Welcome to ISAserver.org


https web sites

https web sites - 9.Dec.2002 4:03:00 PM   
squee

 

Posts: 34
Joined: 14.Aug.2002
From: Plainfield, Indiana
Status: offline
For our receiving department, we have set up a destination set that allows them to go to certain shipping sites (i.e. www.ups.com, www.airborne.com, www.fedex.com). We are using the deny access except for selected destination set of above sites with selected users for all content.

The problem we are running into is when they need to login to a secure site within the requested site. Once they click on the login, they receive a blank page with the error message "This page can not be displayed".

If the destination set is not used, the users can login fine. With the destination set applied, the above error occurs.
Post #: 1
RE: https web sites - 10.Dec.2002 7:39:00 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi James,

I tried to reproduce the problem, but I had no problems accessing the allowed sites. Make sure the users are not trying to access disallowed sites. The Web Proxy log will give you the details.

HTH,
Tom

(in reply to squee)
Post #: 2
RE: https web sites - 10.Dec.2002 8:08:00 PM   
squee

 

Posts: 34
Joined: 14.Aug.2002
From: Plainfield, Indiana
Status: offline
Tom:

Once they get to www.ups.com, they will then click the logon option, which takes them to

https://www.ups.com/servlet/login?returnto=

This is the page that appears blank.

www.ups.com they can get to.

https://www.ups.com/servlet/login?returnto= they can not get to.

Is that any better?

-Jim

(in reply to squee)
Post #: 3
RE: https web sites - 10.Dec.2002 11:29:00 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jim,

I've tested the same link, and I get to the page just fine.

Here's the setup:

1. Create a group called "lusers". Create an account called "Joe". Put Joe in the "lusers" group

2. Create a Site and Content Rule Allow rule that allows the "lusers" group access to the Destination Set that contains www.ups.com and the other sites in it.

3. Create a Site and Content Rule that denies the "lusers" group access to all sites and content EXCEPT for the Destination Set included in the Allow rule

Now the user can access any page, including SSL, that is on the www.ups.com server. He cannot access pages not on that server. This testing was done with the Web Proxy client configuration.

HTH,
Tom

(in reply to squee)
Post #: 4
RE: https web sites - 16.Dec.2002 1:28:00 PM   
squee

 

Posts: 34
Joined: 14.Aug.2002
From: Plainfield, Indiana
Status: offline
Tom:

Thanks for the info. I will test & let you know.

-Jim

(in reply to squee)
Post #: 5
RE: https web sites - 16.Dec.2002 2:57:00 PM   
Biagio

 

Posts: 7
Joined: 12.Dec.2002
From: Italy
Status: offline
Hi Tom,
I have the same problem as Jim... I've tested your solutions... but now if the destination set deny is used it's impossible to navigate... if I disable the deny rule we work but we can't go to https... help me please!

Claudio

(in reply to squee)
Post #: 6
RE: https web sites - 16.Dec.2002 3:58:00 PM   
squee

 

Posts: 34
Joined: 14.Aug.2002
From: Plainfield, Indiana
Status: offline
Tom:

Followed your steps & I am still getting the blank page. In the destination set I am using, *.ups.com /*.

-Jim

(in reply to squee)
Post #: 7
RE: https web sites - 16.Dec.2002 3:58:00 PM   
squee

 

Posts: 34
Joined: 14.Aug.2002
From: Plainfield, Indiana
Status: offline
That should be *.ups.com & /* for the directories below.

-Jim

(in reply to squee)
Post #: 8
RE: https web sites - 16.Dec.2002 6:08:00 PM   
ceb

 

Posts: 10
Joined: 9.Dec.2002
From: Brazil
Status: offline
Tom, Bia, James, All, [Confused]

I'm having the same problem too...

I've been searching (for a long time) for a solution to the problem, but I'm having no success....

I need some help too..

Regards,

CEB, MCSE
cbeuter@yahoo.com

(in reply to squee)
Post #: 9
RE: https web sites - 16.Dec.2002 6:37:00 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

Did you check out my article I did a couple of days ago on this?

BTW -- the Destination Set should just be www.ups.com. If you want more, use *.ups.com, but no path statement is required at all.

HTH,
Tom

(in reply to squee)
Post #: 10
RE: https web sites - 16.Dec.2002 8:19:00 PM   
ceb

 

Posts: 10
Joined: 9.Dec.2002
From: Brazil
Status: offline
Hey People,

Good news...

You will not believe...

The solution is very, very complex:

(LEAVE THE PATH FIELD ON DESTINATION SETS COMPLETELY EMPTY, WITH NO WILDCARD OR /*)

Can you believe this ?????

Try and tell me if it works...

Regards... :-)

CEB, MCSE
cbeuter@yahoo.com

(in reply to squee)
Post #: 11
RE: https web sites - 16.Dec.2002 8:35:00 PM   
squee

 

Posts: 34
Joined: 14.Aug.2002
From: Plainfield, Indiana
Status: offline
Tom:

Read the article. It was very nicely written. I followed all of the steps, but I am still getting the blank page to the login page. Here is the output from the log.

Field1 Field2 Field3 Field4 Field5 Field6 Field7 Field8 Field9 Field10 Field11 Field12 Field13 Field14 Field15 Field16 Field17 Field18 Field19 Field20 Field21 Field22 Field23 Field24 Field25
10.39.253.42 GALYANS\s03ups Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461) Y 12/16/2002 2:12:40 PM w3proxy GALYANS-ISA - www.ups.com - 80 0 345 153 http TCP GET http://www.ups.com/images/homepage/global_corp_set_04.gif image/gif NotModified 0 0x2 Certain Protocols Allow Sites (1)
10.39.253.42 GALYANS\s03ups Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461) Y 12/16/2002 2:12:39 PM w3proxy GALYANS-ISA - www.ups.com - 80 0 346 153 http TCP GET http://www.ups.com/images/nav/global/nav1_custserv_off.gif image/gif NotModified 0 0x2 Certain Protocols Allow Sites (1)
10.39.253.42 GALYANS\s03ups Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461) Y 12/16/2002 2:12:39 PM w3proxy GALYANS-ISA - www.ups.com - 80 0 345 153 http TCP GET http://www.ups.com/images/nav/global/nav1_e-business2.gif image/gif NotModified 0 0x2 Certain Protocols Allow Sites (1)

-Jim

(in reply to squee)
Post #: 12
RE: https web sites - 16.Dec.2002 9:01:00 PM   
squee

 

Posts: 34
Joined: 14.Aug.2002
From: Plainfield, Indiana
Status: offline
CEB!

You are the MAN! That works. So Tom, why did this change make it work?

-Jim

(in reply to squee)
Post #: 13
RE: https web sites - 16.Dec.2002 9:11:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hey guys,

you should read again Tom's article http://www.isaserver.org/articles/sitecontentssl.html [Razz]

quote:
These log entries tell me that bob was connecting from a Web Proxy client at IP address 10.0.0.3 and that he attempted to connect to www.ups.com:443 via an SSL-tunnel connection. Note that the ISA Server does not log what objects were accessed at the SSL site. The reason for this is that these objects are hidden inside the SSL tunnel at the point where the logging takes place. This is also the reason why you can't limit the type of object a user can access in an SSL site. If you try to limit the types of objects the user can access at an SSL site, the ISA Server will deny access to all objects, because it can't determine what objects the user is accessing. This is a common cause for denials at sites where the user otherwise has access.

HTH,
Stefaan

(in reply to squee)
Post #: 14
RE: https web sites - 16.Dec.2002 9:39:00 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

As Stefaan said, read the article! But I do need to make it more clear that because the SSL connection is encrypted, the ISA Server cannot evaluate the path, so unless the client has access to the ENTIRE server, the request will be denied.

Good to hear you got it working!

Tom

[ December 16, 2002, 09:42 PM: Message edited by: tshinder ]

(in reply to squee)
Post #: 15
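
The behaviour described in posts #14 and #15, as an added example that is not part of the original thread and is not ISA Server code: a simplified Python model of a forward proxy matching requests against a destination set. The `Destination` class, the function names and the `fnmatch`-style wildcard matching are assumptions made for illustration; the request lines are constructed from the URLs quoted in the thread.

```python
# Simplified model (added example, not ISA Server code) of why a path in a
# destination set breaks HTTPS through a forward proxy.
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Destination:              # hypothetical stand-in for one destination set entry
    host: str                   # e.g. "www.ups.com" or "*.ups.com"
    path: Optional[str] = None  # None = entire server; "/*" = a path restriction


def parse_proxy_request(request_line: str):
    """Return (host, path) as a forward proxy sees them.

    Plain HTTP arrives as 'GET http://host/path HTTP/1.x', so the path is
    visible. HTTPS arrives as 'CONNECT host:443 HTTP/1.x'; the real URL is
    sent later inside the encrypted tunnel, so the path is None (unknown).
    """
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        host, _, _port = target.rpartition(":")
        return host.lower(), None
    parts = urlsplit(target)
    return (parts.hostname or "").lower(), parts.path or "/"


def in_destination_set(request_line: str, dest_set) -> bool:
    host, path = parse_proxy_request(request_line)
    for d in dest_set:
        if not fnmatch(host, d.host.lower()):
            continue
        if d.path is None:
            return True   # whole server allowed: the path is irrelevant
        if path is not None and fnmatch(path, d.path):
            return True   # path is visible and matches the restriction
        # Path restriction on a tunnel: nothing to evaluate, so no match.
    return False


# Constructed sample requests based on the URLs quoted in the thread.
HTTP_REQ = "GET http://www.ups.com/images/homepage/global_corp_set_04.gif HTTP/1.0"
SSL_REQ = "CONNECT www.ups.com:443 HTTP/1.0"

WITH_PATH = [Destination("*.ups.com", "/*")]  # the configuration that failed
NO_PATH = [Destination("*.ups.com")]          # path field left empty
```

In this model the plain HTTP request matches either set, while the `CONNECT` request matches only the set with no path, which is the symptom reported in the thread: the home page loads and the SSL login page does not.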
RE: https web sites - 16.Dec.2002 9:43:00 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by James E. Rudolph:
Tom:

Read the article. It was very nicely written. I followed all of the steps, but I am still getting the blank page to the login page. Here is the output from the log.

Field1 Field2 Field3 Field4 Field5 Field6 Field7 Field8 Field9 Field10 Field11 Field12 Field13 Field14 Field15 Field16 Field17 Field18 Field19 Field20 Field21 Field22 Field23 Field24 Field25
10.39.253.42 GALYANS\s03ups Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461) Y 12/16/2002 2:12:40 PM w3proxy GALYANS-ISA - www.ups.com - 80 0 345 153 http TCP GET http://www.ups.com/images/homepage/global_corp_set_04.gif image/gif NotModified 0 0x2 Certain Protocols Allow Sites (1)
10.39.253.42 GALYANS\s03ups Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461) Y 12/16/2002 2:12:39 PM w3proxy GALYANS-ISA - www.ups.com - 80 0 346 153 http TCP GET http://www.ups.com/images/nav/global/nav1_custserv_off.gif image/gif NotModified 0 0x2 Certain Protocols Allow Sites (1)
10.39.253.42 GALYANS\s03ups Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461) Y 12/16/2002 2:12:39 PM w3proxy GALYANS-ISA - www.ups.com - 80 0 345 153 http TCP GET http://www.ups.com/images/nav/global/nav1_e-business2.gif image/gif NotModified 0 0x2 Certain Protocols Allow Sites (1)

-Jim

Hi Jim,

None of these log entries indicate a failed HTTPS connection. Am I missing something?

Thanks!
Tom

(in reply to squee)
Post #: 16
RE: https web sites - 17.Dec.2002 9:57:00 AM   
Biagio

 

Posts: 7
Joined: 12.Dec.2002
From: Italy
Status: offline
Hey guys,
thank you very much!
Now the SSL destinations work!

But if I configure the deny rule... it doesn't work! :-(

Any idea?
Bia

(in reply to squee)
Post #: 17
RE: https web sites - 17.Dec.2002 1:01:00 PM   
ceb

 

Posts: 10
Joined: 9.Dec.2002
From: Brazil
Status: offline
Bia,

You must change your rule:

allow - not deny;
.....
selected destination set - not all destinations except..
......

Understood ???

Regards,

CEB, MCSE
cbeuter@yahoo.com

(in reply to squee)
Post #: 18
RE: https web sites - 17.Dec.2002 2:25:00 PM   
Biagio

 

Posts: 7
Joined: 12.Dec.2002
From: Italy
Status: offline
Ceb, [Confused]

I have two site and content rules:

1) Allow...with...select destination set
2) Deny...with...All destinations except selected set

doesn't work!

Tks!

(in reply to squee)
Post #: 19
RE: https web sites - 17.Dec.2002 5:07:00 PM   
ceb

 

Posts: 10
Joined: 9.Dec.2002
From: Brazil
Status: offline
Bia,

Try with just rule 1 enabled (not both).

Must work.

CEB, MCSE
cbeuter@yahoo.com

(in reply to squee)
Post #: 20
