Welcome to ISAserver.org

SSH Tunnel through HTTPS??

SSH Tunnel through HTTPS?? - 15.Oct.2007 3:02:10 PM   
netwerkkdude

 

Posts: 4
Joined: 14.Oct.2007
Hi all, I recently replaced my Linux firewall with ISA Server 2006, and am now having issues when I SSH tunnel back to my home network.

In the past, from work I would port FW my SSH tunnel through my company's HTTPS (443) port to connect through to my home network's SSH server (listening on 443). Then from there I could surf, or IM through my SSH tunnel, and it would be from my home network.

I set up a rule on the new ISA box that listens to any HTTPS traffic (port 443) from the external network and directs it to my SSH server that is configured to listen on port 443.

With my last firewall this was enough and had worked for years. It is not working with ISA currently.

A colleague told me it might be because ISA has HTTP inspection on and sees that that SSH traffic is indeed not HTTPS traffic. Could this be the problem? If so, where do I turn this off? Is it on by default?

Thank you!
Post #: 1
RE: SSH Tunnel through HTTPS?? - 23.Oct.2007 4:53:06 PM   
pwindell

 

Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
quote:

ORIGINAL: netwerkkdude
I set up a rule on the new ISA box that listens to any HTTPS traffic (port 443) from the external network and directs it to my SSH server that is configured to listen on port 443.


What "a rule"?  Please be specific,...there are all kinds of Rules for all kinds of things.  What kind of Rule?  Exactly how did you configure it?

It sounds like you are going "from work --to your home", so why is the Rule using an Inbound Protocol?

What is an "SSH Server" specifically in this case and how does it fit into the process?


quote:


With my last firewall this was enough and had worked for years. It is not working with ISA currently.


ISA is a much more complex and more tightly secured product than a typical Hardware Firewall.  More so than many would ever be willing to admit.  So it is more complex to deal with when performing more "unusual" jobs.

quote:


A colleague told me it might be because ISA has HTTP inspection on and sees that that SSH traffic is indeed not HTTPS traffic. Could this be the problem? If so, where do I turn this off? Is it on by default?


I doubt that is it.  If this is an SSL stream with the SSH encapsulated into it, then it really is SSL as far as ISA is concerned.  SSL is encrypted,...so ISA cannot get inside it to inspect it the way it can with HTTP.  In fact this is why ISA limits SSL to port 443 by default and doesn't allow it on other ports.  This was an industry recommendation.  See Section #5 "Security Considerations" in the following article.

SSL Tunneling; Informational RFC
http://lists.w3.org/Archives/Public/ietf-http-wg-old/1997SepDec/0142.html

However if this is really not SSL, and is just the straight "naked" SSH...then that could be a problem.  I'm really not sure how to deal with that off the top of my head. I'd have to think about that.

_____________________________

Phillip Windell
www.wandtv.com

(in reply to netwerkkdude)
Post #: 2
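
The two cases distinguished in the post above (a real SSL stream versus "naked" SSH on port 443) differ in the first bytes the client sends, which are plaintext in both protocols. The following is an added example, not part of the original thread and not ISA Server's own logic, showing how a sensor could label those first bytes. The function names and sample flows are constructed for illustration, and only the SSL 3.0/TLS record format is recognised (not the older SSLv2-format hello).

```python
import struct

SSH_MAGIC = b"SSH-"  # RFC 4253 section 4.2: client opens with "SSH-protoversion-softwareversion"


def classify_first_bytes(data: bytes) -> str:
    """Label the first client-to-server bytes: 'ssh', 'tls', 'need-more-data' or 'other'."""
    if data.startswith(SSH_MAGIC):
        return "ssh"  # raw SSH: plaintext identification line
    if len(data) < len(SSH_MAGIC) and SSH_MAGIC.startswith(data):
        return "need-more-data"  # empty input or a partial "SSH-" prefix
    if len(data) < 6:
        return "need-more-data" if data[0] == 0x16 else "other"
    # TLS record header: content type, version (major, minor), length; then handshake type.
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if (ctype == 0x16 and major == 0x03 and minor <= 0x04
            and 0 < length <= 2 ** 14 and data[5] == 0x01):
        return "tls"  # handshake record carrying a ClientHello
    return "other"


def flag_non_tls_on_443(flows):
    """Return (src, label, banner) for port-443 flows whose first bytes are not TLS."""
    findings = []
    for src, dport, payload in flows:
        label = classify_first_bytes(payload)
        if dport != 443 or label in ("tls", "need-more-data"):
            continue
        banner = ""
        if label == "ssh":
            # Keep the identification line as evidence for the analyst.
            first_line = payload.split(b"\n", 1)[0].rstrip(b"\r")
            banner = first_line.decode("ascii", "replace")
        findings.append((src, label, banner))
    return findings


# Constructed sample flows (RFC 5737 documentation addresses, made-up payloads).
SAMPLE_FLOWS = [
    ("192.0.2.10", 443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01"),
    ("192.0.2.11", 443, b"SSH-2.0-OpenSSH_4.7\r\n"),
    ("192.0.2.12", 443, b"GET / HTTP/1.1\r\n"),
    ("192.0.2.13", 22, b"SSH-2.0-OpenSSH_4.7\r\n"),
]

if __name__ == "__main__":
    for finding in flag_non_tls_on_443(SAMPLE_FLOWS):
        print(finding)
```

SSH wrapped inside a genuine SSL session still classifies as `tls` here, since only the outer handshake is visible.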
RE: SSH Tunnel through HTTPS?? - 24.Oct.2007 12:12:53 PM   
ferrix

 

Posts: 375
Joined: 16.Mar.2005
If you publish your ssh server with an application publishing rule on port 443 it seems that it should work.  If you try to do a web publishing rule and try to pull in the SSL bridging and http inspection of ISA then that would clearly fail since inside the SSL tunnel is really not HTTP :)

(in reply to pwindell)
Post #: 3
RE: SSH Tunnel through HTTPS?? - 24.Oct.2007 12:44:46 PM   
pwindell

 

Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Yes, that's what I'm thinking too. 

_____________________________

Phillip Windell
www.wandtv.com

(in reply to ferrix)
Post #: 4
