EldoS | Feel safer!

Indy + SSL via Microsoft ISA firewall

#2777
Posted: 04/24/2007 06:14:56
by Andrew Fiddian-Green (Standard support level)
Joined: 01/08/2007
Posts: 14

My application is using TIdHTTP (Indy v10) together with your ElIndySSLIOHandlerSocket. On all of my own test networks it works fine, but one of my customers has a Microsoft ISA 2004 Firewall and is having problems connecting through it. The customer is on another continent, so it is very difficult for me to debug this problem; any tips would be appreciated. (My application is doing an HTTPS POST to upload some XML information to an e-Commerce server.)

Regards,
AndrewFG
#2779
Posted: 04/24/2007 07:13:02
by Eugene Mayevski (EldoS Corp.)

ISA server uses NTLM authentication. HTTP Authentication is not our business but Indy's. I think that you need to use HTTP CONNECT proxy type with proxy authentication via HTTP. In any case, you should contact Indy support for explanations.


Sincerely yours
Eugene Mayevski
#2785
Posted: 04/24/2007 11:44:42
by Andrew Fiddian-Green (Standard support level)
Joined: 01/08/2007
Posts: 14

My customer is NOT using the web proxy server function of ISA server. So the issue is not anything to do with NTLM authorization, nor with the CONNECT method. And so I think it is not a problem with the Indy layer but with the SSL layer...

It seems my customer is using the ISA server in "firewall" mode, and it is configured (so he claims) to allow HTTPS to pass through it; in other words it should allow a client to build an SSL tunnel through the firewall to the server.

However the firewall is blocking the connection, so I wonder if there is something "special" about your SSL handshaking negotiation process which could be different than other applications (e.g. IE) and which might cause ISA to close the connection??

Regards,
AndrewFG
#2786
Posted: 04/24/2007 12:04:07
by Eugene Mayevski (EldoS Corp.)

Try to disable TLS 1.1. Maybe ISA gets confused by this version. Some stupid software like OpenSSL is.


Sincerely yours
Eugene Mayevski
#2788
Posted: 04/24/2007 17:04:43
by Andrew Fiddian-Green (Standard support level)
Joined: 01/08/2007
Posts: 14

I guess you mean something like the following: ??

fSSL := TElClientIndySSLIOHandlerSocket.Create;
fSSL.Versions := [sbSSL2, sbSSL3];

Regards,
AndrewFG
#2789
Posted: 04/25/2007 01:18:39
by Eugene Mayevski (EldoS Corp.)

fSSL.Versions := [sbSSL2, sbSSL3, sbTLS1];


Sincerely yours
Eugene Mayevski
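Added example, not code from this thread or from EldoS' own library: when a firewall is suspected of rejecting a handshake because of the protocol version the client advertises, it helps to look at exactly what goes on the wire. The Python below builds a minimal ClientHello for a chosen version (constructed sample data, no extensions) and parses back both the record-layer version and the handshake-layer client_version, which may legitimately differ; the byte layout follows the SSL 3.0/TLS 1.x record and handshake formats.

```python
import struct

# Conventional names for the version numbers carried in SSL/TLS headers.
VERSION_NAMES = {(2, 0): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def build_client_hello(client_version, record_version=None,
                       cipher_suites=(0x002F, 0x0035)):
    """Construct a minimal ClientHello record for testing (constructed data).

    client_version is the (major, minor) pair inside the handshake message;
    record_version (defaults to the same) is the pair in the 5-byte record header.
    """
    major, minor = client_version
    rec_major, rec_minor = record_version or client_version
    body = bytes([major, minor]) + bytes(32)      # client_version + all-zero random (test only)
    body += b"\x00"                               # session_id length 0
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                           # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # 1 = client_hello
    return struct.pack("!BBBH", 22, rec_major, rec_minor, len(handshake)) + handshake

def parse_client_hello(record):
    """Return the versions a ClientHello advertises; raise ValueError if malformed."""
    if len(record) < 5 + 4 + 2:
        raise ValueError("record too short for a ClientHello")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 22:                        # 22 = handshake content type
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != 1:
        raise ValueError("handshake message is not a ClientHello")
    if hs_len != len(body) - 4:
        raise ValueError("handshake length does not match record")
    rec_ver, cli_ver = (rec_major, rec_minor), (body[4], body[5])
    return {"record_version": rec_ver,
            "record_version_name": VERSION_NAMES.get(rec_ver, "unknown"),
            "client_version": cli_ver,
            "client_version_name": VERSION_NAMES.get(cli_ver, "unknown")}

if __name__ == "__main__":
    # A client offering TLS 1.1 in client_version while keeping a TLS 1.0 record header.
    print(parse_client_hello(build_client_hello((3, 2), record_version=(3, 1))))
```

A capture of the real ClientHello that the firewall drops can be fed to parse_client_hello in place of the constructed sample.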