Re: ISA 2004 Server Errors

From: Phillip Windell (_at_.)
Date: 01/27/05


Date: Thu, 27 Jan 2005 16:28:10 -0600

Can a user actually get to and functionally use an HTTPS site? If they can,
don't worry about it. I'm guessing that it is possible that ISA may filter
certain things out of a header for security reasons but still allow the
connection to function. A similar process happens all the time with SMTP
headers, yet the message still goes through.

As a note, proxy servers do not "process" the SSL connection the way they do
regular HTTP. Here is a link to an article on that with the relevant
paragraph quoted below:

Tunneling SSL Through a WWW Proxy
http://muffin.doit.org/docs/rfc/tunneling_ssl.html
---------quote------------
Security Considerations
CONNECT is really a lower-level function than the rest of the HTTP methods,
kind of an escape mechanism for saying that the proxy should not interfere
with the transaction, but merely forward the data. This is because the proxy
should not need to know the entire URI that is being accessed (privacy,
security), only the information that it explicitly needs (hostname and port
number). Due to this fact, the proxy cannot verify that the protocol being
spoken is really SSL, and so the proxy configuration should explicitly limit
allowed connections to well-known SSL ports (such as 443 for HTTPS, 563 for
SNEWS, as assigned by the Internet Assigned Numbers Authority).
-------end quote----------

Other articles that are related:

SSL Tunneling; Informational RFC (pretty much the same article as above)
http://lists.w3.org/Archives/Public/ietf-http-wg-old/1997SepDec/0142.html

184028 - Error Message: 12204 SSL Port Specified Is Not Allowed
http://support.microsoft.com/default.aspx?scid=kb;en-us;184028

283284 - Blank Page or Page Cannot Be Displayed When You View SSL Sites
Through ISA Server
http://support.microsoft.com/default.aspx?scid=kb;en-us;283284

-- 
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
<bsockel@omniamerican.org> wrote in message
news:1106844022.410176.270320@f14g2000cwb.googlegroups.com...
> I have recently installed ISA Server 2004 in our network.  It is set up
> with a single leg Cache only system.
>
> I have set up my rules and I am able to get out to the internet using
> this as my proxy.  Currently we only have a select group of users using
> the ISA server as a proxy.
>
> I am noticing in the logfile that we are getting a lot of Failed
> connection Attempts, and a good amount of these revolve around SSL
> Connections to the internet sites.  I have been unable to determine
> what is causing this and if this will be a major issue once we push the
> configuration out to all of our users.
>
> The errors that I am seeing are listed below:
> HTTP Status Code 995
> Error Information: 0x88
>
> Thanks
> Bryan
>
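
The port restriction described in the quoted Security Considerations paragraph, as an added example that is not part of the original post and is not ISA Server's own code: a Python check a proxy could apply to the first line of a CONNECT request before opening the tunnel. The function name, the sample hosts and the sample request lines are constructed for illustration.

```python
# Added example, not ISA Server code: port allowlist check for HTTP CONNECT.
import re

# Well-known SSL ports named in the quoted text: 443 (HTTPS) and 563 (SNEWS).
ALLOWED_SSL_PORTS = frozenset({443, 563})

# CONNECT uses authority-form: "CONNECT host:port HTTP/1.x". Host may be a
# name, an IPv4 address, or a bracketed IPv6 literal.
_REQUEST_LINE = re.compile(
    r"^CONNECT (?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)"
    r":(?P<port>[0-9]{1,5}) HTTP/1\.[01]$"
)


def check_connect(request_line, allowed_ports=ALLOWED_SSL_PORTS):
    """Return (allowed, reason) for the first line of a proxy request."""
    line = request_line.rstrip("\r\n")
    if not line.startswith("CONNECT "):
        return False, "not a CONNECT request"
    match = _REQUEST_LINE.match(line)
    if match is None:
        # Missing port, embedded whitespace, a path component, and so on.
        return False, "malformed CONNECT target"
    port = int(match.group("port"))
    if not 1 <= port <= 65535:
        return False, "port out of range"
    if port not in allowed_ports:
        # After CONNECT the proxy only forwards bytes and cannot confirm the
        # tunnel carries SSL, so the port is the one thing it can check.
        return False, "port %d not in allowed SSL ports" % port
    return True, "tunnel to %s:%d permitted" % (match.group("host"), port)


# Constructed sample request lines (not taken from any real log).
SAMPLES = [
    "CONNECT www.example.com:443 HTTP/1.0\r\n",
    "CONNECT news.example.com:563 HTTP/1.1\r\n",
    "CONNECT mail.example.com:25 HTTP/1.1\r\n",
    "CONNECT www.example.com HTTP/1.1\r\n",
    "CONNECT [2001:db8::1]:443 HTTP/1.1\r\n",
    "GET http://www.example.com/ HTTP/1.1\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.strip(), "->", check_connect(sample))
```

Passing a different `allowed_ports` set models a proxy whose administrator has explicitly added a non-standard SSL port.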

