• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

switching between http and https does not work

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Publishing] >> Web Publishing >> switching between http and https does not work Page: [1]
Login
Message << Older Topic   Newer Topic >>
switching between http and https does not work - 17.Dec.2007 8:21:21 AM   
steemje

 

Posts: 2
Joined: 30.Aug.2002
From: Netherlands
Status: offline
I have a webserver IIS 6.0 (.net 2.0) behind a ISA 2006 server(standard edition). The web application has the ability to redirect (rewrite headers) from http to https and visa versa, bepending which URL's are requested by the client, or by the hyperlinks (relative) in the html rendered pages. Basically as soon as "sesitive" data is detected, it swiches the client to https, and back to http on "normal" pages, so it is not just for login purposes. Setting the complete site up to run in https is also not a good option at this stage.

If I hardcode the links to https, it all works fine, from http to https and from https to http. Using the https module, causes havoc and it seems to set up a loop on the proxy, so much so that the requests are so many, it locks me out (floading). Or all requests get denied, or seems to go to silicon heaven.

My problem is that the link switching urls are dynamic and not static. I have tried almost every conceivable combination of the web publishing wizard, but to no avail.

Weird is, it works very well with ISA 2000 (sorry I skipped 2004, but it's time to upgrade and ....ooops)

Can I use the "web publishing/proxy wizard" with the added security filters to do what I need, or do I need to punch it through to the web site itself. The second option sort of defeats the reason to have ISA 2006 installed at all (for web publisging) as it will leave the scanning and protection up to the web server to deal with. This does not seem right. 

Any advise would be most appreciated.
Thanks in advance

Jay

< Message edited by steemje -- 17.Dec.2007 8:22:51 AM >
Post #: 1
RE: switching between http and https does not work - 10.Jan.2008 2:45:40 PM   
remushociota

 

Posts: 64
Joined: 12.Apr.2004
Status: offline
Hi

Did you find any solution to this? I have a similar problem. Once I direct them to HTTPS there is no way to send them back to HTTP.

(in reply to steemje)
Post #: 2
RE: switching between http and https does not work - 24.Jan.2008 4:48:31 PM   
steemje

 

Posts: 2
Joined: 30.Aug.2002
From: Netherlands
Status: offline
Hallo,

The answer is yes and no. The "no" part seems that ISA just cannot understand what is happening. ISAserver.org has indicated there may be some articles on HTTPS site publishing, but for some time all I see is publishing articles that explicitly stipulate they are for  "NON-SSL" web publishing situations. So I smell a rat...

The yes part...

Forget all the fantastic deep probing and filtering that the HTTP reverse proxy offers, it cannot help you here . Just publish the web server with dynamic SSL switching as a "non-web publishing rule" on port 80. Deal with all the potential hazards yourself  at the web server side (and wonder why ISA is there in the first place (okay...pushing it I know ;) ) and it will work.

To date this is the only frustrating solution I have found. To solve the "having to deal with all the hazards at the web server" problem, I just put our old ISA 2000 server infront of it. Seems weird, but works well.

Commets and ideas are still most welcome, I am still looking for a solution and a reason why ISA 2007 cannot do as we need.

Thanks for the feedback, let me know if you find something.

Jay


(in reply to remushociota)
Post #: 3
RE: switching between http and https does not work - 25.Jan.2008 9:40:40 AM   
ferrix

 

Posts: 547
Joined: 16.Mar.2005
Status: offline
I'm not sure I understand the problem you're talking about... you can publish http, and also https.  If you want to redirect some URLs you can do that with deny rules. 

If you need to have some "unknown" suffix on the URLs, then (if my memory is correct) you can do that using WebDirect.  The ISA built-in redirection can only send you to an exactly specified URL.

(in reply to steemje)
Post #: 4
RE: switching between http and https does not work - 2.Feb.2008 7:11:05 PM   
remushociota

 

Posts: 64
Joined: 12.Apr.2004
Status: offline
Hi Jay.

I got it working for one website. Read this post: http://forums.isaserver.org/bug_in_system_policy%3f/m_2002060193/tm.htm
Ignore the first part about that question on system policy and follow the rest between me and Tom.
However for the website with Prado up to this date I couldn't make it work using the same file index.php and a variable after it.
But read through it and tell me if it helps you in any way. For a normal site I can give you some suggestions now.

Remus

(in reply to steemje)
Post #: 5
RE: switching between http and https does not work - 6.Feb.2008 10:28:11 AM   
paul_psmith

 

Posts: 78
Joined: 2.Nov.2006
Status: offline
Same problem here with 2006. I don;t have any old 2000 ISA servers around so I have to use the web publishing rules.

Maybe if enough people compalin about this we can get MS to patch it.

thanks

PS

(in reply to steemje)
Post #: 6
RE: switching between http and https does not work - 6.Feb.2008 1:21:28 PM   
paul_psmith

 

Posts: 78
Joined: 2.Nov.2006
Status: offline
I tried the link you gave and it works, sort of.

My problem is that the site constantly shifts between SSL and not. Also the links that are provided to on the page to navigate are releative links and will take the current base URL as a starting point.

So lets say you go to the main page. Its not SSL.
You click on the logon page link which shows http://...
this redirects to https://...
You logon and the links on the page now turn to https://...
You click on the main page link which should redirect from the web server to http://... bit ISA gets into a 302 loop and eventually locks out the src IP from too many http requests.
I can't put in the paths for every single page.
My Citrix NetScalar does this fine, but it has other problems trying to serve this site.
PS

(in reply to remushociota)
Post #: 7
RE: switching between http and https does not work - 6.Feb.2008 5:20:02 PM   
remushociota

 

Posts: 64
Joined: 12.Apr.2004
Status: offline
Hi paul_psmith I feel your pain :)

First also look at this thread http://forums.isaserver.org/Status%3a_302_Moved_Temporarily/m_2002060023/tm.htm it deals exactly with this 302 Moved Temporarily Problem.

In there ferrix provided me with a third party DLL they developed. You could try it as well. For me however it doesn't work because if I use that plugin to redirect to https and back my session variable gets lost for some reason. Anyway here it is:
Here is the documentation,
http://www.collectivesoftware.com/Support/PageGuard.pdf

And the filter installer.
http://www.collectivesoftware.com/Downloads/PageGuard.msi


Second. The ONLY way (and trust me I am stuck on this issue for 2-3 weeks now...) I managed to make it work is like I wrote in all my posts. You create one http rule and one https rule and in the HTTPS rule in paths you need to specify the files for https you want to publish. In the http rule you can put /* it works.
But if you put in https also /* ISA is going into that 302 loop problem.

Also more on the ironic side of things... Let's say the initial page you publish on HTTPS also includes other pages. I "speak" PHP here so inside a .php file you can include another file like "include inc_connect.php" for example. So you must also publish (read this Include them in the PATHS under the HTTPS rule) them.
Say you have an /admin section. So www.site.com/admin The default document would be index.php so you need to publish the HTTPS as /index.php and all the other documents it reffers to. If inside it you have an include /test/aaa.php you would have to put under paths also /test/aaa.php
And here is the funny part. The references you can publish them with /* meaning if I would have more pages that I need to include in that /test folder I don't need to specify them all I can simply put /test/* in the HTTPS rule in paths.
But in the folder where the redirection takes place you can not do that as ISA breaks. This are my findings for now :)

I am surprised so few people complain in here about this... maybe it's just us that have complex websites to publish or I don't know...

remus

(in reply to paul_psmith)
Post #: 8
RE: switching between http and https does not work - 7.Feb.2008 11:35:19 PM   
paul_psmith

 

Posts: 78
Joined: 2.Nov.2006
Status: offline
SCOOOORRRRREEEE!!! I found it!!

Forum post on the asp.net site and the MS site pointed me in the right direction!

You need to add link translations for both http and https but point them to thmeselves.

http://yoursite.com  links to http://yoursite.com
and
https://yoursite.com links to https:/yoursite.com

I found a MS KB article about adding in the https link translation, but they did not mention the http one. The poster on the asp.net site suggested maybe you needed an http one too. So I put them both in there and presto it works.

Here is the article on the MS site that tells you how to do the https one, but like I said you also need to add an http one:

http://support.microsoft.com/kb/924373


(in reply to remushociota)
Post #: 9
RE: switching between http and https does not work - 8.Feb.2008 1:47:58 AM   
remushociota

 

Posts: 64
Joined: 12.Apr.2004
Status: offline
paul_psmith first let me put on my hat, just so I can take it off in front of you now :) YOU ARE THE MAN!
I added those 2 link translations and all my sites work now. Indeed adding JUST the https one does not solve the problem so you need both the http and the https.
Man not in a million years would I have thought of this...
I do hope this will help many people as situations like this with redirects I do belive are very common! This should be added as a sticky or something :)

thanks!

(in reply to paul_psmith)
Post #: 10
RE: switching between http and https does not work - 8.Feb.2008 1:02:14 PM   
stweedle@mmspd.com

 

Posts: 3
Joined: 28.Jan.2008
Status: offline
Amazing! Thank you so much paul_psmith! Solved my issue as well.

For convenience I thought all the instructions in one post would be nice.

----
quote:


Add explicit mappings to the link translation dictionary. These explicit mappings will avoid an endless loop that is created when ISA server translates SSL requests to HTTP requests and redirects them to the Web server.

For example, add an explicit "do nothing" string mapping such as https://www.contoso.com to https://www.contoso.com. The unwanted translation that causes the endless loop is overridden by this "do nothing" mapping. To do this, follow these steps:

1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2. Expand Microsoft Internet Security and Acceleration Server 2006, expand Server Name, and then click Firewall Policy.
3. In the details pane, click the applicable Web publishing rule.
4. On the Tasks tab, click Edit Selected Rule.
5. On the Link Translation tab, click Configure, and then click Add.
6. In the Replace this text box, type the explicit string that you want to add to the link translation dictionary. For example, type https://www.contoso.com
7. In the With this text box, type the same string that you added in step 6. For example, type https://www.contoso.com again.

Note When you type the same string in the Replace this text box and the With this text box, the ISA server does not translate SSL requests to HTTP requests for that string entry.
8. Repeat steps 6 and 7 using the same domain string, using the non-secure HTTP protocol. For example, type http://www.contoso.com
9. Click OK two times.
10. Click Apply, and then click OK.


(in reply to remushociota)
Post #: 11
RE: switching between http and https does not work - 28.Oct.2010 12:55:26 PM   
rralston

 

Posts: 18
Joined: 22.Jul.2002
From: Boston, MA
Status: offline
I just encountered this exact problem, and this solved it. Even though this thread is two years old, I wanted to thank those that helped resolve this.

Rob

_____________________________

Rob Ralston
SilverBullet Technologies LLC
www.silverbullettech.com

(in reply to stweedle@mmspd.com)
Post #: 12

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Publishing] >> Web Publishing >> switching between http and https does not work Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts