Welcome to ISAserver.org


bug in system policy?

All Forums >> [ISA 2006 General] >> General >> bug in system policy? Page: [1]
bug in system policy? - 9.Jan.2008 6:13:01 PM   
remushociota (Posts: 64, Joined: 12.Apr.2004)
Correct me if I'm wrong. I always thought system policy is used to grant access for the ISA server itself and has nothing to do with the access rules created after that.
Has anyone had this problem: I used the Edge Firewall template with the Web Only option for internal clients.
In system policy I allowed ISA to go online to the Microsoft Update sites. If you try a Microsoft Update, it reaches the site, you click on Custom, and then you get an error. It doesn't move past that point.
If I go into the Web Only access rule and in the FROM I also add Local Host alongside the Internal that is put there by the rule itself, then updates from the ISA server work.
I always thought that you do that with a system policy and there is no need to do anything with the system access policies for the ISA server itself. No?

thanks
Post #: 1
RE: bug in system policy? - 10.Jan.2008 9:55:18 AM   
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
That's true, but if you want system policy only to work, you need to configure the ISA Firewall to allow Web proxy access from the local host network.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

Post #: 2
RE: bug in system policy? - 10.Jan.2008 2:35:54 PM   
remushociota (Posts: 64, Joined: 12.Apr.2004)
Thanks Tom for the clarification.

I know this is off topic, but I hope you might be able to give me some small guidance on a problem that is driving me nuts.
I remember you once saying that for outside clients, once connected through SSL, it's SSL all the way.
What I don't understand is how one can escape HTTPS when you only want to use it for an authentication page or a credit card payment page.
So you have your website in HTTP. When a user wants to log in to the site (via a site login page, not Windows authentication with IIS, OK?) you send him to an HTTPS page. Once credentials are verified you would want to direct him to a normal HTTP page, correct? Well, I can't do that to save my life.
And I am thinking of hotmail.com: you have a secure login and then you are redirected to an HTTP page, and I would assume Microsoft is protecting their servers with ISA, no? If they did it there must be a way to do it... but how?
After that HTTPS page any request for HTTP is ignored and the user is sent to HTTPS all the time.

Please please help me :)

Post #: 3
RE: bug in system policy? - 13.Jan.2008 11:33:50 AM   
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
The redirection is to a different URL. The logon page is https://www.domain.com/login.asp and the redirect is to http://www.domain.com/default.htm

So, you have one HTTP rule and one HTTPS rule.

HTH,
Tom


Post #: 4
RE: bug in system policy? - 15.Jan.2008 5:56:21 PM   
remushociota (Posts: 64, Joined: 12.Apr.2004)
Hi Tom and thanks for the tip.
Indeed I got it working like that for that website. The key was to create 2 different web listeners one for http and one for https and in paths for the https one only to add the link to that login page. Using your example to /login.asp

However, this is my problem now. I have another site that is not as simple as the ones we used as examples. It is built using the PRADO PHP framework and everything passes through the index.php file in the root of the website. And inside a .htaccess file in the root you specify the redirections.
To give an example. Say I want to go to the admin section, which requires them to log in first over HTTPS. The problem is there isn't any admin/login.php there; everything is done via the index.php in the root. And inside the .htaccess file you have a redirection like this:
RewriteRule ^admin[/]?$   /index.php?page=admin.Login   [L]
RewriteRule ^admin/main[/]?$ /index.php?page=admin.MainPage  [L]

Meaning when you type http://www.domain.com/admin you basically get sent to http://www.domain.com/index.php?page=admin.Login, which checks to see if it's HTTP and redirects to https://www.domain.com/index.php?page=admin.Login, where if login and password are good you get sent to http://www.domain.com/index.php?page=admin.MainPage

The problem in this case is: how do you publish this?
Because in the HTTPS listener I can just specify files, no? Meaning /index.php, which in this case will not work (as I need to have the login page unique for the HTTPS one).
Can I also specify variables after a file? Meaning adding in Paths something like this: /index.php?page=admin.MainPage, which will of course be different from just /index.php

Any idea Tom?

< Message edited by remushociota -- 3.Feb.2008 10:45:53 PM >

Post #: 5
RE: bug in system policy? - 16.Jan.2008 9:09:05 AM   
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
Not the Listener, but the Web Publishing Rule that will use the Listener can specify specific files in the Paths tab.

HTH,
Tom


Post #: 6
RE: bug in system policy? - 16.Jan.2008 10:19:17 AM   
remushociota (Posts: 64, Joined: 12.Apr.2004)
I'm sorry I formulated it wrong.
I meant in the https rule that uses the https listener, in its path I can specify it.

But the main issue remains. How can you do what I asked?
Can you specify parameters after a file name, like /index.php?page=admin.MainPage  ??
The rest I described in my previous post. Any idea?

Post #: 7
RE: bug in system policy? - 17.Jan.2008 10:19:54 AM   
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas)
Why not?

Tom



Post #: 8
RE: bug in system policy? - 17.Jan.2008 11:06:12 AM   
remushociota (Posts: 64, Joined: 12.Apr.2004)
Well, again maybe I was not clear enough...
I mean you can specify parameters, but I think ISA does not take them into account.
Meaning /index.php?page=admin.MainPage is the same as /index.php for ISA.
Would you know anything about that?

The key to successful publication was that on the HTTPS rule you have the name of a file like /logon.asp and the redirect is to a different file name like /default.htm
If the file name is the same it doesn't work. But I wonder, if the file name has a different parameter, will ISA consider it the same "file name" or not... meaning /index.php?page=admin.MainPage and /index.php?page=admin.Login, are they like 2 different files for ISA or not?
It is strange... either I am the only one here with PHP sites written in PRADO (as they all work the same way because of the Prado platform, everything is directed through /index.php and then a parameter) or I am so stupid and can't get this to work. So any help is much appreciated.

thanks

Post #: 9
RE: bug in system policy? - 17.Jan.2008 3:13:10 PM   
remushociota (Posts: 64, Joined: 12.Apr.2004)
Tom I will also include in this post the following:

To take this out of the theory field: if you are willing to try it out yourself, take a look and see that it doesn't work.
The only thing is that you need PHP on the server you want to publish. I would assume you have that up and running.

So what I try to demonstrate is (and I will try to formulate it as clearly as I can): if you want to publish a site that uses both HTTP and HTTPS, and you use a redirect in the code to an HTTPS page for login, after the user is validated you must send him to a different file name than the one used for login, otherwise it won't work. Which in the case of Prado is not possible, because all requests are initially passed through the same file name.
Also (and very important), for ISA the file index.php?parameter1 counts as the same file name as index.php?parameter2 for the purposes I mentioned above. So it does not take the parameters into account to consider it a different file.

So try this on your server and tell me if it works or how you would publish it.

Create a site www.site.com on your server. Create a test file called test1.php with the following code in it (of course change everywhere www.site.com with the name you will use)

<?php
// Force HTTPS: if the request came in over plain HTTP, bounce to the HTTPS login page.
// (empty() avoids an undefined-index notice when HTTPS is not set at all.)
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] !== 'on') {
    header('Location: https://www.site.com/test1.php?page=login');
    exit();
}
// The form was submitted: "validate" the user (bogus here) and send them back to plain HTTP.
if (!empty($_POST['submitted'])) {
    // validate user
    header('Location: http://www.site.com/test1.php?page=mainpage');
    exit();
}
// Show which "page" we are on; the value comes straight from the query string, so escape it.
if (!empty($_GET['page'])) {
    echo "You are in " . htmlspecialchars($_GET['page'], ENT_QUOTES, 'UTF-8') . " page";
}
?>
<form name="form1" action="test1.php" method="post">
<input type="hidden" name="submitted" value="1" />
Username: <input type="text" name="username" /><br />
Password: <input type="password" name="password" /> <br /><br />
<input type="submit">
</form>

As we use this for simulation, some explanations:
The first part checks if you are entering the page via HTTP or HTTPS. If it is HTTP it sends you to HTTPS.
Then we have a form. It's bogus; just put anything in it and press the button.
In the page I also show where I'm at, just so we know. The first time I am in "You are in login page".
When you press the button what happens? Here is the point where ISA breaks this... if you look, it should send you to http://www.site.com/test1.php?page=mainpage but instead it still sends me to HTTPS.
So I cannot escape HTTPS to save my life! If here, for example, it had been a redirection to http://www.site.com/test2.php then it works!

To publish this I created one HTTP listener and one HTTPS listener. The HTTP listener only has port 80 active. The HTTPS listener only has port 443 active. I used no authentication in the listener, and in the publishing rule I used no delegation and clients cannot authenticate directly. And the rule is for All Users.

And then I created 2 rules. One for HTTP and one for HTTPS.
In the HTTP rule under Paths I entered /*
In the HTTPS rule under Paths I entered /test1.php
Also in the rule under Bridging, for HTTP I have just HTTP to port 80 and for the HTTPS rule just 443.

1. So the question is: why can't I escape HTTPS??

2. Some more insight on this. If in the HTTP rule I put in Paths /*
and in the HTTPS rule I put /test1.php?page=login
when I go to http://www.site.com/test1.php or http://www.site.com/test1.php?page=login it redirects me to https://www.site.com/test1.php?page=login and then I get "The page cannot be displayed" with
Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

and in ISA log I see:

Allowed Connection ISA 1/17/2008 3:21:22 PM
Log type: Web Proxy (Reverse)
Status: 302 Moved Temporarily
Rule: SITE HTTP
Source: External (192.168.1.4)
Destination: (www.site.com 10.0.0.2:80)
Request: GET http://www.site.com/test1.php
Filter information: Req ID: 07b87bb2; Compression: client=Yes, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; WOW64; SV1)
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x40000000 (Response should not be cached.)
Processing time: 10 MIME type:

< Message edited by remushociota -- 3.Feb.2008 10:50:38 PM >

Post #: 10
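An added example (not from this thread and not ISA code): a small Python model of the publishing behaviour described in the posts above, for reasoning about which hop of an HTTP/HTTPS redirect chain each rule would accept. It assumes, as the poster reports, that a rule's Paths entries are compared against the URL path only (the query string is ignored, so an entry that itself contains "?" never matches, which is consistent with the 403 seen in point 2) and that "/*" matches everything under that prefix. The listener layout, hostnames and URLs are taken from the thread or made up for the demo; how "/admin/*" treats "/admin" itself is an assumption about ISA wildcards, not something the thread states.

```python
"""Model of ISA 2006 web-publishing Paths matching as described in the thread.

Added example, not the forum's or ISA's own code. Assumptions (labelled):
  - a Paths entry is matched against the request path only; the query string is ignored
  - an entry containing '?' can therefore never match (poster's 403 in test 2)
  - '/prefix/*' matches '/prefix' and everything below it (assumed wildcard semantics)
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


def isa_path_matches(rule_path: str, request_url: str) -> bool:
    """Does one Paths entry accept this request URL? (query string ignored)"""
    if "?" in rule_path:
        return False                      # assumption: entries with '?' never match
    path = urlsplit(request_url).path or "/"
    if rule_path.endswith("/*"):
        prefix = rule_path[:-1]           # '/admin/*' -> '/admin/', '/*' -> '/'
        return path == prefix.rstrip("/") or path.startswith(prefix)
    return path == rule_path


# Assumed layout from the thread: one listener and one rule per scheme.
RULES: Dict[str, List[str]] = {
    "http": ["/*"],
    "https": ["/test1.php"],
}


def rule_for(request_url: str, rules: Dict[str, List[str]] = RULES) -> Optional[str]:
    """First Paths entry on the listener for this scheme that matches, or None (-> 403)."""
    scheme = urlsplit(request_url).scheme.lower()
    for entry in rules.get(scheme, []):
        if isa_path_matches(entry, request_url):
            return f"{scheme} rule: {entry}"
    return None


def walk_flow(flow: List[str], rules: Dict[str, List[str]] = RULES) -> List[Tuple[str, Optional[str]]]:
    """Run every hop of a planned redirect chain through the rule set."""
    return [(url, rule_for(url, rules)) for url in flow]


def same_path_hops(flow: List[str]) -> List[Tuple[str, str]]:
    """Pairs of hops on the same scheme whose URLs differ only in the query string.

    Under the assumed matching, ISA cannot send two such hops to different rules;
    this is exactly the PRADO problem where login and main page share /index.php.
    """
    first_seen: Dict[Tuple[str, str], str] = {}
    clashes: List[Tuple[str, str]] = []
    for url in flow:
        parts = urlsplit(url)
        key = (parts.scheme.lower(), parts.path)
        if key in first_seen and first_seen[key] != url:
            clashes.append((first_seen[key], url))
        first_seen.setdefault(key, url)
    return clashes


if __name__ == "__main__":
    # Constructed redirect chains mirroring the thread's two cases.
    simple = ["http://www.domain.com/default.htm",
              "https://www.domain.com/login.asp",
              "http://www.domain.com/default.htm"]
    prado = ["http://www.domain.com/index.php?page=admin.Login",
             "https://www.domain.com/index.php?page=admin.Login",
             "http://www.domain.com/index.php?page=admin.MainPage"]
    rules = {"http": ["/*"], "https": ["/login.asp", "/index.php"]}
    for chain in (simple, prado):
        for url, rule in walk_flow(chain, rules):
            print("ALLOW" if rule else "403  ", url, "->", rule)
        print("same path, different query:", same_path_hops(chain))
        print()
```

Run it directly to print the trace for the login.asp/default.htm chain and for the PRADO chain; the second reports the two plain-HTTP hops that differ only in their query string, which is the pair the Paths tab cannot tell apart under the assumed matching.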
RE: bug in system policy? - 29.Jan.2008 9:43:13 AM   
remushociota (Posts: 64, Joined: 12.Apr.2004)
Hi Tom

Forgot about me? :)

Post #: 11
RE: bug in system policy? - 8.Feb.2008 1:51:16 AM   
remushociota (Posts: 64, Joined: 12.Apr.2004)
For everyone wondering this can be solved by following this thread: http://forums.isaserver.org/switching_between_http_and_https_does_not_work/m_2002059107/tm.htm

Post #: 12
