[isapros] Re: Fw: Re: Web Filter with HTTPS

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Thu, 21 Jun 2007 09:47:02 -0500

Nope, no kicks. You asked a good question, followed up on answers, and
came to a conclusion by asking follow up questions that helped hone down
to the problem. 

Now, if you had said "ISA broke my Internet" that would be another
matter ;)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor 
> (Hammer of God)
> Sent: Thursday, June 21, 2007 9:25 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> 
> What, no kicks in the groin?  I was sure that I'd at least take one in the
> lads from Stevo.... ;)
> 
> t
> 
> ----- Original Message ----- 
> From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
> To: <isapros@xxxxxxxxxxxxx>
> Sent: Wednesday, June 20, 2007 7:15 PM
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> 
> 
> >I was totally wrong about the entire thing...
> >
> > In the config I was working on, HTTP was un-bound from the Web Filter.  I
> > apparently got crossed up in my testing with it being on or off, and I
> > screwed myself.
> >
> > Binding of the Web Filter to HTTPS has no effect on the ability to
> > "Configure HTTP."  Only binding of the Web Filter to HTTP does.
> >
> > I very much appreciate everyone's patience in working through this,
> > otherwise I would have just assumed there was some Voodoo going on and
> > blame everyone by myself.
> >
> > All that being said, you shouldn't be able to bind the Web Filter to
> > HTTPS, or if you do, it shouldn't break things knowing what we know ;)
> >
> > Thanks guys.
> > t
> >
> >
> > ----- Original Message ----- 
> > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > To: <isapros@xxxxxxxxxxxxx>
> > Sent: Wednesday, June 20, 2007 6:07 PM
> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >
> >
> > Remember that the *type* of rule is important.
> >
> > Access Rules -- Web Proxy filter unbound from HTTP, then no HTTP
> > Security Filter configuration
> >
> > Web Publishing Rules -- Web Proxy filter unbound from HTTP, then no HTTP
> > Security Filter configuration
> >
> > Web Publishing Rules apply the settings in the HTTP Security Filter
> > because ISA has access to the unencrypted HTTP since the SSL connection
> > terminates at the ISA firewall
> >
> > Access Rules do not use the Web Proxy filter or the HTTP Security
> > Filter, since the SSL connection doesn't terminate at the ISA Firewall
> > for outbound connections.
> >
> > HTH,
> > Tom
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- Microsoft Firewalls (ISA)
> >
> >
> >
> >> -----Original Message-----
> >> From: isapros-bounce@xxxxxxxxxxxxx
> >> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> >> (Hammer of God)
> >> Sent: Wednesday, June 20, 2007 8:03 PM
> >> To: isapros@xxxxxxxxxxxxx
> >> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >>
> >> That's what I was on about...
> >>
> >> However, things have changed now.  I can indeed configure HTTP on a HTTPS
> >> rule even though HTTPS had "Web Filter" disabled.  However, I can't if HTTP
> >> has "Web Filter" unbound.  Both Steve and I saw this, but I'm not going to
> >> blame ISA voodoo for that:  I guess we still had HTTP unbound- but I would
> >> swear we didn't.  I'll take one for the home team on that one.
> >>
> >> I'm going to have to write up a check-list and go through again before I
> >> continue on here.
> >>
> >> t
> >>
> >>
> >> ----- Original Message ----- 
> >> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> >> To: <isapros@xxxxxxxxxxxxx>
> >> Sent: Wednesday, June 20, 2007 5:55 PM
> >> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >>
> >>
> >> Hey Jim,
> >>
> >> Actually, if you unbind the Web Proxy Filter from the HTTP protocol, the
> >> HTTP Security Filter configuration option goes away. I reported this bug
> >> when ISA 2004 was in early beta. Never got fixed.
> >>
> >> Thomas W Shinder, M.D.
> >> Site: www.isaserver.org
> >> Blog: http://blogs.isaserver.org/shinder/
> >> Book: http://tinyurl.com/3xqb7
> >> MVP -- Microsoft Firewalls (ISA)
> >>
> >>
> >>
> >> > -----Original Message-----
> >> > From: isapros-bounce@xxxxxxxxxxxxx
> >> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> >> > Sent: Wednesday, June 20, 2007 7:52 PM
> >> > To: isapros@xxxxxxxxxxxxx
> >> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >> >
> >> > No.
> >> > Yes.
> >> > Maybe.
> >> >
> >> > The HTTPS protocol handles traffic destined for "port 443".  This
> >> > protocol definition is applied to SecureNAT and FWC traffic *only*.
> >> > CERN proxy client requests are handled by the Web Proxy Filter, which
> >> > natively understands HTTP and FTP as well as how to handle SSL tunnels
> >> > for HTTP.  It *does not* use the protocol HTTP/HTTPS definitions.
> >> > If you bind the Web Proxy Filter to a non-cleartext HTTP protocol or any
> >> > non-HTTP protocol, the Web Proxy filter will poop loudly in your
> >> > Cheerios.
> >> >
> >> > As far as your inability to "configure HTTP" in your web publishing
> >> > rules, I'd still like a TS to your machine. - something is very much
> >> > amiss.
> >> >
> >> > -----Original Message-----
> >> > From: isapros-bounce@xxxxxxxxxxxxx
> >> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> > On Behalf Of Thor (Hammer of God)
> >> > Sent: Wednesday, June 20, 2007 5:46 PM
> >> > To: isapros@xxxxxxxxxxxxx
> >> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >> >
> >> > Bottom line on this - tell me:
> >> >
> >> > If you have "Web Filter" bound to HTTPS, can you make outbound HTTPS
> >> > connections?
> >> >
> >> > That's really the whole question.  On the network we're seeing this on,
> >> > you cannot make outbound HTTPS connections if "Web Filter" is bound to
> >> > HTTPS.  Let's start off in a simple manner, and see if that point is
> >> > true or not in your config please...
> >> >
> >> > t
> >> >
> >> > ----- Original Message ----- 
> >> > From: Thomas W Shinder <mailto:tshinder@xxxxxxxxxxx>
> >> > To: isapros@xxxxxxxxxxxxx
> >> > Sent: Wednesday, June 20, 2007 5:41 PM
> >> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >> >
> >> > That should say:
> >> >
> >> > "When you unbind the Web Proxy Filter from the HTTP protocol......."
> >> >
> >> > whoops.
> >> >
> >> > Thomas W Shinder, M.D.
> >> > Site: www.isaserver.org
> >> > Blog: http://blogs.isaserver.org/shinder/
> >> > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
> >> > MVP -- Microsoft Firewalls (ISA)
> >> >
> >> >
> >> >
> >> >
> >> > ________________________________
> >> >
> >> > From: isapros-bounce@xxxxxxxxxxxxx
> >> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> >> > Sent: Wednesday, June 20, 2007 7:37 PM
> >> > To: isapros@xxxxxxxxxxxxx
> >> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >> >
> >> >
> >> > No, you need to configure the HTTP Security Filter, and
> >> > in order to configure the HTTP Security Filter, the Web Proxy Filter
> >> > must be enabled.
> >> >
> >> > It's always enabled for Web listeners
> >> >
> >> > It can be unbound from the HTTP protocol, in which case the
> >> > configuration interface for the HTTP Security Filter disappears, but your
> >> > configuration changes remain intact.
> >> >
> >> > When you unbind the Web proxy filter from the HTTPS
> >> > protocol, no Web caching or filtering is done for Firewall clients or
> >> > SecureNAT clients.
> >> >
> >> > Web proxy clients are always exposed to the Web proxy
> >> > filter, even if you unbind it from the HTTP protocol.
> >> >
> >> > How's that?
> >> >
> >> > Thomas W Shinder, M.D.
> >> > Site: www.isaserver.org <http://www.isaserver.org/>
> >> > Blog: http://blogs.isaserver.org/shinder/
> >> > Book: http://tinyurl.com/3xqb7
> >> > <http://tinyurl.com/3xqb7>
> >> > MVP -- Microsoft Firewalls (ISA)
> >> >
> >> >
> >> >
> >> >
> >> > ________________________________
> >> >
> >> > From: isapros-bounce@xxxxxxxxxxxxx
> >> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
> >> > Sent: Wednesday, June 20, 2007 5:06 PM
> >> > To: isapros@xxxxxxxxxxxxx
> >> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >> >
> >> >
> >> >
> >> > If you're just publishing OWA and an RPC proxy over HTTPS, isn't any
> >> > filter configuration automatically handled by ISA when running the
> >> > Publish Mail Server wizard?  As I understood it, ISA knows that stuff
> >> > inherently; no configuration necessary.
> >> >
> >> > Cordially yours,
> >> > Jerry G. Young II  ++ Sent from BlackBerry ++
> >> > Application Engineer
> >> > Platform Engineering and Architecture
> >> > NTT America, an NTT Communications Company
> >> >
> >> > 22451 Shaw Rd.
> >> > Sterling, VA 20166
> >> >
> >> > Office: 571-434-1319
> >> > Fax: 703-333-6749
> >> > Email: g.young@xxxxxxxx
> >> >
> >> >
> >> > -----Original Message-----
> >> > From: isapros-bounce@xxxxxxxxxxxxx
> >> > <isapros-bounce@xxxxxxxxxxxxx>
> >> > To: isapros@xxxxxxxxxxxxx
> >> > <isapros@xxxxxxxxxxxxx>
> >> > Sent: Wed Jun 20 17:52:18 2007
> >> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >> >
> >> > We're all pendants here ;)
> >> >
> >> > Here is my specific question then:
> >> >
> >> > I want to publish HTTPS ie OWA for RPC and HTTPS.  I obviously need to
> >> > configure the HTTP Filter properties.  If I have the Web Filter bound to
> >> > HTTPS (iow, selected in the available filters under the protocol config)
> >> > then ALL outbound HTTPS traffic breaks.  Therefore, one has to un-bind
> >> > the Web Filter from HTTPS for outbound to work (on this install).
> >> >
> >> > Ergo, since the Web Filter is not bound to the HTTPS protocol (in order
> >> > for outbound to work), there is no way to select "Configure HTTP" from
> >> > the properties of the web publishing rule.
> >> >
> >> > FromwhenthouNowThinketh, WTF is the deal on what properties of the filter
> >> > are applied?  See what I mean??
> >> >
> >> > t
> >> >
> >> > ----- Original Message -----
> >> > From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> >> > To: <isapros@xxxxxxxxxxxxx>
> >> > Sent: Wednesday, June 20, 2007 2:31 PM
> >> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >> >
> >> >
> >> > > Not to be pedantic, but the published traffic being handled by the web
> >> > > proxy isn't "HTTPS", it's "HTTP inside SSL" and ISA handles each layer
> >> > > separately.  By the time the web proxy is evaluating the HTTP traffic,
> >> > > SSL is no longer a factor and it gets treated just like "plain old" HTTP
> >> > > traffic.
> >> > >
> >> > > -----Original Message-----
> >> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> > > On Behalf Of Thor (Hammer of God)
> >> > > Sent: Wednesday, June 20, 2007 2:26 PM
> >> > > To: isapros@xxxxxxxxxxxxx
> >> > > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >> > >
> >> > > Then how do you configure the HTTP filtering on web pub rules if the Web
> >> > > Filter is not bound to HTTPS?
> >> > >
> >> > > t
> >> > > ----- Original Message -----
> >> > > From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> >> > > To: <isapros@xxxxxxxxxxxxx>
> >> > > Sent: Wednesday, June 20, 2007 2:24 PM
> >> > > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
> >> > >
> >> > >
> >> > >> Sorta..
> >> > >> if it's a web pub rule, then the web proxy is already involved and no
> >> > >> "protocol binding" is required.
> >> > >> If it's a server pub rule, then ISA is effectively blind to the traffic
> >> > >> anyway.
> >> > >>
> >> > >> -----Original Message-----
> >> > >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> > >> On Behalf Of Thor (Hammer of God)
> >> > >> Sent: Wednesday, June 20, 2007 2:05 PM
> >> > >> To: isapros@xxxxxxxxxxxxx
> >> > >> Subject: [isapros] Fw: Re: Web Filter with HTTPS
> >> > >>
> >> > >> OK, so you are saying that if I unbind the Web Filter from HTTPS, and
> >> > >> create a pub rule for HTTPS, then the filter will still be used for the
> >> > >> Pub rule?
> >> > >>
> >> > >> t
> >> > >>
> >> > >>
> >> > >> -----Original Message-----
> >> > >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> > >> On Behalf Of Jim Harrison
> >> > >> Sent: Wednesday, June 20, 2007 5:43 PM
> >> > >> To: isapros@xxxxxxxxxxxxx
> >> > >> Subject: [isapros] Re: Web Filter with HTTPS
> >> > >>
> >> > >> The web filter is the part that expects to watch the HTTP traffic as it
> >> > >> flows through ISA.
> >> > >> With the exception of web publishing, HTTPS traffic is effectively
> >> > >> invisible to ISA and therefore any policies enacted via the web filter
> >> > >> (think HTTP Filter, too) cannot be applied and ISA will default to "when
> >> > >> in doubt, trash it" mode.
> >> > >>
> >> > >> -----Original Message-----
> >> > >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
> >> > >> On Behalf Of Thor (Hammer of God)
> >> > >> Sent: Wednesday, June 20, 2007 1:15 PM
> >> > >> To: isapros@xxxxxxxxxxxxx
> >> > >> Subject: [isapros] Web Filter with HTTPS
> >> > >>
> >> > >> Just a sanity check here... why would all HTTPS traffic fail if the Web
> >> > >> Filter was bound to the HTTPS protocol?
> >> > >>
> >> > >> t
> >> > >>
> >> > >> All mail to and from this domain is GFI-scanned.