Celestix / ISA 2006 and eBay.co.uk (Full Version)


st1967 -> Celestix / ISA 2006 and eBay.co.uk (6.Nov.2009 5:05:37 AM)

Looking everywhere for this particular problem we have and absolutely no joy.

We have been a happy Celestix Application Server user for almost 3 years (msa2000i) which runs as a proxy with Websense.  We have been using it behind a 6 year old Cisco PIX firewall and we have recently upgraded and moved our WAN and it now runs behind a WATCHGUARD firewall solution.

Our problem is that we cannot sign into ebay.co.uk?  It's not Websense because it's a "page cannot be displayed" error and I'm a power user anyway.  You get the main "http://www.ebay.co.uk" page, you even get the "http://my.ebay.co.uk" page where you log on to your account.  The fun and games start when you enter your logon details and it then tries to log on to "https://signin.ebay.co.uk"; this always returns a "page cannot be displayed".

We know it is something on the proxy because all our central fileservers have open access via the firewall and they can log on perfectly.

Our Watchguard support think it is something to do with the SSL cert belonging to ebay.com and it's trying to log on to ebay.co.uk?  But that might just be clutching at straws?

Anybody else out there seen this or have any idea what I can do?  At the moment I'm contemplating working out all the IPs/subnets to bypass the proxy but I think that is defeating the object somewhat.  We use eBay quite heavily to sell truck parts.

Many Thanks.




richardhicks -> RE: Celestix / ISA 2006 and eBay.co.uk (6.Nov.2009 11:59:29 AM)

It is more likely that the HTTP filter is objecting to something.  I'm able to reach the site behind my ISA 2006 firewall, however.  Do you see in the logs when you try to connect to the site?




st1967 -> RE: Celestix / ISA 2006 and eBay.co.uk (6.Nov.2009 12:12:45 PM)

quote:

ORIGINAL: richardhicks

It is more likely that the HTTP filter is objecting to something.  I'm able to reach the site behind my ISA 2006 firewall, however.  Do you see in the logs when you try to connect to the site?


Thanks for the reply.

I am getting Failed Connection Attempt,  SSL-Tunnel Protocol, Port 443, Source Network External, Destination Network External,




Jason Jones -> RE: Celestix / ISA 2006 and eBay.co.uk (6.Nov.2009 12:23:12 PM)

Is the Watchguard trying to do something "clever" to HTTP traffic coming from ISA?

I have used eBay in many ISA environments, so it has got to be something environmental or specific about your config...

Cheers

JJ




richardhicks -> RE: Celestix / ISA 2006 and eBay.co.uk (6.Nov.2009 12:26:36 PM)

I think you've found your problem.  The source network is 'external'?  Same as the destination? 




st1967 -> RE: Celestix / ISA 2006 and eBay.co.uk (6.Nov.2009 12:28:50 PM)

quote:

ORIGINAL: Jason Jones

Is the Watchguard trying to do something "clever" to HTTP traffic coming from ISA?



Thanks both, I don't think the Watchguard is doing anything clever, it just passes http/https through that is all?

However the SSL error has moved me in a new direction and I found this in another post on an old thread

"SSL errors almost always relate to going out 1 way , and coming back another way, hence not completing the handshake. In normal words : you probably have a different default gateway than your proxy server."

Now this is the case because we were originally having the Celestix in a DMZ so it has a 10.0.0.x address and gateway, the rest of our network is on 192.168.x.x !!

I will pass this onto my support team and see what they think of it?




st1967 -> RE: Celestix / ISA 2006 and eBay.co.uk (6.Nov.2009 12:36:20 PM)

quote:

ORIGINAL: richardhicks

I think you've found your problem.  The source network is 'external'?  Same as the destination? 


Oh dear, just removed what I thought was causing this on the default web rule and I've stopped it working.  I removed All Networks (and local host) from the From/Listener section of my web access only rule.




st1967 -> RE: Celestix / ISA 2006 and eBay.co.uk (6.Nov.2009 12:40:56 PM)

quote:

ORIGINAL: richardhicks

I think you've found your problem.  The source network is 'external'?  Same as the destination? 


Where would it be picking up this Source as "external" then?  Or is the Different Gateways more of the cause?  Something to ponder, had enough for a Friday afternoon now.




richardhicks -> RE: Celestix / ISA 2006 and eBay.co.uk (6.Nov.2009 12:43:39 PM)

I would look very closely at your routing configuration.  Something is very strange here, that's for sure. :)




st1967 -> RE: Celestix / ISA 2006 and eBay.co.uk (6.Nov.2009 12:46:04 PM)

quote:

ORIGINAL: richardhicks

I would look very closely at your routing configuration.  Something is very strange here, that's for sure. :)


Thanks, I will do, it can wait till Monday morning though




pfearns23 -> RE: Celestix / ISA 2006 and eBay.co.uk (6.Nov.2009 1:09:58 PM)

Hi,

Are you still having problems?

Can you PM me your phone number and I can call you and run through some things!

Cheers




st1967 -> RE: Celestix / ISA 2006 and eBay.co.uk (12.Nov.2009 11:22:54 AM)

quote:

ORIGINAL: pfearns23

Hi,

Are you still having problems?

Can you PM me your phone number and I can call you and run through some things!

Cheers


Just to close this off for anybody interested.  Spoke to Paul at Celestix UK and he kindly connected onto my box to have a look.

It turned out to be a Websense issue, in that Websense did not know it was also a proxy server so it was doing strange things with the HTTPS traffic.

Paul took time over several days to give me a hand, but it wasn't until he looked remotely that he spotted it right away.  I can't praise Paul and Celestix enough, even though my server is a few years old now and out of support he was quite happy to do what he could to fix it.

Many Many Thanks to Paul and Celestix, I've a happy group of users around the UK now.




paulo.oliveira -> RE: Celestix / ISA 2006 and eBay.co.uk (13.Nov.2009 7:45:05 AM)

Thanks for sharing with the community!! ;)

Regards,
Paulo Oliveira.



