Nope, no kicks. You asked a good question, followed up on answers, and came to a conclusion by asking follow-up questions that helped hone down to the problem.

Now, if you had said "ISA broke my Internet" that would be another matter ;)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Thursday, June 21, 2007 9:25 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
> What, no kicks in the groin? I was sure that I'd at least take one in the
> lads from Stevo.... ;)
>
> t
>
> ----- Original Message -----
> From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
> To: <isapros@xxxxxxxxxxxxx>
> Sent: Wednesday, June 20, 2007 7:15 PM
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
> > I was totally wrong about the entire thing...
> >
> > In the config I was working on, HTTP was un-bound from the Web Filter. I
> > apparently got crossed up in my testing with it being on or off, and I
> > screwed myself.
> >
> > Binding of the Web Filter to HTTPS has no effect on the ability to
> > "Configure HTTP." Only binding of the Web Filter to HTTP does.
> >
> > I very much appreciate everyone's patience in working through this,
> > otherwise I would have just assumed there was some Voodoo going on and
> > blame everyone by myself.
> >
> > All that being said, you shouldn't be able to bind the Web Filter to
> > HTTPS, or if you do, it shouldn't break things knowing what we know ;)
> >
> > Thanks guys.
> >
> > t
> >
> > ----- Original Message -----
> > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > To: <isapros@xxxxxxxxxxxxx>
> > Sent: Wednesday, June 20, 2007 6:07 PM
> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >
> > Remember that the *type* of rule is important.
> >
> > Access Rules -- Web Proxy filter unbound from HTTP, then no HTTP
> > Security Filter configuration
> >
> > Web Publishing Rules -- Web Proxy filter unbound from HTTP, then no HTTP
> > Security Filter configuration
> >
> > Web Publishing Rules apply the settings in the HTTP Security Filter
> > because ISA has access to the unencrypted HTTP since the SSL connection
> > terminates at the ISA firewall
> >
> > Access Rules do not use the Web Proxy filter or the HTTP Security
> > Filter, since the SSL connection doesn't terminate at the ISA Firewall
> > for outbound connections.
> >
> > HTH,
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> >> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> >> Sent: Wednesday, June 20, 2007 8:03 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >>
> >> That's what I was on about...
> >>
> >> However, things have changed now. I can indeed configure HTTP on a HTTPS
> >> rule even though HTTPS had "Web Filter" disabled. However, I can't if HTTP
> >> has "Web Filter" unbound. Both Steve and I saw this, but I'm not going to
> >> blame ISA voodoo for that: I guess we still had HTTP unbound - but I would
> >> swear we didn't. I'll take one for the home team on that one.
> >>
> >> I'm going to have to write up a check-list and go through again before I
> >> continue on here.
> >>
> >> t
> >>
> >> ----- Original Message -----
> >> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> >> To: <isapros@xxxxxxxxxxxxx>
> >> Sent: Wednesday, June 20, 2007 5:55 PM
> >> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >>
> >> Hey Jim,
> >>
> >> Actually, if you unbind the Web Proxy Filter from the HTTP protocol, the
> >> HTTP Security Filter configuration option goes away. I reported this bug
> >> when ISA 2004 was in early beta. Never got fixed.
> >>
> >> Thomas W Shinder, M.D.
> >> Site: www.isaserver.org
> >> Blog: http://blogs.isaserver.org/shinder/
> >> Book: http://tinyurl.com/3xqb7
> >> MVP -- Microsoft Firewalls (ISA)
> >>
> >> > -----Original Message-----
> >> > From: isapros-bounce@xxxxxxxxxxxxx
> >> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >> > Sent: Wednesday, June 20, 2007 7:52 PM
> >> > To: isapros@xxxxxxxxxxxxx
> >> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >> >
> >> > No.
> >> > Yes.
> >> > Maybe.
> >> >
> >> > The HTTPS protocol handles traffic destined for "port 443". This
> >> > protocol definition is applied to SecureNAT and FWC traffic *only*.
> >> > CERN proxy client requests are handled by the Web Proxy Filter, which
> >> > natively understands HTTP and FTP as well as how to handle SSL tunnels
> >> > for HTTP. It *does not* use the protocol HTTP/HTTPS definitions.
> >> > If you bind the Web Proxy Filter to a non-cleartext HTTP protocol or any
> >> > non-HTTP protocol, the Web Proxy filter will poop loudly in your
> >> > Cheerios.
> >> >
> >> > As far as your inability to "configure HTTP" in your web publishing
> >> > rules, I'd still like a TS to your machine. - something is very much
> >> > amiss.
> >> >
> >> > -----Original Message-----
> >> > From: isapros-bounce@xxxxxxxxxxxxx
> >> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> > On Behalf Of Thor (Hammer of God)
> >> > Sent: Wednesday, June 20, 2007 5:46 PM
> >> > To: isapros@xxxxxxxxxxxxx
> >> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >> >
> >> > Bottom line on this - tell me:
> >> >
> >> > If you have "Web Filter" bound to HTTPS, can you make outbound HTTPS
> >> > connections?
> >> >
> >> > That's really the whole question. On the network we're seeing this on,
> >> > you cannot make outbound HTTPS connections if "Web Filter" is bound to
> >> > HTTPS. Let's start off in a simple manner, and see if that point is
> >> > true or not in your config please...
> >> >
> >> > t
> >> >
> >> > ----- Original Message -----
> >> > From: Thomas W Shinder <mailto:tshinder@xxxxxxxxxxx>
> >> > To: isapros@xxxxxxxxxxxxx
> >> > Sent: Wednesday, June 20, 2007 5:41 PM
> >> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >> >
> >> > That should say:
> >> >
> >> > "When you unbind the Web Proxy Filter from the HTTP protocol......."
> >> >
> >> > whoops.
> >> >
> >> > Thomas W Shinder, M.D.
> >> > Site: www.isaserver.org
> >> > Blog: http://blogs.isaserver.org/shinder/
> >> > Book: http://tinyurl.com/3xqb7
> >> > MVP -- Microsoft Firewalls (ISA)
> >> >
> >> > ________________________________
> >> >
> >> > From: isapros-bounce@xxxxxxxxxxxxx
> >> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> >> > Sent: Wednesday, June 20, 2007 7:37 PM
> >> > To: isapros@xxxxxxxxxxxxx
> >> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >> >
> >> > No, you need to configure the HTTP Security Filter, and
> >> > in order to configure the HTTP Security Filter, the Web Proxy Filter
> >> > must be enabled.
> >> >
> >> > It's always enabled for Web listeners
> >> >
> >> > It can be unbound from the HTTP protocol, in which case the
> >> > configuration interface for the HTTP Security Filter disappears, but your
> >> > configuration changes remain intact.
> >> >
> >> > When you unbind the Web proxy filter from the HTTPS
> >> > protocol, no Web caching or filtering is done for Firewall clients or
> >> > SecureNAT clients.
> >> >
> >> > Web proxy clients are always exposed to the Web proxy
> >> > filter, even if you unbind it from the HTTP protocol.
> >> >
> >> > How's that?
> >> >
> >> > Thomas W Shinder, M.D.
> >> > Site: www.isaserver.org
> >> > Blog: http://blogs.isaserver.org/shinder/
> >> > Book: http://tinyurl.com/3xqb7
> >> > MVP -- Microsoft Firewalls (ISA)
> >> >
> >> > ________________________________
> >> >
> >> > From: isapros-bounce@xxxxxxxxxxxxx
> >> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
> >> > Sent: Wednesday, June 20, 2007 5:06 PM
> >> > To: isapros@xxxxxxxxxxxxx
> >> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >> >
> >> > If you're just publishing OWA and an RPC proxy
> >> > over HTTPS, isn't any filter configuration automatically handled by ISA
> >> > when running the Publish Mail Server wizard? As I understood it, ISA
> >> > knows that stuff inherently; no configuration necessary.
> >> >
> >> > Cordially yours,
> >> > Jerry G. Young II ++ Sent from BlackBerry ++
> >> > Application Engineer
> >> > Platform Engineering and Architecture
> >> > NTT America, an NTT Communications Company
> >> >
> >> > 22451 Shaw Rd.
> >> > Sterling, VA 20166
> >> >
> >> > Office: 571-434-1319
> >> > Fax: 703-333-6749
> >> > Email: g.young@xxxxxxxx
> >> >
> >> > -----Original Message-----
> >> > From: isapros-bounce@xxxxxxxxxxxxx <isapros-bounce@xxxxxxxxxxxxx>
> >> > To: isapros@xxxxxxxxxxxxx <isapros@xxxxxxxxxxxxx>
> >> > Sent: Wed Jun 20 17:52:18 2007
> >> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >> >
> >> > We're all pendants here ;)
> >> >
> >> > Here is my specific question then:
> >> >
> >> > I want to publish HTTPS ie OWA for RPC and HTTPS. I obviously need to
> >> > configure the HTTP Filter properties. If I have the Web Filter bound to
> >> > HTTPS (iow, selected in the available filters under the protocol config) then
> >> > ALL outbound HTTPS traffic breaks. Therefore, one has to un-bind the Web
> >> > Filter from HTTPS for outbound to work (on this install).
> >> >
> >> > Ergo, since the Web Filter is not bound to the HTTPS protocol (in order for
> >> > outbound to work), there is no way to select "Configure HTTP" from the
> >> > properties of the web publishing rule.
> >> >
> >> > FromwhenthouNowThinketh, WTF is the deal on what properties of the filter
> >> > are applied? See what I mean??
> >> >
> >> > t
> >> >
> >> > ----- Original Message -----
> >> > From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> >> > To: <isapros@xxxxxxxxxxxxx>
> >> > Sent: Wednesday, June 20, 2007 2:31 PM
> >> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >> >
> >> > > Not to be pedantic, but the published traffic being handled by the web
> >> > > proxy isn't "HTTPS", it's "HTTP inside SSL" and ISA handles each layer
> >> > > separately. By the time the web proxy is evaluating the HTTP traffic,
> >> > > SSL is no longer a factor and it gets treated just like "plain old" HTTP
> >> > > traffic.
> >> > >
> >> > > -----Original Message-----
> >> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> > > On Behalf Of Thor (Hammer of God)
> >> > > Sent: Wednesday, June 20, 2007 2:26 PM
> >> > > To: isapros@xxxxxxxxxxxxx
> >> > > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >> > >
> >> > > Then how do you configure the HTTP filtering on web pub rules if the Web
> >> > > Filter is not bound to HTTPS?
> >> > >
> >> > > t
> >> > > ----- Original Message -----
> >> > > From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> >> > > To: <isapros@xxxxxxxxxxxxx>
> >> > > Sent: Wednesday, June 20, 2007 2:24 PM
> >> > > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >> > >
> >> > >> Sorta..
> >> > >> if it's a web pub rule, then the web proxy is already involved and no
> >> > >> "protocol binding" is required.
> >> > >> If it's a server pub rule, then ISA is effectively blind to the traffic
> >> > >> anyway.
> >> > >>
> >> > >> -----Original Message-----
> >> > >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> > >> On Behalf Of Thor (Hammer of God)
> >> > >> Sent: Wednesday, June 20, 2007 2:05 PM
> >> > >> To: isapros@xxxxxxxxxxxxx
> >> > >> Subject: [isapros] Fw: Re: Web Filter with HTTPS
> >> > >>
> >> > >> OK, so you are saying that if I unbind the Web Filter from HTTPS, and
> >> > >> create a pub rule for HTTPS, then the filter will still be used for the Pub
> >> > >> rule?
> >> > >>
> >> > >> t
> >> > >>
> >> > >> -----Original Message-----
> >> > >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> > >> On Behalf Of Jim Harrison
> >> > >> Sent: Wednesday, June 20, 2007 5:43 PM
> >> > >> To: isapros@xxxxxxxxxxxxx
> >> > >> Subject: [isapros] Re: Web Filter with HTTPS
> >> > >>
> >> > >> The web filter is the part that expects to watch the HTTP traffic as it
> >> > >> flows through ISA.
> >> > >> With the exception of web publishing, HTTPS traffic is effectively
> >> > >> invisible to ISA and therefore any policies enacted via the web filter
> >> > >> (think HTTP Filter, too) cannot be applied and ISA will default to "when
> >> > >> in doubt, trash it" mode.
> >> > >>
> >> > >> -----Original Message-----
> >> > >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> > >> On Behalf Of Thor (Hammer of God)
> >> > >> Sent: Wednesday, June 20, 2007 1:15 PM
> >> > >> To: isapros@xxxxxxxxxxxxx
> >> > >> Subject: [isapros] Web Filter with HTTPS
> >> > >>
> >> > >> Just a sanity check here... why would all HTTPS traffic fail if the Web
> >> > >> Filter was bound to the HTTPS protocol?
> >> > >>
> >> > >> t
> >> > >>
> >> > >> All mail to and from this domain is GFI-scanned.