I just had to kick the perms!

t

----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Thursday, June 21, 2007 7:47 AM
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS

Nope, no kicks. You asked a good question, followed up on answers, and came to a conclusion by asking follow up questions that helped hone down to the problem.

Now, if you had said "ISA broke my Internet" that would be another matter ;)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
Sent: Thursday, June 21, 2007 9:25 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS

What, no kicks in the groin? I was sure that I'd at least take one in the lads from Stevo.... ;)

t

----- Original Message -----
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
To: <isapros@xxxxxxxxxxxxx>
Sent: Wednesday, June 20, 2007 7:15 PM
Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS

> I was totally wrong about the entire thing...
>
> In the config I was working on, HTTP was un-bound from the Web Filter. I apparently got crossed up in my testing with it being on or off, and I screwed myself.
>
> Binding of the Web Filter to HTTPS has no effect on the ability to "Configure HTTP." Only binding of the Web Filter to HTTP does.
>
> I very much appreciate everyone's patience in working through this, otherwise I would have just assumed there was some Voodoo going on and blame everyone by myself.
>
> All that being said, you shouldn't be able to bind the Web Filter to HTTPS, or if you do, it shouldn't break things knowing what we know ;)
>
> Thanks guys.
> t
>
> ----- Original Message -----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: <isapros@xxxxxxxxxxxxx>
> Sent: Wednesday, June 20, 2007 6:07 PM
> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>
> Remember that the *type* of rule is important.
>
> Access Rules -- Web Proxy filter unbound from HTTP, then no HTTP Security Filter configuration
>
> Web Publishing Rules -- Web Proxy filter unbound from HTTP, then no HTTP Security Filter configuration
>
> Web Publishing Rules apply the settings in the HTTP Security Filter because ISA has access to the unencrypted HTTP since the SSL connection terminates at the ISA firewall
>
> Access Rules do not use the Web Proxy filter or the HTTP Security Filter, since the SSL connection doesn't terminate at the ISA Firewall for outbound connections.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>> Sent: Wednesday, June 20, 2007 8:03 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>>
>> That's what I was on about...
>>
>> However, things have changed now. I can indeed configure HTTP on a HTTPS rule even though HTTPS had "Web Filter" disabled. However, I can't if HTTP has "Web Filter" unbound. Both Steve and I saw this, but I'm not going to blame ISA voodoo for that: I guess we still had HTTP unbound- but I would swear we didn't. I'll take one for the home team on that one.
>>
>> I'm going to have to write up a check-list and go through again before I continue on here.
>>
>> t
>>
>> ----- Original Message -----
>> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
>> To: <isapros@xxxxxxxxxxxxx>
>> Sent: Wednesday, June 20, 2007 5:55 PM
>> Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>>
>> Hey Jim,
>>
>> Actually, if you unbind the Web Proxy Filter from the HTTP protocol, the HTTP Security Filter configuration option goes away. I reported this bug when ISA 2004 was in early beta. Never got fixed.
>>
>> Thomas W Shinder, M.D.
>> Site: www.isaserver.org
>> Blog: http://blogs.isaserver.org/shinder/
>> Book: http://tinyurl.com/3xqb7
>> MVP -- Microsoft Firewalls (ISA)
>>
>> > -----Original Message-----
>> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>> > Sent: Wednesday, June 20, 2007 7:52 PM
>> > To: isapros@xxxxxxxxxxxxx
>> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>> >
>> > No.
>> > Yes.
>> > Maybe.
>> >
>> > The HTTPS protocol handles traffic destined for "port 443". This protocol definition is applied to SecureNAT and FWC traffic *only*.
>> > CERN proxy client requests are handled by the Web Proxy Filter, which natively understands HTTP and FTP as well as how to handle SSL tunnels for HTTP. It *does not* use the protocol HTTP/HTTPS definitions.
>> > If you bind the Web Proxy Filter to a non-cleartext HTTP protocol or any non-HTTP protocol, the Web Proxy filter will poop loudly in your Cheerios.
>> >
>> > As far as your inability to "configure HTTP" in your web publishing rules, I'd still like a TS to your machine. - something is very much amiss.
>> >
>> > -----Original Message-----
>> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>> > Sent: Wednesday, June 20, 2007 5:46 PM
>> > To: isapros@xxxxxxxxxxxxx
>> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>> >
>> > Bottom line on this - tell me:
>> >
>> > If you have "Web Filter" bound to HTTPS, can you make outbound HTTPS connections?
>> >
>> > That's really the whole question. On the network we're seeing this on, you cannot make outbound HTTPS connections if "Web Filter" is bound to HTTPS. Let's start off in a simple manner, and see if that point is true or not in your config please...
>> >
>> > t
>> >
>> > ----- Original Message -----
>> > From: Thomas W Shinder <mailto:tshinder@xxxxxxxxxxx>
>> > To: isapros@xxxxxxxxxxxxx
>> > Sent: Wednesday, June 20, 2007 5:41 PM
>> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>> >
>> > That should say:
>> >
>> > "When you unbind the Web Proxy Filter from the HTTP protocol......."
>> >
>> > whoops.
>> >
>> > Thomas W Shinder, M.D.
>> > Site: www.isaserver.org
>> > Blog: http://blogs.isaserver.org/shinder/
>> > Book: http://tinyurl.com/3xqb7
>> > MVP -- Microsoft Firewalls (ISA)
>> >
>> > ________________________________
>> >
>> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
>> > Sent: Wednesday, June 20, 2007 7:37 PM
>> > To: isapros@xxxxxxxxxxxxx
>> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>> >
>> > No, you need to configure the HTTP Security Filter, and in order to configure the HTTP Security Filter, the Web Proxy Filter must be enabled.
>> >
>> > It's always enabled for Web listeners
>> >
>> > It can be unbound from the HTTP protocol, in which case the configuration interface for the HTTP Security Filter disappears, but your configuration changes remain intact.
>> >
>> > When you unbind the Web proxy filter from the HTTPS protocol, no Web caching or filtering is done for Firewall clients or SecureNAT clients.
>> >
>> > Web proxy clients are always exposed to the Web proxy filter, even if you unbind it from the HTTP protocol.
>> >
>> > How's that?
>> >
>> > Thomas W Shinder, M.D.
>> > Site: www.isaserver.org
>> > Blog: http://blogs.isaserver.org/shinder/
>> > Book: http://tinyurl.com/3xqb7
>> > MVP -- Microsoft Firewalls (ISA)
>> >
>> > ________________________________
>> >
>> > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Gerald G. Young
>> > Sent: Wednesday, June 20, 2007 5:06 PM
>> > To: isapros@xxxxxxxxxxxxx
>> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>> >
>> > If you're just publishing OWA and an RPC proxy over HTTPS, isn't any filter configuration automatically handled by ISA when running the Publish Mail Server wizard? As I understood it, ISA knows that stuff inherently; no configuration necessary.
>> >
>> > Cordially yours,
>> > Jerry G. Young II ++ Sent from BlackBerry ++
>> > Application Engineer
>> > Platform Engineering and Architecture
>> > NTT America, an NTT Communications Company
>> >
>> > 22451 Shaw Rd.
>> > Sterling, VA 20166
>> >
>> > Office: 571-434-1319
>> > Fax: 703-333-6749
>> > Email: g.young@xxxxxxxx
>> >
>> > -----Original Message-----
>> > From: isapros-bounce@xxxxxxxxxxxxx <isapros-bounce@xxxxxxxxxxxxx>
>> > To: isapros@xxxxxxxxxxxxx <isapros@xxxxxxxxxxxxx>
>> > Sent: Wed Jun 20 17:52:18 2007
>> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>> >
>> > We're all pendants here ;)
>> >
>> > Here is my specific question then:
>> >
>> > I want to publish HTTPS ie OWA for RPC and HTTPS. I obviously need to configure the HTTP Filter properties. If I have the Web Filter bound to HTTPS (iow, selected in the available filters under the protocol config) then ALL outbound HTTPS traffic breaks. Therefore, one has to un-bind the Web Filter from HTTPS for outbound to work (on this install).
>> >
>> > Ergo, since the Web Filter is not bound to the HTTPS protocol (in order for outbound to work), there is no way to select "Configure HTTP" from the properties of the web publishing rule.
>> >
>> > FromwhenthouNowThinketh, WTF is the deal on what properties of the filter are applied? See what I mean??
>> >
>> > t
>> >
>> > ----- Original Message -----
>> > From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
>> > To: <isapros@xxxxxxxxxxxxx>
>> > Sent: Wednesday, June 20, 2007 2:31 PM
>> > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>> >
>> > > Not to be pedantic, but the published traffic being handled by the web proxy isn't "HTTPS", it's "HTTP inside SSL" and ISA handles each layer separately. By the time the web proxy is evaluating the HTTP traffic, SSL is no longer a factor and it gets treated just like "plain old" HTTP traffic.
>> > >
>> > > -----Original Message-----
>> > > From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>> > > Sent: Wednesday, June 20, 2007 2:26 PM
>> > > To: isapros@xxxxxxxxxxxxx
>> > > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>> > >
>> > > Then how do you configure the HTTP filtering on web pub rules if the Web Filter is not bound to HTTPS?
>> > >
>> > > t
>> > > ----- Original Message -----
>> > > From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
>> > > To: <isapros@xxxxxxxxxxxxx>
>> > > Sent: Wednesday, June 20, 2007 2:24 PM
>> > > Subject: [isapros] Re: Fw: Re: Web Filter with HTTPS
>> > >
>> > >> Sorta..
>> > >> if it's a web pub rule, then the web proxy is already involved and no "protocol binding" is required.
>> > >> If it's a server pub rule, then ISA is effectively blind to the traffic anyway.
>> > >>
>> > >> -----Original Message-----
>> > >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>> > >> Sent: Wednesday, June 20, 2007 2:05 PM
>> > >> To: isapros@xxxxxxxxxxxxx
>> > >> Subject: [isapros] Fw: Re: Web Filter with HTTPS
>> > >>
>> > >> OK, so you are saying that if I unbind the Web Filter from HTTPS, and create a pub rule for HTTPS, then the filter will still be used for the Pub rule?
>> > >>
>> > >> t
>> > >>
>> > >> -----Original Message-----
>> > >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>> > >> Sent: Wednesday, June 20, 2007 5:43 PM
>> > >> To: isapros@xxxxxxxxxxxxx
>> > >> Subject: [isapros] Re: Web Filter with HTTPS
>> > >>
>> > >> The web filter is the part that expects to watch the HTTP traffic as it flows through ISA.
>> > >> With the exception of web publishing, HTTPS traffic is effectively invisible to ISA and therefore any policies enacted via the web filter (think HTTP Filter, too) cannot be applied and ISA will default to "when in doubt, trash it" mode.
>> > >>
>> > >> -----Original Message-----
>> > >> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
>> > >> Sent: Wednesday, June 20, 2007 1:15 PM
>> > >> To: isapros@xxxxxxxxxxxxx
>> > >> Subject: [isapros] Web Filter with HTTPS
>> > >>
>> > >> Just a sanity check here... why would all HTTPS traffic fail if the Web Filter was bound to the HTTPS protocol?
>> > >>
>> > >> t
>> > >>
>> > >> All mail to and from this domain is GFI-scanned.