Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
Java being blocked by ISA 2006
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
Java being blocked by ISA 2006 - 1.Aug.2008 5:35:48 AM
|
|
|
ahassim
Posts: 19
Joined: 10.Jun.2008
Status: offline
|
Hi,
I seem to be having a problem accessing all internal and external websites and applications that use Java.
If I disable my proxy settings within Internet Explorer, the page loads fine but get the Java Applet failed when the proxy is enabled.
I have also tried adding these websites and IP ranges to the proxy exclusions but this does not help either.
Can anyone assist me in this matter?
Regards,
Aadil
|
|
|
|
|
RE: Java being blocked by ISA 2006 - 1.Aug.2008 9:03:28 AM
|
|
|
paulo.oliveira
Posts: 838
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: online
|
Hi,
most of java applets doesn´t support authentication.
Create another rule above your internet rule allowing anonymous access to these particulars web sites.
Regards,
Paulo Oliveira.
|
|
|
|
|
RE: Java being blocked by ISA 2006 - 2.Aug.2008 10:02:11 AM
|
|
|
ahassim
Posts: 19
Joined: 10.Jun.2008
Status: offline
|
Hi Paulo,
Thank you for your response.
I've read about the workaround you mentioned below on the Microsoft ISA 2006 support website but was hoping there is an alternate way of doing this. Can it not be done by allowing the Java file extensions (.jav, .java, etc.) instead of having to define each site that requires a direct connection to allow Java?
Regards,
Aadil
|
|
|
|
|
RE: Java being blocked by ISA 2006 - 5.Aug.2008 2:24:04 PM
|
|
|
ahassim
Posts: 19
Joined: 10.Jun.2008
Status: offline
|
Hi Paulo,
I definitely will try application/x-javascript - will let you know shortly if this works or not.
I have already tried the following:
text/x-java-source
text/java
text/x-java
application/ms-java
.jar, .jav, .java, .aspx
I retrieved some of the above information from http://filext.com/file-extension/JAVA.
Regards,
Aadil
|
|
|
|
|
RE: Java being blocked by ISA 2006 - 11.Aug.2008 9:31:19 AM
|
|
|
ahassim
Posts: 19
Joined: 10.Jun.2008
Status: offline
|
Hi Paulo,
I have managed to create a Java content type that allows access to Java content. This eliminates the need to create an anonymous access rule and I feel is more secure as anonymous access defeats the purpose of have ISA in place.
I have included the following in the content type:
text/javascript
.js
Hope this helps.
Regards,
Aadil
|
|
|
|
|
RE: Java being blocked by ISA 2006 - 11.Aug.2008 12:10:29 PM
|
|
|
pwindell
Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
|
Same problem as with Windows Media Player.
The problem is the Java JRE,..it cannot authenticate properly.
1. Undo everything you did so far and put tghings back the way they belong.
2. Set the JRE to not use a proxy. Use the "Java" icon in Control Panel. This is a "per user" thing,..so it must be repeated by every user who uses the same machine. There is no "global" setting.
3. Have the Firewall Client installed on the machine to handle authentication.
_____________________________
Phillip Windell
www.wandtv.com
|
|
|
|
|
RE: Java being blocked by ISA 2006 - 11.Aug.2008 3:27:49 PM
|
|
|
paulo.oliveira
Posts: 838
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: online
|
Hi Aadil,
glad you make it! Thanks for sharing with us!
@Phillip,
in my opinion the Aadil solution is better. Like you said, you have to configure for each user...
Regards,
Paulo Oliveira.
|
|
|
|
|
RE: Java being blocked by ISA 2006 - 11.Aug.2008 3:38:42 PM
|
|
|
pwindell
Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
|
Doesn't the Content/Type require an anonymous Access Rule for that particular Content/Type?
_____________________________
Phillip Windell
www.wandtv.com
|
|
|
|
|
RE: Java being blocked by ISA 2006 - 11.Aug.2008 4:28:23 PM
|
|
|
ahassim
Posts: 19
Joined: 10.Jun.2008
Status: offline
|
Hi Phillip,
I decided to first try add the Java content inspection on the existing with (with AD integrated authentication) - most sites now work. I am still inspecting the content type of the sites that do not work and will add them in as I find them.
I prefer this method as I do not need to go around and install the firewall client or make changes to Java configuration on user machines. This will be too big a task to carry out to 2000 users.
Also, by setting Java to anonymous access, a rule will still need to be created to allow anonymous access to these websites. This defeats the purpose of URL filtering and these sites are now open to everybody.
Regards,
Aadil
|
|
|
|
|
RE: Java being blocked by ISA 2006 - 11.Aug.2008 4:44:47 PM
|
|
|
pwindell
Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
|
We are talking about two different issues then. Also don't confuse the difference of running a JavaScript -vs- running a Java Applet via the JRE JavaScript is just Client-Side Scripting that runs within the browser after the page is rendered by the browser,...an Java Applet is a compiled application running inside the Virtual Machine created by the JRE.
I am describing the issue with a Java Applet via the JRE not authenticating properly with a CERN Compliant Web Proxy (like the Web Proxy Service of ISA). It does not have anything to do with content types.
quote:
Also, by setting Java to anonymous access, a rule will still need to be created to allow anonymous access to these websites. This defeats the purpose of URL filtering and these sites are now open to everybody.
I was not describing the use of any anonymous rules nor having the JRE access anything anonymously. I was describing making the JRE "proxy agnostic" so that it does not know the proxy even exits. The Firewall Client software handles the authentication on behalf of the JRE without the JRE knowing that it is occuring. There is nothing anonymous.
Also if you run across sites that use Applets that communicate with TCP or UDP but is not using HTTP, then the Firewall Client is a requirement because:
1. The Web Proxy Service only works with HTTP/HTTPS and Read-Only FTP.
2. The SecureNAT Service cannot handle authentication. Therefore all SecureNAT communication is always anonymous,...it can' do anything else.
Therefore if the Applet in question does anything beyond HTTP or FTP and authentication is required,...then the Firewall Client is a requirement.
Using the Firewall Client should be considered more desirable,..not less desirable.
_____________________________
Phillip Windell
www.wandtv.com
|
|
|
|
|
RE: Java being blocked by ISA 2006 - 12.Aug.2008 2:19:00 AM
|
|
|
ahassim
Posts: 19
Joined: 10.Jun.2008
Status: offline
|
Hi Phillip,
Thank you for your response.
I am not too familiar with the way the Javascript/Java applet is loaded into the browser - your description does clarify this quite a bit and makes sense to use the FWC if you do not want to add any anonymous access rules on ISA.
The FWC will overcome this problem but that means having to install the FWC on every machine - something my client does not want to do.
Are there any other options?
Regards,
Aadil
|
|
|
|
|
RE: Java being blocked by ISA 2006 - 12.Aug.2008 10:17:02 AM
|
|
|
pwindell
Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
|
The FWC will overcome this problem but that means having to install the FWC on every machine - something my client does not want to do.
Then they have become their own worst enemy and are, at least in part, the cause of their own problems.
It is up to you to educate them about why they need to change what they "want" and start installing the FWC.
Without the FWC all you get is:
1. the Web Proxy Service that supplies only HTTP/HTTPS and Read-only FTP. It allows no other protocols other than maybe Gofer (however you spell that).
2. the SecureNAT Service which is the least secure of the ISA Services and will not authenticate,...all traffic is anonymous.
_____________________________
Phillip Windell
www.wandtv.com
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
