Re: ISA configuration question


From: Ben Winzenz [Exchange MVP] (ben_winzenz_at_NOSPAMdotmessageonedotcom)
Date: 09/20/04


Date: Mon, 20 Sep 2004 09:27:34 -0500

Here's the info that I got that led up to this question. Taken from:
http://www.microsoft.com/resources/documentation/isa/2000/enterprise/proddocs/en-us/isadocs/cmt_sslauth.mspx
In most cases, when an internal client uses HTTPS to request an object from
a server on the Internet, the ISA Server uses SSL tunneling to establish the
connection.

For clients that support secure communication directly with ISA Server, you
can configure routing rules to enable SSL bridging, instead. In this case,
the client uses HTTP or HTTPS to request an object from an external Web
server (on the Internet), connecting to the ISA Server on port 8080 or port
443, respectively (or whichever port is configured to listen for TCP and SSL
requests). A routing rule, which applies to the specified destination
server, specifies that the request should be redirected as an SSL request.

So I guess my question is, how do I configure a client to support secure
communication directly with the ISA server? Would I need to set up a
certificate on the ISA server?

-- 
Ben Winzenz
Exchange MVP
"Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> wrote 
in message news:u1aHEYxnEHA.2764@TK2MSFTNGP11.phx.gbl...
> Thanks for responding.
>
> I'm referring to web proxy requests.  Internal client requests web content 
> from an external SSL website.  Is there a way to force ISA to bridge web 
> proxy connections, or is that not possible?  I don't want ISA to have the 
> content available, but I do want to have ISA inspect the contents of the 
> traffic.  From what I understand about ISA tunneling, once ISA initiates 
> the tunnel, the traffic basically goes directly from the client to the 
> external web server.  I've got a customer that is concerned about certain 
> file types, and blocks access to those file types for normal web browsing 
> for certain clients.  They would like to be able to block access to those 
> file types for SSL connections as well.  That is the reason for asking. 
> Again, thanks for responding.
> -- 
> Ben Winzenz
> Exchange MVP
>
>
> "Jim Harrison [MSFT]" <jmharr@online.microsoft.com> wrote in message 
> news:%23qSpi1SnEHA.3480@TK2MSFTNGP09.phx.gbl...
>> Are you talking about web published content (inbound requests to internal 
>> servers) or web proxy requests (outbound to external
>> servers)?
>> Web published content is indeed available for ISA perusal, but outbound 
>> requests are not.
>> ISA bridges web published traffic, but it tunnels web proxy SSL 
>> connections.
>> -- 
>> Jim Harrison [ISASE]
>> Read the help, books and articles!
>>
>> This posting is provided "AS IS" with no warranties, and confers no 
>> rights.
>>
>>
>> "Ben Winzenz [Exchange MVP]" <ben_winzenz@NOSPAMdotmessageonedotcom> 
>> wrote in message news:OjW97iBnEHA.2948@TK2MSFTNGP11.phx.gbl...
>> I've got the following configuration.
>>
>> ISA server as proxy/firewall.  All external content is blocked except for 
>> sites that I choose.  Clients are configured with ISA as
>> the proxy in IE.  In ISA, I have set up a routing connection and applied 
>> it to only a specific destination set.  The destination set
>> is an IP range for an SSL website.  Action is set to retrieve the request 
>> directly from the specified destination.  Bridging is set
>> up to redirect HTTP requests as SSL requests, and SSL requests as SSL 
>> requests.  It is also set up to require 128-bit SSL (although
>> I've tried it unchecked as well).  I have also set up a protocol rule to 
>> allow HTTPS requests from a specific internal client set.
>> Some of the resources I have checked indicate that with this setup, ISA 
>> *should* still be able to inspect the content of the web
>> traffic because the client SSL request is being forwarded as a new SSL 
>> request from the ISA server.  In other words, it is not
>> tunneling the SSL request, rather bridging it.  What I need to find out 
>> are 2 things.
>>
>> 1.  Does this in fact allow ISA to still inspect the contents of the 
>> traffic?
>> 2.  If so, how can I prove that ISA is inspecting the traffic?
>>
>> If there are ANY other details you need about the ISA config, let me 
>> know.
>>
>> -- 
>> Ben Winzenz
>> Exchange MVP


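An added example, not from this thread or from Microsoft's ISA documentation: it shows how a defender can tell from the client side whether an outbound SSL request was tunnelled (CONNECT, proxy sees only ciphertext) or bridged (proxy terminates TLS and opens its own SSL connection, so it can inspect), and how the certificate the client validated serves as the proof asked for in question 2. The host names, the proxy listener CN and the 8080/443 port convention are assumptions.

```python
# Added example (not from the thread or from Microsoft): classify a client's
# request to a web proxy as SSL tunnelling or SSL bridging, and use the
# certificate the client ended up validating as evidence of which happened.
from dataclasses import dataclass
from typing import Optional

TUNNEL, BRIDGE, UNKNOWN = "tunnel", "bridge", "unknown"

@dataclass
class ClientView:
    request_line: str            # first request line the client sent to the proxy
    proxy_port: int              # proxy port the client connected to (assumed 8080 / 443)
    tls_to_proxy: bool           # client negotiated TLS with the proxy itself
    cert_cn_seen: Optional[str]  # CN of the server certificate the client validated

def classify_request(view: ClientView) -> str:
    """Decide from the request shape alone whether the proxy can see the payload."""
    parts = view.request_line.split()
    if len(parts) < 2:
        return UNKNOWN
    method, target = parts[0].upper(), parts[1].lower()
    if method == "CONNECT":
        # CONNECT asks for a raw TCP relay: TLS runs end-to-end and the proxy
        # only forwards ciphertext, so no content inspection is possible.
        return TUNNEL
    if target.startswith(("http://", "https://")):
        # An absolute-URI request to the proxy listener is an ordinary proxy
        # fetch; the proxy opens its own (possibly SSL) connection to the origin
        # and can inspect the content. This is the bridging case in the ISA docs.
        return BRIDGE
    return UNKNOWN

def inspection_evidence(view: ClientView, proxy_cert_cn: str, origin_cn: str) -> str:
    """Use the certificate the client validated as proof of who terminated TLS."""
    if view.cert_cn_seen is None:
        # No TLS on the client leg: plaintext HTTP to port 8080, and only the
        # proxy talks SSL to the origin, so it necessarily sees everything.
        return BRIDGE if not view.tls_to_proxy else UNKNOWN
    if view.cert_cn_seen == proxy_cert_cn:
        return BRIDGE   # client trusted the proxy's own cert: proxy terminated TLS
    if view.cert_cn_seen == origin_cn:
        return TUNNEL   # client saw the origin's cert: untouched end-to-end TLS
    return UNKNOWN

# Constructed sample views (not captured from a real ISA deployment)
SAMPLES = [
    ClientView("CONNECT secure.example.com:443 HTTP/1.1", 8080, False, "secure.example.com"),
    ClientView("GET http://secure.example.com/report.exe HTTP/1.1", 8080, False, None),
    ClientView("GET https://secure.example.com/report.exe HTTP/1.1", 443, True, "isa.corp.example"),
]

def audit(views, proxy_cert_cn="isa.corp.example", origin_cn="secure.example.com"):
    """Return (request_class, evidence_class, consistent) for each client view."""
    return [(classify_request(v), inspection_evidence(v, proxy_cert_cn, origin_cn),
             classify_request(v) == inspection_evidence(v, proxy_cert_cn, origin_cn))
            for v in views]
```

Only the second and third samples give the proxy a chance to apply file-type blocking; a browser that sends CONNECT for https:// URLs produces the first shape, which is the tunnelled case Jim describes.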