Recently, when I am trying to attach any file in Gmail, I get a user name and password request from ISA Server; even if I enter credentials, attachments are not processed completely and Gmail hangs. ISA monitor showed the following log:
Denied Connection
Isa server name 3/17/2009 1:21:06 PM
Log type: Web Proxy (Forward)
Status: 12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.
Rule: Rule name
Source: Internal (my computer ip address)
Destination: External (isa ip address:8080)
Request: POST http://mail.google.com/mail/?ui=2&ik=d4a886cffa&view=up&fcid=fsedjyt4fzov&rt=j&act=fup&oauth=1egnamba3jpl7v54ms0v8pmskkmf57y%7C55acd4af6be3f393&attid=f_fsedjyt40
Filter information: Req ID: 0e00d3fd; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous
Additional information
Client agent: Shockwave Flash
Object source: (No source information is available.)
Cache info: 0x4 (Request includes one of these headers: CACHE-CONTROL:NO-CACHE or PRAGMA:NO-CACHE.)
Processing time: 1 ms
MIME type:
The rule is allowing everything from internal to external for a group that I am a member of. I tried both web client and firewall client but got the same result....everything else is working fine except uploading attachments in Gmail.
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
It looks like the "add attachment" Shockwave code is not able to provide authentication to ISA, hence the error.
If so, you may need to create an anonymous access rule specifically for the destination used by the Shockwave process...
Have a search through the forums looking for Java applications and anonymous authentication as this is a similar problem.
I am guessing that if you configure your web access rule for "all users" (only recommended for testing) the problems will go away - this is a valid test to see if the Shockwave process is trying to use anonymous.
Cheers
JJ
< Message edited by Jason Jones -- 17.Mar.2009 6:43:26 AM >
You guessed it right my friend, when I allowed only all users in my web access rule, attachments uploaded successfully without any error....but how can I sort it out for authenticated users?
quote:
ORIGINAL: stu1st
Hi jason,
You guessed it right my friend, when I allowed only all users in my web access rule, attachments uploaded successfully without any error....but how can I sort it out for authenticated users?
As Steve suggested, you will need to define a new rule which uses the "All users" condition and place this above the existing web access rule that requires authentication. To differentiate between the rules, you will need to find something unique about the attachment process, maybe a different URL or similar. You can then only allow anonymous users to access this particular URL whereas all other URLs will hit the existing authenticated web access rule - make sense?
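Added example, not part of the original thread: one way to look for "something unique about the attachment process" in proxy log entries. A browser's first request is also logged as an anonymous 12209 denial before it retries with credentials, so this reports only client agent and host pairs that never appear with an authenticated user. The sample entries are constructed, and the one "Label: value" per line layout and the function names are assumptions modelled on the log text quoted in the first post.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample entries (not real logs), one "Label: value" per line,
# modelled on the log viewer text quoted in the first post.
SAMPLE = """\
Status: 12209 The ISA Server requires authorization to fulfill the request.
Request: POST http://mail.google.com/mail/?ui=2&view=up&act=fup
User: anonymous
Client agent: Shockwave Flash

Status: 12209 The ISA Server requires authorization to fulfill the request.
Request: GET http://mail.google.com/mail/?ui=2
User: anonymous
Client agent: Mozilla/5.0

Status: 200
Request: GET http://mail.google.com/mail/?ui=2
User: alice@example.test
Client agent: Mozilla/5.0
"""

def parse_entries(text):
    """Split blank-line separated entries into dicts of label -> value."""
    entries = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        entries.append(fields)
    return entries

def never_authenticates(entries):
    """Count anonymous 12209 denials per (agent, host, path), skipping agents
    that also reach the same host with an authenticated user."""
    denied, authed = Counter(), set()
    for e in entries:
        parts = urlsplit(e.get("Request", "").partition(" ")[2])
        agent = e.get("Client agent", "")
        if e.get("User", "anonymous").lower() != "anonymous":
            authed.add((agent, parts.hostname))
        elif e.get("Status", "").startswith("12209"):
            denied[(agent, parts.hostname, parts.path)] += 1
    return {k: n for k, n in denied.items() if k[:2] not in authed}

if __name__ == "__main__":
    for key, count in never_authenticates(parse_entries(SAMPLE)).items():
        print(count, *key)
```

Whatever host and path this surfaces is the candidate destination for a narrowly scoped "All users" rule placed above the authenticated rule, rather than opening the whole site.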
When you say a new access rule to all users to (http:\\www.gmail.com) this means everyone will be able to access Gmail, even unauthenticated ones? But I don't want that to happen, I mean I don't want whoever comes to have access to Gmail.....actually very stupid of ISA to squeeze us in such a corner !!!
I've struggled a little bit to repro your problem for the simple fact that it works for me here using IE 7, domain member machines, web proxy clients... I see in ISA's logs the log for the POST method for the Shockwave Flash client agent containing the needed user information. I've noticed you are not using full HTTPS with Gmail.
Are you saying that when you attach a file, you see the progress bar, you are prompted for credentials and then the progress freezes or something similar? I've managed "to experience" this "behaviour" using Chrome or Firefox 3 on the same machine on which IE 7 works (OK, for FF I've installed a "different" flash player than for IE, I think Chrome uses "this" flash player too, http://plugindoc.mozdev.org/windows.html), Chrome or FF web proxy clients. I'm prompted for credentials and I see an ISA log similar to yours. Then the progress bar does not advance (actually I see that the browser itself will experience some problems, apparently due to the Shockwave Flash, this is what Chrome says). I did not look closer at all these though. If no auth on ISA, no problems.
Anyway, I assume you may not want to mess with this setting. It worked for me with Chrome or FF too when I configured my machine as only FWC and not FWC+web proxy client. I see you have tried using FWC, but at that time was your machine configured as web proxy client too? You may try making your machine just firewall client, and not web proxy client too, if you want to keep auth on ISA, maybe it will work for you too so. What browser do you use?
You mentioned the exact problem I face. I use the Firefox browser, I used FW client without web client and it didn't work either...actually I remember now, some users who use IE (not sure if ver 7) can access Gmail attachments very fine....I am a domain admin and I have full access in ISA, I am still asked about credentials as soon as that attachment flash bar initializes.....I don't have a clue about the advanced attachment features in Gmail though......what do you advise? Shall I install a specific ver of flash player? What else shall I try?
Sorry for not being too explicit. When I've said just firewall client, I did not refer only to Firefox's proxy settings. Even if you do not set any web proxy in Firefox, you must also not set any proxy in IE. If any proxy was set in Internet Options, Connections tab, LAN settings, you will still experience the annoying behaviour. So make sure that no settings were configured there too. FWC may configure some settings there. Double-check this please. As said before it worked for me like so, I've tested on XP and Vista machines.
You can find the "Advanced attachment features - See progress bars when attaching files to messages, and attach multiple files at once. Requires flash." setting if you click Settings/General tab, once you've logged in to Gmail. Scroll down, somewhere at the bottom of the page you will notice some Attachment options. Also somewhere in that area you have the option to use HTTPS after login if you want extra security (the "Always use https" option for Browser Connection).
quote:
ORIGINAL: stu1st
Thanks for your response guys,
When you say a new access rule to all users to (http:\\www.gmail.com) this means everyone will be able to access Gmail, even unauthenticated ones? But I don't want that to happen, I mean I don't want whoever comes to have access to Gmail.....actually very stupid of ISA to squeeze us in such a corner !!!
I realised that!
I hoped that the attachment bit has a specific URL you could allow; maybe something like www.gmail.com\attachment\something\something\ e.g. very specific - I guess not
It sounds like Adrian has a bit more time to repro your issue...
I have found two working and acceptable solutions: 1, enable HTTP 1.1 through proxy on client side - or - 2, use Gmail on SSL (https://mail.google.com)
< Message edited by Pite -- 18.Mar.2009 5:18:39 PM >
I'm afraid it did not work for me using SSL (which I had by default) unless the proxy settings were set on IE too, not only on FF, no FWC (quite the vice-versa to the "HTTP situation", when the FWC was used with no proxy on FF and IE to get it working). Otherwise the "faulty" HTTPS request was not sent through the proxy, rather was a direct request. And a script stopped working according to FF...
Actually I did not quite repro and investigate, just checked this and that, to see if it's working or not, and didn't bother to figure out why... Anyway I use Gmail with Thunderbird...
Adrian
< Message edited by adimcev -- 18.Mar.2009 7:12:01 PM >
It worked for me in IE when ticking the enable HTTP 1.1 through proxy OR when using Gmail on SSL (https://mail.google.com)....but while using FF it is still asking for credentials (don't know where to enable HTTP 1.1 through proxy in FF)....
Anyway, since all of my users use IE, I guess I don't have to change anything on ISA itself, thank God lol.....
Guys, thanks a lot for your support and time, problem solved :)
quote:
ORIGINAL: stu1st
Dear Adrian, JJ and Pite,
It worked for me in IE when ticking the enable HTTP 1.1 through proxy OR when using Gmail on SSL (https://mail.google.com)....but while using FF it is still asking for credentials (don't know where to enable HTTP 1.1 through proxy in FF)....
Anyway, since all of my users use IE, I guess I don't have to change anything on ISA itself, thank God lol.....
Guys, thanks a lot for your support and time, problem solved :)
I have the same problem. I have a Cisco firewall and I am using ISA for caching only; the firewall service was disabled. How can I solve this problem? Thanks
< Message edited by modather -- 18.May2009 2:36:14 PM >