Proxy By-Pass rules + ISA + Juniper Network Connect = headache

  • Thread starter: Jay

Hi guys, I have a problem and wonder if you can shed some light.

We are using a program called Juniper Network Connect (creates an SSL tunnel back to a server for secure connections).

However, as we run a proxy server, the session needs to go through the proxy first.

I have added a by-pass rule for *.abc.com/*, which works fine in IE6 (and enables the program to run fine).

However, if the PC has IE7 or IE8 installed, it will not allow *.abc.com/*

It will allow *.abc.com, however the connection fails (it NEEDS the /*).

Does anyone know why this won't work in IE7 & IE8? Is there another way for inputting the wildcard?

Regards
 
We run ISA 2006 as the proxy, behind a Cisco PIX (hardware). With the proxy disabled, the SSL connection works fine (so I know it isn't a problem with the Cisco PIX).

I have also tried manually creating a new rule in ISA 2006 to allow ALL traffic inbound/outbound from a test machine, and it still fails to connect. (I think ISA has a problem initiating and holding SSL links on ports other than 443?)

If the PC has IE6, and the bypass rule is *.abc.com/*, it works flawlessly. However, the following will not work (won't work connection-wise; they are allowed in the by-pass list):

https://*.abc.com
*.abc.com*
*.abc.com

If the PC has IE7 or IE8, it will not hold the /* part. If I add the /* to group policy, when going into the proxy settings on the PC running IE7/IE8, the proxy shows up as corrupt ([]proxy01.x.com:8080[]) with all the by-pass rules missing. Very strange.

It's weird why IE7/IE8 won't understand the /* :S
 
ISA doesn't allow non-TCP-443 SSL connections by default. You need to alter it somewhat first.

http://www.isaserver.org/articles/2004tunnelportrange.html

That's for ISA 2004 but it's similar for 2007 IIRC, not sure about TMG or whatever the 2010 version is called.
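
Added example (not part of the thread and not ISA's own code): a small model of the check the reply above describes, where a forward proxy refuses a CONNECT tunnel unless the destination port falls inside a configured tunnel port range. The host `vpn.abc.com`, port 4443, the 400/403 status codes and all function names are assumptions for illustration.

```python
import re

# Assumption: (name, low, high) tuples stand in for the proxy's tunnel port
# ranges; only TCP 443 is present, matching the default described above.
DEFAULT_RANGES = [("SSL", 443, 443)]

_CONNECT = re.compile(
    r"^CONNECT\s+(\[[0-9A-Fa-f:]+\]|[^\s:]+):(\d{1,5})\s+HTTP/1\.[01]$")

def parse_connect(request_line):
    """Return (host, port) from a CONNECT request line, or None if malformed."""
    m = _CONNECT.match(request_line.strip())
    if not m:
        return None
    port = int(m.group(2))
    if not 1 <= port <= 65535:
        return None
    return m.group(1), port

def decide(request_line, ranges=DEFAULT_RANGES):
    """Return (status, reason) this model proxy would send for the CONNECT."""
    parsed = parse_connect(request_line)
    if parsed is None:
        return 400, "malformed CONNECT"
    host, port = parsed
    for name, low, high in ranges:
        if low <= port <= high:
            return 200, f"tunnel to {host}:{port} allowed by range {name}"
    return 403, f"port {port} is outside every tunnel port range"

def add_range(ranges, name, low, high, max_width=1):
    """Return a new range list with one extra entry, refusing wide ranges."""
    if not (1 <= low <= high <= 65535):
        raise ValueError("invalid port range")
    if high - low + 1 > max_width:
        raise ValueError("range too wide; open only the port the VPN uses")
    return ranges + [(name, low, high)]

# Constructed sample requests; host and port 4443 are placeholders.
SAMPLES = [
    "CONNECT vpn.abc.com:443 HTTP/1.1",
    "CONNECT vpn.abc.com:4443 HTTP/1.1",
    "CONNECT vpn.abc.com HTTP/1.1",
]

if __name__ == "__main__":
    widened = add_range(DEFAULT_RANGES, "VPN", 4443, 4443)
    for line in SAMPLES:
        print(line, "->", decide(line)[0], "default,", decide(line, widened)[0], "widened")
```

Adding a single named port keeps the tunnel restriction meaningful; the `max_width` guard rejects an attempt to open a broad range instead.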
 
What you can try is to set up a web chaining rule so abc.com/* is retrieved directly from the internet rather than via the proxy server.

Kimbie
 