
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Wednesday, June 20, 2007 7:15 PM
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS


> I was totally wrong about the entire thing...
>
> In the config I was working on, HTTP was un-bound from the Web Filter.  I
> apparently got crossed up in my testing with it being on or off, and I
> screwed myself.
>
> Binding of the Web Filter to HTTPS has no effect on the ability to
> "Configure HTTP."  Only binding of the Web Filter to HTTP does.
>
> I very much appreciate everyone's patience in working through this,
> otherwise I would have just assumed there was some Voodoo going on and
> blame everyone by myself.
>
> All that being said, you shouldn't be able to bind the Web Filter to 
> HTTPS, or if you do, it shouldn't break things knowing what we know ;)
>
> Thanks guys.
> t
>
>
> ----- Original Message ----- 
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: <isapros@xxxxxxxxxxxxx>
> Sent: Wednesday, June 20, 2007 6:07 PM
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
>
> Remember that the *type* of rule is important.
>
> Access Rules -- Web Proxy filter unbound from HTTP, then no HTTP
> Security Filter configuration
>
> Web Publishing Rules -- Web Proxy filter unbound from HTTP, then no HTTP
> Security Filter configuration
>
> Web Publishing Rules apply the settings in the HTTP Security Filter
> because ISA has access to the unencrypted HTTP since the SSL connection
> terminates at the ISA firewall
>
> Access Rules do not use the Web Proxy filter or the HTTP Security
> Filter, since the SSL connection doesn't terminate at the ISA Firewall
> for outbound connections.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
>
>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx
>> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>> (Hammer of God)
>> Sent: Wednesday, June 20, 2007 8:03 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>>
>> That's what I was on about...
>>
>> However, things have changed now.  I can indeed configure HTTP on a HTTPS
>> rule even though HTTPS had "Web Filter" disabled.  However, I can't if HTTP
>> has "Web Filter" unbound.  Both Steve and I saw this, but I'm not going to
>> blame ISA voodoo for that:  I guess we still had HTTP unbound- but I would
>> swear we didn't.  I'll take one for the home team on that one.
>>
>> I'm going to have to write up a check-list and go through again before I
>> continue on here.
>>
>> t
>>
>>
>> ----- Original Message ----- 
>> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>> To: <isapros@xxxxxxxxxxxxx>
>> Sent: Wednesday, June 20, 2007 5:55 PM
>> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>>
>>
>> Hey Jim,
>>
>> Actually, if you unbind the Web Proxy Filter from the HTTP protocol, the
>> HTTP Security Filter configuration option goes away. I reported this bug
>> when ISA 2004 was in early beta. Never got fixed.
>>
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://blogs.isaserver.org/shinder/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- Microsoft Firewalls (ISA)
>>
>>
>>
>> > -----Original Message-----
>> > From: isapros-bounce@xxxxxxxxxxxxx
>> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>> > Sent: Wednesday, June 20, 2007 7:52 PM
>> > To: isapros@xxxxxxxxxxxxx
>> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>> >
>> > No.
>> > Yes.
>> > Maybe.
>> >
>> > The HTTPS protocol handles traffic destined for "port 443".  This
>> > protocol definition is applied to SecureNAT and FWC traffic *only*.
>> > CERN proxy client requests are handled by the Web Proxy Filter, which
>> > natively understands HTTP and FTP as well as how to handle SSL tunnels
>> > for HTTP.  It *does not* use the protocol HTTP/HTTPS definitions.
>> > If you bind the Web Proxy Filter to a non-cleartext HTTP protocol or any
>> > non-HTTP protocol, the Web Proxy filter will poop loudly in your
>> > Cheerios.
>> >
>> > As far as your inability to "configure HTTP" in your web publishing
>> > rules, I'd still like a TS to your machine. - something is very much
>> > amiss.
>> >
>> > -----Original Message-----
>> > From: isapros-bounce@xxxxxxxxxxxxx
>> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> > On Behalf Of Thor (Hammer of God)
>> > Sent: Wednesday, June 20, 2007 5:46 PM
>> > To: isapros@xxxxxxxxxxxxx
>> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>> >
>> > Bottom line on this - tell me:
>> >
>> > If you have "Web Filter" bound to HTTPS, can you make outbound HTTPS
>> > connections?
>> >
>> > That's really the whole question.  On the network we're seeing this on,
>> > you cannot make outbound HTTPS connections if "Web Filter" is bound to
>> > HTTPS.  Let's start off in a simple manner, and see if that point is
>> > true or not in your config please...
>> >
>> > t
>> >
>> > ----- Original Message ----- 
>> > From: Thomas W Shinder <mailto:tshinder@xxxxxxxxxxx>
>> > To: isapros@xxxxxxxxxxxxx
>> > Sent: Wednesday, June 20, 2007 5:41 PM
>> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>> >
>> > That should say:
>> >
>> > "When you unbind the Web Proxy Filter from the HTTP protocol......."
>> >
>> > whoops.
>> >
>> > Thomas W Shinder, M.D.
>> > Site: www.isaserver.org
>> > Blog: http://blogs.isaserver.org/shinder/
>> > Book: http://tinyurl.com/3xqb7
>> > MVP -- Microsoft Firewalls (ISA)
>> >
>> >
>> >
>> >
>> > ________________________________
>> >
>> > From: isapros-bounce@xxxxxxxxxxxxx
>> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>> > Sent: Wednesday, June 20, 2007 7:37 PM
>> > To: isapros@xxxxxxxxxxxxx
>> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>> >
>> >
>> > No, you need to configure the HTTP Security Filter, and in order to
>> > configure the HTTP Security Filter, the Web Proxy Filter must be enabled.
>> >
>> > It's always enabled for Web listeners
>> >
>> > It can be unbound from the HTTP protocol, in which case the
>> > configuration interface for the HTTP Security Filter disappears, but your
>> > configuration changes remain intact.
>> >
>> > When you unbind the Web proxy filter from the HTTPS protocol, no Web
>> > caching or filtering is done for Firewall clients or SecureNAT clients.
>> >
>> > Web proxy clients are always exposed to the Web proxy filter, even if
>> > you unbind it from the HTTP protocol.
>> >
>> > How's that?
>> >
>> > Thomas W Shinder, M.D.
>> > Site: www.isaserver.org
>> > Blog: http://blogs.isaserver.org/shinder/
>> > Book: http://tinyurl.com/3xqb7
>> > MVP -- Microsoft Firewalls (ISA)
>> >
>> >
>> >
>> >
>> > ________________________________
>> >
>> > From: isapros-bounce@xxxxxxxxxxxxx
>> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
>> > Sent: Wednesday, June 20, 2007 5:06 PM
>> > To: isapros@xxxxxxxxxxxxx
>> > Subject: [isapros] Re: Fw: Re: Web Filter with
>> > HTTPS
>> >
>> >
>> >
>> > If you're just publishing OWA and an RPC proxy over HTTPS, isn't any
>> > filter configuration automatically handled by ISA when running the
>> > Publish Mail Server wizard?  As I understood it, ISA knows that stuff
>> > inherently; no configuration necessary.
>> >
>> > Cordially yours,
>> > Jerry G. Young II  ++ Sent from BlackBerry ++
>> > Application Engineer
>> > Platform Engineering and Architecture
>> > NTT America, an NTT Communications Company
>> >
>> > 22451 Shaw Rd.
>> > Sterling, VA 20166
>> >
>> > Office: 571-434-1319
>> > Fax: 703-333-6749
>> > Email: g.young@xxxxxxxx
>> >
>> >
>> > -----Original Message-----
>> > From: isapros-bounce@xxxxxxxxxxxxx
>> > <isapros-bounce@xxxxxxxxxxxxx>
>> > To: isapros@xxxxxxxxxxxxx
>> > <isapros@xxxxxxxxxxxxx>
>> > Sent: Wed Jun 20 17:52:18 2007
>> > Subject: [isapros] Re: Fw: Re: Web Filter with
>> > HTTPS
>> >
>> > We're all pedants here ;)
>> >
>> > Here is my specific question then:
>> >
>> > I want to publish HTTPS ie OWA for RPC and HTTPS.  I obviously need to
>> > configure the HTTP Filter properties.  If I have the Web Filter bound to
>> > HTTPS (iow, selected in the available filters under the protocol config) then
>> > ALL outbound HTTPS traffic breaks.  Therefore, one has to un-bind the Web
>> > Filter from HTTPS for outbound to work (on this install).
>> >
>> > Ergo, since the Web Filter is not bound to the HTTPS protocol (in order for
>> > outbound to work), there is no way to select "Configure HTTP" from the
>> > properties of the web publishing rule.
>> >
>> > FromwhenthouNowThinketh, WTF is the deal on what properties of the filter
>> > are applied?  See what I mean??
>> >
>> > t
>> >
>> > ----- Original Message -----
>> > From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
>> > To: <isapros@xxxxxxxxxxxxx>
>> > Sent: Wednesday, June 20, 2007 2:31 PM
>> > Subject: [isapros] Re: Fw: Re: Web Filter with
>> > HTTPS
>> >
>> >
>> > > Not to be pedantic, but the published traffic being handled by the web
>> > > proxy isn't "HTTPS", it's "HTTP inside SSL" and ISA handles each layer
>> > > separately.  By the time the web proxy is evaluating the HTTP traffic,
>> > > SSL is no longer a factor and it gets treated just like "plain old" HTTP
>> > > traffic.
>> > >
>> > > -----Original Message-----
>> > > From: isapros-bounce@xxxxxxxxxxxxx
>> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> > > On Behalf Of Thor (Hammer of God)
>> > > Sent: Wednesday, June 20, 2007 2:26 PM
>> > > To: isapros@xxxxxxxxxxxxx
>> > > Subject: [isapros] Re: Fw: Re: Web Filter with
>> > HTTPS
>> > >
>> > > Then how do you configure the HTTP filtering on web pub rules if the Web
>> > > Filter is not bound to HTTPS?
>> > >
>> > > t
>> > > ----- Original Message -----
>> > > From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
>> > > To: <isapros@xxxxxxxxxxxxx>
>> > > Sent: Wednesday, June 20, 2007 2:24 PM
>> > > Subject: [isapros] Re: Fw: Re: Web Filter with
>> > HTTPS
>> > >
>> > >
>> > >> Sorta..
>> > >> if it's a web pub rule, then the web proxy is already involved and no
>> > >> "protocol binding" is required.
>> > >> If it's a server pub rule, then ISA is effectively blind to the traffic
>> > >> anyway.
>> > >>
>> > >> -----Original Message-----
>> > >> From: isapros-bounce@xxxxxxxxxxxxx
>> > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> > >> On Behalf Of Thor (Hammer of God)
>> > >> Sent: Wednesday, June 20, 2007 2:05 PM
>> > >> To: isapros@xxxxxxxxxxxxx
>> > >> Subject: [isapros] Fw: Re: Web Filter with
>> > HTTPS
>> > >>
>> > >> OK, so you are saying that if I unbind the Web Filter from HTTPS, and
>> > >> create a pub rule for HTTPS, then the filter will still be used for the
>> > >> Pub rule?
>> > >>
>> > >> t
>> > >>
>> > >>
>> > >> -----Original Message-----
>> > >> From: isapros-bounce@xxxxxxxxxxxxx
>> > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> > >> On Behalf Of Jim Harrison
>> > >> Sent: Wednesday, June 20, 2007 5:43 PM
>> > >> To: isapros@xxxxxxxxxxxxx
>> > >> Subject: [isapros] Re: Web Filter with HTTPS
>> > >>
>> > >> The web filter is the part that expects to watch the HTTP traffic as it
>> > >> flows through ISA.
>> > >> With the exception of web publishing, HTTPS traffic is effectively
>> > >> invisible to ISA and therefore any policies enacted via the web filter
>> > >> (think HTTP Filter, too) cannot be applied and ISA will default to "when
>> > >> in doubt, trash it" mode.
>> > >>
>> > >> -----Original Message-----
>> > >> From: isapros-bounce@xxxxxxxxxxxxx
>> > > [mailto:isapros-bounce@xxxxxxxxxxxxx]
>> > >> On Behalf Of Thor (Hammer of God)
>> > >> Sent: Wednesday, June 20, 2007 1:15 PM
>> > >> To: isapros@xxxxxxxxxxxxx
>> > >> Subject: [isapros] Web Filter with HTTPS
>> > >>
>> > >> Just a sanity check here... why would all HTTPS traffic fail if the Web
>> > >> Filter was bound to the HTTPS protocol?
>> > >>
>> > >> t
>> > >>
>> > >> All mail to and from this domain is GFI-scanned.