ISA Server 2004 Plus IE 7.0

Headaches.

That’s what the above combination gave me, but, like many things in life, it was a good learning experience, and shows that sometimes one tends to overlook obvious items when dealing with seemingly overly complex configurations.

One is always ready to implement the highest levels of security, but often this results in multiple layers of security eventually obfuscating each other in such a manner that it becomes impossible to figure out where exactly everything went from pristine to a steaming flowerbed of horse faeces.

For a simple start, if you are running an ISA server, and you’re explicitly allowing specified users access to specified websites, ensure that the phishing filter is disabled in IE 7.0 and above. Either that, or give explicit access to urs.microsoft.com:443. That’s where every single page request is going to go, and your ISA box is going to give your user a delightful middle finger, and little explanation as to why.

Needless to say, the issue is resolved, the user can access the website, but, because of a lot of issues that I do not yet understand, they can also access any other secure website. It’s the caveat that I have had to accept in order to allow them explicit access to the aforementioned website. For some reason our ISA box is not allowing https traffic through unless it is allowed to allow _all_ https traffic through.

Excluding everything but the website in question, even when allowing for wildcards, simply results in the rule being utterly ignored. Left out like a red-headed optelkind. I still haven’t figured out why, but the other issue is probably the reason.

After speaking to Sir Twistie (aka PaCiFiEr) he revealed that his ISA box runs 2 rules – deny everyone from everything, and allow only what he wants. My box is running 23 rules. A slight difference there it would seem. Probably also the cause of my four hour rant and rave against the ISA box. And to think that this morning I offered a domain controller to the IT gods. Perchance it is because they foresee a Linux installation on that old Windows box, perhaps it is the doing of the Dell VM Server after the dissing I gave to the head of IT about Dell and their crap lead times. Who knows.

Regardless, the solution given is less than ideal – allow the user access to the external network, limit them to https traffic only, and then limit the rule to two specific usernames, and a specific machine. Hopefully it’ll hold until I can remove every stinking rule on that ISA and recon the entire thing – probably around the same time that I find the time to write that legacy novel and discover cures for cancer, HIV and figure out how to turn plastic into fertilizer.
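To make the two points above concrete (the phishing filter’s lookup to urs.microsoft.com:443 on L9, and the “2 rules vs 23” ordering lesson), here is an added illustration, not code from the post or from ISA Server: a small first-match policy evaluator, which is how an ordered firewall policy such as ISA’s behaves. The rule names, user names and machine name are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One ordered access rule; "*" in a set means 'any'."""
    name: str
    action: str                                            # "allow" or "deny"
    protocols: set = field(default_factory=lambda: {"*"})
    users: set = field(default_factory=lambda: {"*"})
    sources: set = field(default_factory=lambda: {"*"})    # source machines
    dest_hosts: set = field(default_factory=lambda: {"*"})

    def matches(self, proto, user, src, host):
        def ok(allowed, value):
            return "*" in allowed or value in allowed
        return (ok(self.protocols, proto) and ok(self.users, user)
                and ok(self.sources, src) and ok(self.dest_hosts, host))


def evaluate(rules, proto, user, src, host):
    """First matching rule wins; a request matching nothing is denied."""
    for rule in rules:
        if rule.matches(proto, user, src, host):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Constructed policy modelling the workaround in the post: two named users on
# one machine may use HTTPS to any external host; everything else is denied.
WORKAROUND = [
    Rule("allow-https-two-users", "allow", {"HTTPS"}, {"alice", "bob"}, {"ws-07"}),
    Rule("deny-all", "deny"),
]

# Constructed ordering pitfall: the same allow rule placed below a broad deny is
# never reached, so it looks "utterly ignored" even though it is correct.
SHADOWED = [
    Rule("deny-all", "deny"),
    Rule("allow-https-two-users", "allow", {"HTTPS"}, {"alice", "bob"}, {"ws-07"}),
]


def phishing_filter_lookup(rules, user, src):
    """IE7's phishing filter checks each page against urs.microsoft.com over 443."""
    return evaluate(rules, "HTTPS", user, src, "urs.microsoft.com")
```

The evaluator also shows the cost of the workaround: once the allow rule matches on protocol, user and machine alone, every HTTPS host is reachable, not just the one site.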

Anyway, the day is done, the user can access their website, and I still have a proposal to write for a new process in Johannesburg. It’s been a hell of a day, and I think that it isn’t going to get any better any time soon.

J out.
