I have a webserver IIS 6.0 (.net 2.0) behind an ISA 2006 server (standard edition). The web application has the ability to redirect (rewrite headers) from http to https and vice versa, depending on which URLs are requested by the client, or by the hyperlinks (relative) in the html rendered pages. Basically as soon as "sensitive" data is detected, it switches the client to https, and back to http on "normal" pages, so it is not just for login purposes. Setting the complete site up to run in https is also not a good option at this stage.
If I hardcode the links to https, it all works fine, from http to https and from https to http. Using the https module causes havoc and it seems to set up a loop on the proxy, so much so that the requests are so many, it locks me out (flooding). Or all requests get denied, or seem to go to silicon heaven.
My problem is that the link switching URLs are dynamic and not static. I have tried almost every conceivable combination of the web publishing wizard, but to no avail.
Weird is, it works very well with ISA 2000 (sorry I skipped 2004, but it's time to upgrade and ....ooops).
Can I use the "web publishing/proxy wizard" with the added security filters to do what I need, or do I need to punch it through to the web site itself? The second option sort of defeats the reason to have ISA 2006 installed at all (for web publishing) as it will leave the scanning and protection up to the web server to deal with. This does not seem right.
Any advice would be most appreciated. Thanks in advance.
< Message edited by steemje -- 17.Dec.2007 8:22:51 AM >
The answer is yes and no. The "no" part seems that ISA just cannot understand what is happening. ISAserver.org has indicated there may be some articles on HTTPS site publishing, but for some time all I see is publishing articles that explicitly stipulate they are for "NON-SSL" web publishing situations. So I smell a rat...
The yes part...
Forget all the fantastic deep probing and filtering that the HTTP reverse proxy offers, it cannot help you here. Just publish the web server with dynamic SSL switching as a "non-web publishing rule" on port 80. Deal with all the potential hazards yourself at the web server side (and wonder why ISA is there in the first place (okay...pushing it I know ;) ) and it will work.
To date this is the only frustrating solution I have found. To solve the "having to deal with all the hazards at the web server" problem, I just put our old ISA 2000 server in front of it. Seems weird, but works well.
Comments and ideas are still most welcome, I am still looking for a solution and a reason why ISA 2007 cannot do as we need.
Thanks for the feedback, let me know if you find something.
I got it working for one website. Read this post: http://forums.isaserver.org/bug_in_system_policy%3f/m_2002060193/tm.htm Ignore the first part about that question on system policy and follow the rest between me and Tom. However for the website with Prado up to this date I couldn't make it work using the same file index.php and a variable after it. But read through it and tell me if it helps you in any way. For a normal site I can give you some suggestions now.
My problem is that the site constantly shifts between SSL and not. Also the links that are provided on the page to navigate are relative links and will take the current base URL as a starting point.
So let's say you go to the main page. It's not SSL. You click on the logon page link which shows http://... this redirects to https://... You log on and the links on the page now turn to https://... You click on the main page link which should redirect from the web server to http://... but ISA gets into a 302 loop and eventually locks out the src IP for too many http requests. I can't put in the paths for every single page. My Citrix NetScaler does this fine, but it has other problems trying to serve this site. PS
In there ferrix provided me with a third party DLL they developed. You could try it as well. For me however it doesn't work because if I use that plugin to redirect to https and back my session variable gets lost for some reason. Anyway here it is: Here is the documentation, http://www.collectivesoftware.com/Support/PageGuard.pdf
Second. The ONLY way (and trust me, I have been stuck on this issue for 2-3 weeks now...) I managed to make it work is like I wrote in all my posts. You create one http rule and one https rule, and in the HTTPS rule, in paths, you need to specify the files for https you want to publish. In the http rule you can put /* and it works. But if you also put /* in https, ISA goes into that 302 loop problem.
Also more on the ironic side of things... Let's say the initial page you publish on HTTPS also includes other pages. I "speak" PHP here, so inside a .php file you can include another file like "include inc_connect.php" for example. So you must also publish them (read this: include them in the PATHS under the HTTPS rule). Say you have an /admin section, so www.site.com/admin. The default document would be index.php, so you need to publish the HTTPS as /index.php and all the other documents it refers to. If inside it you have an include /test/aaa.php you would have to put /test/aaa.php under paths as well. And here is the funny part. The references you can publish with /*, meaning if I had more pages that I need to include in that /test folder I don't need to specify them all, I can simply put /test/* in the HTTPS rule in paths. But in the folder where the redirection takes place you can not do that as ISA breaks. These are my findings for now :)
I am surprised so few people complain in here about this... maybe it's just us that have complex websites to publish or I don't know...
I found a MS KB article about adding in the https link translation, but they did not mention the http one. The poster on the asp.net site suggested maybe you needed an http one too. So I put them both in there and presto it works.
Here is the article on the MS site that tells you how to do the https one, but like I said you also need to add an http one:
paul_psmith, first let me put on my hat, just so I can take it off in front of you now :) YOU ARE THE MAN! I added those 2 link translations and all my sites work now. Indeed adding JUST the https one does not solve the problem, so you need both the http and the https. Man, not in a million years would I have thought of this... I do hope this will help many people as situations like this with redirects I do believe are very common! This should be added as a sticky or something :)
Amazing! Thank you so much paul_psmith! Solved my issue as well.
For convenience I thought all the instructions in one post would be nice.
Add explicit mappings to the link translation dictionary. These explicit mappings will avoid an endless loop that is created when ISA server translates SSL requests to HTTP requests and redirects them to the Web server.
For example, add an explicit "do nothing" string mapping such as https://www.contoso.com to https://www.contoso.com. The unwanted translation that causes the endless loop is overridden by this "do nothing" mapping. To do this, follow these steps:
1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2. Expand Microsoft Internet Security and Acceleration Server 2006, expand Server Name, and then click Firewall Policy.
3. In the details pane, click the applicable Web publishing rule.
4. On the Tasks tab, click Edit Selected Rule.
5. On the Link Translation tab, click Configure, and then click Add.
6. In the Replace this text box, type the explicit string that you want to add to the link translation dictionary. For example, type https://www.contoso.com
7. In the With this text box, type the same string that you added in step 6. For example, type https://www.contoso.com again.
Note: When you type the same string in the Replace this text box and the With this text box, the ISA server does not translate SSL requests to HTTP requests for that string entry.
8. Repeat steps 6 and 7 using the same domain string, using the non-secure HTTP protocol. For example, type http://www.contoso.com
9. Click OK two times.
10. Click Apply, and then click OK.
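The following is an added simulation, not code from this thread, ISA Server or Microsoft, that models why the thread's two "do nothing" mappings are both needed. It assumes a simplified proxy whose automatic link translation rewrites the scheme of a backend redirect back to the scheme the client used, that explicit dictionary entries take precedence over that automatic rewrite, and a constructed backend that forces /login and /account onto HTTPS and everything else back to HTTP. The host www.contoso.com is the placeholder from the KB steps above. The simulation shows that with the HTTPS-only mapping the login step stops looping but the return to a normal page still does, and that adding the HTTP mapping as well makes every transition terminate.

```python
"""Constructed model of a reverse proxy's link translation and the 302 loop it can create."""
from typing import Dict, List, Optional

HOST = "www.contoso.com"            # placeholder host from the KB steps in the thread
SENSITIVE = {"/login", "/account"}  # assumed: pages the application forces onto HTTPS
MAX_HOPS = 20                       # hop budget after which we declare a redirect loop

# Candidate link-translation dictionaries (explicit entries the administrator adds).
NO_MAPPINGS: Dict[str, str] = {}
HTTPS_ONLY = {f"https://{HOST}": f"https://{HOST}"}
BOTH_MAPPINGS = {f"https://{HOST}": f"https://{HOST}",
                 f"http://{HOST}": f"http://{HOST}"}


def backend(scheme: str, path: str) -> Optional[str]:
    """Constructed application behaviour: return a redirect Location, or None for a 200.

    Sensitive pages requested over http are sent to https; normal pages requested
    over https are sent back to http, exactly the dynamic switching the thread describes.
    """
    wants_https = path in SENSITIVE
    if wants_https and scheme == "http":
        return f"https://{HOST}{path}"
    if not wants_https and scheme == "https":
        return f"http://{HOST}{path}"
    return None


def link_translate(url: str, explicit: Dict[str, str], implicit: Dict[str, str]) -> str:
    """Rewrite a Location URL: explicit entries win (longest prefix first), then the implicit rule."""
    for src, dst in sorted(explicit.items(), key=lambda kv: -len(kv[0])):
        if url.startswith(src):
            return dst + url[len(src):]
    for src, dst in implicit.items():
        if url.startswith(src):
            return dst + url[len(src):]
    return url


def follow(start_url: str, explicit: Dict[str, str], max_hops: int = MAX_HOPS) -> List[str]:
    """Follow redirects through the modelled proxy; return the URLs visited or raise on a loop."""
    url = start_url
    trail = [url]
    for _ in range(max_hops):
        scheme, rest = url.split("://", 1)
        path = "/" + rest.split("/", 1)[1] if "/" in rest else "/"
        location = backend(scheme, path)
        if location is None:            # 200 OK, the client is done
            return trail
        # Assumed automatic translation: the rule that served the request maps the
        # other scheme's public URL back onto its own scheme.
        other = "http" if scheme == "https" else "https"
        implicit = {f"{other}://{HOST}": f"{scheme}://{HOST}"}
        url = link_translate(location, explicit, implicit)
        trail.append(url)
    raise RuntimeError(f"redirect loop after {max_hops} hops: ... {trail[-3:]}")


def loops(start_url: str, explicit: Dict[str, str]) -> bool:
    """True if following start_url with this dictionary never reaches a 200."""
    try:
        follow(start_url, explicit)
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    for name, table in (("no mappings", NO_MAPPINGS),
                        ("https only", HTTPS_ONLY),
                        ("http and https", BOTH_MAPPINGS)):
        for start in (f"http://{HOST}/login", f"https://{HOST}/"):
            print(f"{name:15} {start:35} loops={loops(start, table)}")
```

Each identity entry pins one scheme's public URL so the automatic rewrite never touches it; the backend's own 302 is then what the client sees, and the lockout-from-flooding symptom in the thread disappears because the client stops bouncing between the two listeners.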