
After kb958644 update to ISA server https pages problem

After kb958644 update to ISA server https pages problem - 29.Oct.2008 4:28:23 AM   
jukka

 

Posts: 4
Joined: 29.Oct.2008
Status: offline
Hello
I have a really bad situation with ISA 2006 Enterprise (SP1) right now. After applying the MS critical update kb958644 to the ISA servers and rebooting after that patch, all restricted users have no access to HTTPS pages (HTTP pages are working fine). Those HTTPS pages were also working last Friday, and after the weekend patch they do not work any more.

I have three arrays in the ISA Enterprise (one in Central Europe, one in Nordic Europe and one in the US). I have applied the patch to Central Europe and US and also rebooted, and at those sites the problem exists. At Nordic Europe the patch is installed but the server has not been rebooted, and via that server HTTPS pages are working for restricted users.

There is of course a rule for restricted users in the Enterprise policy.

Users who have "Free" access to the Internet via ISA are working perfectly (own rule).

Is anyone else having this problem? Please help if you have any clue what to do. I tested Rollback for the patch but it didn't help.

I would really appreciate if someone could help with this case.
Regards, JL
Post #: 1
RE: After kb958644 update to ISA server https pages pr... - 29.Oct.2008 7:57:23 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
What do the firewall's log files say about these connections?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jukka)
Post #: 2
RE: After kb958644 update to ISA server https pages pr... - 29.Oct.2008 9:03:32 AM   
jukka

 

Posts: 4
Joined: 29.Oct.2008
Status: offline
Hello
Thank You for response.

Logs say: "12202 The ISA Server denied the specified Uniform Resource Locator (URL). ". There is definitely an access rule for those HTTPS pages. And the same pages are working via the Nordic ISA server (not rebooted after the patch) with the same account for which access is denied at the US and Central Europe ISA. These were also working via the US and Central Europe ISA before the weekend.

It simply seems not to see the HTTPS list from the rule (it matches the default rule: deny all); HTTP pages are working perfectly even with restricted users.

I even tested making a new rule above with the HTTPS pages list and allowed all users access, and the result is the same.

Regards, JL

(in reply to tshinder)
Post #: 3
RE: After kb958644 update to ISA server https pages pr... - 30.Oct.2008 4:52:41 AM   
jukka

 

Posts: 4
Joined: 29.Oct.2008
Status: offline
Hello

I finally found a solution for this and now the https pages are working via US and Central European Proxy also.
After the weekend's patch there has been a change in some Windows 2003 settings. At ISA, restricted users cannot use HTTPS pages if those are defined with a Computer Sets group. I was able to get past that problem by doing it with Domain Name Sets (I made a Domain Name Set group and added all the wanted HTTPS pages to it). After that all seems to work perfectly. I just tested many different kinds of changes and finally got lucky.

Even though this is now working with another solution, I'm still opening a case and waiting for an answer from MS on what could cause this problem and why it was necessary to change the setting at ISA. This was working before the weekend.

Regards, JL

(in reply to jukka)
Post #: 4
RE: After kb958644 update to ISA server https pages pr... - 30.Oct.2008 1:24:03 PM   
gunjan151

 

Posts: 39
Joined: 24.Apr.2008
Status: offline
JL,

Even I had a problem after the patch was applied on my ISA servers. After the patch was applied, ISA Server started caching even dynamic data like JSP files, and it caused a security issue with our applications where one user was able to see data for other users.

After going through your posting here I created a caching rule by creating a new Domain Name Set group and added the URLs to that group, and after that I saw a change in the caching behaviour.

I have not heard anything from Microsoft yet on this issue, but I am sure that the patch "kb958644" caused this issue.

(in reply to jukka)
Post #: 5
RE: After kb958644 update to ISA server https pages pr... - 31.Oct.2008 2:57:17 AM   
jukka

 

Posts: 4
Joined: 29.Oct.2008
Status: offline
Hi

Thank you for your message. Your problem gives us a bit more evidence that the cause really is the latest patch.

I had a case with MS for this, but they closed it because in their mind there was another way to fix it (the resolution I found myself!!). They are not doing any more investigation, because our contract with MS is a "5 pack contract". If we want MS to do a "root cause analysis" for this case, we would have to open a Premier case with MS. That would cost our company money, so I didn't open it.

In my opinion MS is a bit irresponsible with these kinds of issues. They have made a patch which causes these problems, and they don't do anything to fix it even if there is a need to change the working environment because of the patch. Of course with money they would do something, but I think this is not a "good" way to solve issues.

JL


(in reply to gunjan151)
Post #: 6
RE: After kb958644 update to ISA server https pages pr... - 31.Oct.2008 5:37:21 AM   
xhoz

 

Posts: 1
Joined: 31.Oct.2008
Status: offline
We have the same problem in our company!!
It seems that we are not able to access banking websites (especially sites that are using Java Server Pages (JSP)). I'm not sure how to solve this.

Can anyone post his solution in here?

Thx in advance!

< Message edited by xhoz -- 1.Nov.2008 2:28:01 PM >

(in reply to jukka)
Post #: 7
RE: After kb958644 update to ISA server https pages pr... - 4.Nov.2008 2:38:05 AM   
Jim Harrison

 

Posts: 271
Joined: 5.May2001
From: Redmond, WA
Status: offline
You guys say that this patch has caused problems with your ISA policy behavior, but I don't see where anyone has removed the patch to prove this theory?
The patch affects the Windows Server service, which is not used by ISA at all, so this patch being causative is a very slim chance.
What is in the logs for those requests?

_____________________________

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG

(in reply to xhoz)
Post #: 8
RE: After kb958644 update to ISA server https pages pr... - 4.Nov.2008 7:19:59 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jim,

Thanks for jumping in on this. I was going to ping you about this thread because I can't make much sense of it either, and since they've contacted PSS about this problem, I thought you might want to see what's going on.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Jim Harrison)
Post #: 9
