Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

128bit site access with ISA standard

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 General] >> General >> 128bit site access with ISA standard Page: [1]
Login
Message << Older Topic   Newer Topic >>
128bit site access with ISA standard - 9.Feb.2001 10:52:00 PM   
Nwimbush

 

Posts: 25
Joined: 28.Jan.2001
From: Toronto, Ontario, Canada
Status: offline 		OK,

Ihave loaded both integrated and web cache only modes with the same problem - I can't accss 128 bit sites without the "allow all" rule activated. As soon as I try to limit site access to a destination set, i GET THE ERROR "PAGE CANNOT BE DISPLAYED".

I have tried several different configs, including the high encryption pack, server cerficate, and upgrading schannel.dll

I have recommended we roll back to the Beta3 version, as it supposedly works (before my time)for Monday.

Does this work? Any suggestions? Need help.

Nigel Wimbush
BSc, CNE, MCSE, Certified Interprovincial Communications Electrician (Local 353) Systems Engineer under contract to CIBC, Toronto, Canada.

Post #: 1
RE: 128bit site access with ISA standard - 10.Feb.2001 10:18:00 AM   
tshinder

 

Posts: 47644
Joined: 10.Jan.2001
From: Texas
Status: offline 		Nigel,

Hmmm. You're saying that ISA Server won't tunnel requests to 128 bit sites? That is a new one. I haven't run into this, but would be very interested in anyone else that's run into this problem.

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/


(in reply to Nwimbush)
Post #: 2
RE: 128bit site access with ISA standard - 13.Feb.2001 6:17:00 AM   
Nwimbush

 

Posts: 25
Joined: 28.Jan.2001
From: Toronto, Ontario, Canada
Status: offline 		I now have two identical Proliant 5500R's, both running Standard Edition, one in Integrated mode, the other in Web Cache only, and neither can access 128 bit sites without the "Allow All" enabled.

I have tried combinations of bridging settings. I ahve tried different authentication settings. One server has the high encryption pack, the other doesn't. I have tried IP routing on and off, on both servers. I have tried reapplying W2k SP1, and running the encinst command to update Crypt32.dll and Schannel.dll - no change.

Tom, have you had a chance to look at this?

Nigel Wimbush


(in reply to Nwimbush)
Post #: 3
RE: 128bit site access with ISA standard - 13.Feb.2001 8:52:00 AM   
Nwimbush

 

Posts: 25
Joined: 28.Jan.2001
From: Toronto, Ontario, Canada
Status: offline 		Beta 3 works fine. I'll try RC1 next.

Nigel


(in reply to Nwimbush)
Post #: 4
RE: 128bit site access with ISA standard - 13.Feb.2001 9:15:00 AM   
tshinder

 

Posts: 47644
Joined: 10.Jan.2001
From: Texas
Status: offline 		Sounds like the problem is with bridging, and not with tunneling, so the ISA Server itself cannot seem to create a new 128 bit connection to the destination. Right?

I have heard that there is a certificate related hotfix for the final release that *might* fix these problem. Its not on the MS site yet, but it does fix problems with the final version, where there was no problem with the pre-release versions.

I'll have to test this out and see if I can replicate the problems.

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/


(in reply to Nwimbush)
Post #: 5
RE: 128bit site access with ISA standard - 13.Feb.2001 5:20:00 PM   
Nwimbush

 

Posts: 25
Joined: 28.Jan.2001
From: Toronto, Ontario, Canada
Status: offline 		RC1 Enterprise edition works almost as well as the Beta 3 version - the popup login appears for sites not in the dest set. This did not occur with Beta3 Enterprise.


I'm going to try to find the Standard edition of RC1 tonite through MSDN, but for now, we have a solution to the 128 bit no-access.

I'll let you know if I'm successful with a) finding Standard edition RC1 b) if it works as well as the Enterprise edition with SSL.

The bank wants a fully redundant fault tolerant solution at a reasonable price - hence two sites each with 2 Standard edition servers clustered using W2k Network Load Balancing. We'll then Round Robin the 2 sites.

Nigel Wimbush


(in reply to Nwimbush)
Post #: 6
RE: 128bit site access with ISA standard - 13.Feb.2001 6:22:00 PM   
Nwimbush

 

Posts: 25
Joined: 28.Jan.2001
From: Toronto, Ontario, Canada
Status: offline 		No luck finding Standard Edition RC1 thru MSDN, and yes, we have a subscription. If you can provide details of either the hotfix or the location I might be able to grab the Standard Edition RC1, it would help.

I'm currently downloading 243mb of Enterprise edition??? What is that all about? Perhaps its 220mb of hotfix + ISA...

Nigel Wimbush


(in reply to Nwimbush)
Post #: 7
RE: 128bit site access with ISA standard - 14.Feb.2001 1:03:00 AM   
tshinder

 

Posts: 47644
Joined: 10.Jan.2001
From: Texas
Status: offline 		There are some issues with SSL that appeared in the final version that seemed to have worked OK in pre-release versions. The fix is not up on the site yet, but should be coming down the pike soon.

Soon as it goes up, we'll post it to the fixes link on the front page of this site.

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/


(in reply to Nwimbush)
Post #: 8
RE: 128bit site access with ISA standard - 19.Feb.2001 3:10:00 PM   
Nwimbush

 

Posts: 25
Joined: 28.Jan.2001
From: Toronto, Ontario, Canada
Status: offline 		Tom,

Any word on the hotfix, yet?

I have been playing phone tag with Suzanne Nostrand, Product Manager
Internet Security and Acceleration (ISA) Server 2000
e-mail - suzannen@microsoft.com
phone - (425) 706-4697

and hope to have some resolve soon.

Nigel Wimbush
CIBC, Toronto, Canada


(in reply to Nwimbush)
Post #: 9
RE: 128bit site access with ISA standard - 19.Feb.2001 9:47:00 PM   
Guest
 I'm having similar problems with Access Policies (I think). If Access policies are set to "ANY REQUEST" I will be able to view SSL 128-bit, however, as soon as I restrict to User and Groups, I can no longer access SSL. Have 2nd checked users and groups were correct.

I'm hopping this is a MS error and not configuration on my side....


(in reply to Nwimbush)
  Post #: 10
RE: 128bit site access with ISA standard - 20.Feb.2001 8:05:00 AM   
tshinder

 

Posts: 47644
Joined: 10.Jan.2001
From: Texas
Status: offline 		I check the MSDN site everyday for this, but no hotfix in site. I still look everyday though, and we'll post it in the "fixes" section on isaserver.org when it comes out.

Tom

quote:
Originally posted by Nwimbush:
Tom,

Any word on the hotfix, yet?

I have been playing phone tag with Suzanne Nostrand, Product Manager
Internet Security and Acceleration (ISA) Server 2000
e-mail - suzannen@microsoft.com
phone - (425) 706-4697

and hope to have some resolve soon.

Nigel Wimbush
CIBC, Toronto, Canada


(in reply to Nwimbush)
Post #: 11
RE: 128bit site access with ISA standard - 26.Feb.2001 4:26:00 PM   
Guest
 Any word on this?

Thanks,

Jeremey


(in reply to Nwimbush)
  Post #: 12
RE: 128bit site access with ISA standard - 26.Feb.2001 6:16:00 PM   
tshinder

 

Posts: 47644
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Jeremey,

Still not posted, but still looking!

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/


(in reply to Nwimbush)
Post #: 13
RE: 128bit site access with ISA standard - 8.Mar.2001 4:33:00 AM   
Nwimbush

 

Posts: 25
Joined: 28.Jan.2001
From: Toronto, Ontario, Canada
Status: offline 		Have you heard of the fix yet? I have had no reply from Suzanne @ Microsoft...

Nigel Wimbush


(in reply to Nwimbush)
Post #: 14
RE: 128bit site access with ISA standard - 9.Mar.2001 10:40:00 AM   
tshinder

 

Posts: 47644
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Nigel,

No word on its release, but I believe a number of fixes are in the process of final testing so hopefully they'll be out on the MS site soon.

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/


(in reply to Nwimbush)
Post #: 15
RE: 128bit site access with ISA standard - 27.Mar.2001 5:55:00 PM   
Nwimbush

 

Posts: 25
Joined: 28.Jan.2001
From: Toronto, Ontario, Canada
Status: offline 		Tom,

Any new hotfixes out yet?

Nigel


(in reply to Nwimbush)
Post #: 16
RE: 128bit site access with ISA standard - 28.Mar.2001 10:57:00 AM   
tshinder

 

Posts: 47644
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Nigel,

There is isahf56.exe and isafh55.exe. The first one handles the following:

Q285812, 'Unable to configure or use SMTP filter when the decimal symbol'
Q292010, 'High memory consumption by SMTP message screener under stress'
Q292013, 'Unregistered fltrsnk1.dll still loads with inetinfo.exe'
Q292014, 'SMTP filter storage corrupted after deleting attachment'

The second one handles some problems with the QoS settings.

Nothing out on security yet.

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/


(in reply to Nwimbush)
Post #: 17

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 General] >> General >> 128bit site access with ISA standard Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts