
Conference gyro::internet_toolss

Title: Internet Tools
Notice: Report ALL NETSCAPE Problems directly to [email protected].rnet? Read note 448.L for beginner information.
Moderator: teco.mro.dec.com::tecotoo.mro.dec.com::mayer
Created: Fri Jun 25 1993
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 4714
Total number of notes: 40609

4447.0. "Is HTTPS now allowed through our internal firewall" by NZOV02::VICKERY () Mon Feb 03 1997 23:34

    
    Does anyone have a workaround to maintain an HTTPS session through the
    internal firewall?
    
    Whenever I attempt to do this the firewall responds with "Access Denied
    you are not allowed to access "website":443".
    
    Is there a specific Proxy server configured to allow HTTPS? 
    

    The proxy server that responds is www-relay2.pa-x.dec.com
    
    
    Many thanks for a prompt response.
    
    Ian Vickery
T.R  Title  User  Personal Name  Date  Lines
4447.1. "ActiveX and HTTPS" by NZOV02::VSEVOLODM () Mon Feb 03 1997 23:47 (15 lines)
    This is a supplement to .0:
    
    Sometimes you need to download an ActiveX control from the Web site you
    are looking for.
    There is only one way to verify such a control: check it against
    a trustworthy authority like the VeriSign Web site.
    And you are not able to do this, because you can't run HTTPS
    from within the DIGITAL internetwork.
    I wonder if anybody is concerned about it.
    The vast majority of people simply download the control without checking
    it.
    
    End of the story and security.
       
        
4447.2. "Re: Is HTTPS now allowed through our internal firewall" by QUABBI::"[email protected]" (Stephen Stuart) Tue Feb 04 1997 00:19 (24 lines)
[email protected] wrote:
: Title: Is HTTPS now allowed through our internal firewall

:     Does anyone have a workaround to maintain an HTTPS session through the
:     internal firewall?
:     
:     Whenever I attempt to do this the firewall responds with "Access Denied
:     you are not allowed to access "website":443 
:     
:     Is there a specific Proxy server configured to allow HTTPS? 
:     

:     The proxy server that responds is www-relay2.pa-x.dec.com

Jean-Paul Rambeau told me that ExARC would be making a decision on my
request to allow https: proxying to arbitrary hosts sometime next week.

Stephen
--
- -----
Stephen Stuart				[email protected]
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]
4447.3. by teco.mro.dec.com::tecotoo.mro.dec.com::mayer (Danny Mayer) Tue Feb 04 1997 08:49 (7 lines)
>    The proxy server that responds is www-relay2.pa-x.dec.com

	The Palo Alto proxy server does not currently allow https (SSL) through
  its firewall.  Stephen Stuart, who just replied to this topic, would be the one
  to change this.

		Danny
4447.4. by VAXCPU::michaud (Jeff Michaud - ObjectBroker) Fri Feb 21 1997 18:47 (6 lines)
> Date:  4-FEB-1997 00:19
> Jean-Paul Rambeau told me that ExARC would be making a decision on my
> request to allow https: proxying to arbitrary hosts sometime next week.

	Have they gotten back to you with their decision (assuming
	they made one)?
4447.5. "Re: Is HTTPS now allowed through our internal firewall" by QUABBI::"[email protected]" (Stephen Stuart) Fri Feb 21 1997 20:48 (21 lines)
Jeff Michaud - ObjectBroker ([email protected]) wrote:
: Title: Is HTTPS now allowed through our internal firewall
: Reply Title: (none)

: > Date:  4-FEB-1997 00:19
: > Jean-Paul Rambeau told me that ExARC would be making a decision on my
: > request to allow https: proxying to arbitrary hosts sometime next week.

: 	Have they gotten back to you with their decision (assuming
: 	they made one)?

They did on Wednesday, with a restriction that required
clarification. I'm now (sigh) awaiting the clarification.

Stephen
--
- -----
Stephen Stuart				[email protected]
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]
4447.6. "Try going through ZKO proxy" by TAVIS::IZAK (Computers,all they think of is HEX) Wed Feb 26 1997 06:17 (6 lines)
Hi,

Today I tried to use www-proxy.zko.dec.com:8080 as my "Security Proxy Server"
and it worked like a charm and I was able to retrieve https://... URLs.

Izak
4447.7. "Re: Is HTTPS now allowed through our internal firewall" by QUABBI::"[email protected]" (Stephen Stuart) Wed Feb 26 1997 12:09 (10 lines)
EXARC just approved the use of SSL for https: proxying by all external
proxy sites.

Stephen
--
- -----
Stephen Stuart				[email protected]
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]
4447.8. "How do we use the new https proxy server?" by BBRDGE::LOVELL (à l'eau; c'est l'heure) Mon Mar 17 1997 03:16 (21 lines)
    Stephen (Stuart);
    
    Pray tell, how does one make use of the new https relay.  I am using
    the MS Internet Explorer and I have set my "secure" proxy setting as;
    	
    	www-proxy.pa.dec.com  port 8080
    
    When I try to access the url ;
    
    	https://www.microsoft.com/isapi/events/event/reg_cust_trak...<snip>....
    
    I receive the error message ;
    
    	connect to www.microsoft.com:443 failed (Connection refused). 
    	Proxy server at www-relay1.pa-x.dec.com on port 8080
    
    
    Please advise exact settings for https proxy
    
    Thanks,
    /Chris/
4447.9. by QUARK::LIONEL (Free advice is worth every cent) Mon Mar 17 1997 10:59 (4 lines)
There is no specific setting to use - just specify the appropriate server in
the http server field.

				Steve
4447.10. by BBRDGE::LOVELL (à l'eau; c'est l'heure) Mon Mar 17 1997 11:57 (10 lines)
    >>There is no specific setting to use - just specify the appropriate
    >>server in the http server field.
    
    That's what I thought I did as described in .7
    
    So what's your definition of "appropriate server" and if it is the same
    as mine then why does the server return an error?
    
    /Chris/
    
4447.11. "Re: Is HTTPS now allowed through our internal firewall" by QUABBI::"[email protected]" (Stephen Stuart) Mon Mar 17 1997 13:08 (32 lines)
à l'eau; c'est l'heure ([email protected]) wrote:
: Title: Is HTTPS now allowed through our internal firewall
: Reply Title: How do we use the new https proxy server?

:     I receive the error message ;
:     
:     	connect to www.microsoft.com:443 failed (Connection refused). 
:     	Proxy server at www-relay1.pa-x.dec.com on port 8080

This message is telling you that the server www.microsoft.com is not
listening on port 443 (I take this as a sign that your browser is
configured properly - it caused the proxy to try to do the right
thing). The relay tried to service the request, but if the destination
refuses the connection, there's not a lot that the relay can do.

Are you absolutely sure that Microsoft is running a "secure" server on
the same host(s) as their regular web server? When I try the URL
"https://www.microsoft.com/" from outside the firewall, I get
redirected to:

	http://www.microsoft.com/default.asp?MSID=<biglongstring>

It is possible that you just hit a window where their server listening
on port 443 was down. Are there other https: URLs that you've tried?

Stephen
--
- -----
Stephen Stuart				[email protected]
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]
4447.12. "More Details..." by BBRDGE::LOVELL (à l'eau; c'est l'heure) Mon Mar 17 1997 16:09 (27 lines)
    I haven't tried other https url's as I've not needed to up till now.
    
    The url that I posted in my problem report was only a partial listing -
    I guess the full url is generated on the fly so you'd have to go to their
    pages to fill in a couple of forms to actually try it.  
    
    This was a genuine https attempt.  I had just filled in my credit card
    details and was trying to register online for Microsoft's TechEd
    conference in Nice.  Prior to entering the form details, I received a
    warning telling me that I was starting dialog with a secure server
    and asking me to confirm.
    
    Stephen - could you please verify this behaviour - start from the url ;
    
    	http://www.microsoft.com/isapi/events/login.idc?s=3462&a=1&dst=R
    
    You don't have to enter your credit card details - that part is
    optional, but a secure (https) url is still generated for the next
    steps which is where the error occurs.
    
    The error still persists - I don't have any other https connections
    that I can try with legitimacy.  Do the Palo Alto logs show a clean
    https attempt from me?  Is there any transaction detail other than
    Error 443 that I can report to Microsoft?
    
    Thanks,
    /Chris/
4447.13. by PEACHS::GHEFF (Got a head with wings) Tue Mar 18 1997 08:19 (17 lines)
    I too am an https novice.  Yesterday was the first time I tried to
    connect to a secure server from inside the firewall.  I set my secure
    proxy and attempted to contact:
    
    https://cafe2.symantec.com/cafemac/
    
    Just tried it and got:
    
    connect to cafe2.symantec.com:443 failed (Connection timed out). 
                                                        
    Proxy server at www-relay2.pa-x.dec.com on port 8080
    
    Which is a little different.  Is it somehow related?  I guess that
    the Symantec system could be simply unavailable.  No way for me to tell
    at this point.  I can't get to my ISP from here to test the theory.
    
    #Gary
4447.14. by VAXCPU::michaud (Jeff Michaud - ObjectBroker) Tue Mar 18 1997 10:32 (17 lines)
>     connect to a secure server from inside the firewall.  I set my secure
>     proxy and attempted to contact:
>     https://cafe2.symantec.com/cafemac/
>     Just tried it and got:
>     connect to cafe2.symantec.com:443 failed (Connection timed out). 
>     Proxy server at www-relay2.pa-x.dec.com on port 8080
>     
>     Which is a little different.  Is it somehow related?  I guess that
>     the Symantec system could be simply unavailable.  No way for me to tell
>     at this point.

	The only thing different is that the host you are trying to
	connect to ("cafe2") did *not* respond to the connect request,
	and the previous noter's host they were trying to connect to
	refused the connection (usually meaning that the host is up
	and reachable, but no application is listening on the requested
	port, ie. their https server is not running).
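
An added example, not part of the original notes and not the relay's own code: the two relay errors distinguished in .14, reproduced at the socket level and parsed from the message format quoted in this thread. The names `probe`, `parse_relay_error` and `demo` are hypothetical, and the two loopback endpoints are constructed so the block runs offline.

```python
import re
import socket

# Interpretation of each outcome, following the explanation in note .14.
MEANING = {
    "connected": "destination accepted the TCP connection",
    "Connection refused": "host is up and reachable, but nothing listens on the port",
    "Connection timed out": "host never answered the connect request",
}

# Matches relay errors of the form quoted in this thread.
RELAY_ERROR = re.compile(
    r"connect to (?P<host>[^\s:]+):(?P<port>\d+) failed \((?P<reason>[^)]+)\)")

def parse_relay_error(text):
    """Extract (host, port, reason) from a relay error message, or None."""
    m = RELAY_ERROR.search(text)
    return (m["host"], int(m["port"]), m["reason"]) if m else None

def probe(host, port, timeout=3.0):
    """Make the same TCP connect a relay would make and name the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except ConnectionRefusedError:
        return "Connection refused"
    except (socket.timeout, TimeoutError):
        return "Connection timed out"

def demo():
    """Probe two constructed loopback endpoints (assumption: loopback is available)."""
    listening = socket.socket()
    listening.bind(("127.0.0.1", 0))
    listening.listen(1)                 # a service is accepting connections here
    closed = socket.socket()
    closed.bind(("127.0.0.1", 0))       # bound but never listen()ed: no service
    try:
        return {
            "listening": probe("127.0.0.1", listening.getsockname()[1]),
            "closed": probe("127.0.0.1", closed.getsockname()[1]),
        }
    finally:
        listening.close()
        closed.close()

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome, "-", MEANING[outcome])
    print(parse_relay_error(
        "connect to cafe2.symantec.com:443 failed (Connection timed out)."))
```
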
4447.15. "try refresh" by TUXEDO::STRUTT (Colin Strutt) Tue Mar 18 1997 11:44 (19 lines)
    I too am having trouble getting to https services through the
    firewall.
    
    Consider
    	https://expedia.msn.com/pub/eta.dll
    followed by a load of parameters which I won't include here
    gets me a notification that I'm about to enter a secure page, then:
    
    	connect to expedia.msn.com:443 failed (Connection refused). 
    
    	Proxy server at www-relay2.pa-x.dec.com on port 8080
    
    I would not have expected it to be refused. This works from outside the
    firewall.
    
    However, if I refresh the page (I'm using IExplorer 3.01) then the
    secure page is displayed correctly.
    
    colin
4447.16. by PEACHS::GHEFF (Got a head with wings) Tue Mar 18 1997 12:08 (3 lines)
    For whatever the reason, I'm able to get to the Symantec server now.
    
    #Gary
4447.17. by BBRDGE::LOVELL (à l'eau; c'est l'heure) Tue Mar 18 1997 13:16 (4 lines)
    And the Microsoft https url worked *ONCE* just now and then fell 
    back to the same error - bizarre.
    
    /Chris/
4447.18. "Re: Is HTTPS now allowed through our internal firewall" by QUABBI::"[email protected]" (Stephen Stuart) Tue Mar 18 1997 16:58 (16 lines)
à l'eau; c'est l'heure ([email protected]) wrote:
: Title: Is HTTPS now allowed through our internal firewall
: Reply Title: (none)

:     And the Microsoft https url worked *ONCE* just now and then fell 
:     back to the same error - bizarre.

No changes were made to the proxies.

Stephen
--
- -----
Stephen Stuart				[email protected]
Network Systems Laboratory
Digital Equipment Corporation
[posted by Notes-News gateway]
4447.19. "IE and 128 bit and/or https proxies ?" by NPSS::BENZ (I'm an idiot, and I vote) Thu Mar 27 1997 23:39 (20 lines)
    Another https site to check the proxy is https://webxpress.fidelity.com
    
    With Netscape, I can't get there - it requires 128 bit RSA, and I have
    the standard 40 bit version from the IBG server.  But at least it tells
    me that "Netscape and this server cannot communicate securely because
    they have no common encryption algorithm(s)."
    
    With Internet Explorer, I can't tell whether or not I've configured my
    proxy properly - I set it up as www-proxy.das.dec.com, 8080 (just like
    .8 had his), but when I try to connect, I get "Cannot connect to
    server". I do have all cryptography enabled.
    
    Has anyone made a https connection using Internet Explorer through our
    proxy servers ?
    
    How can I tell whether or not I have a 128 bit version of Internet
    Explorer ?  I'm running version 3.0 (4.70.1158), but there does not
    seem to be any indication anywhere about international/US versions.
    
    \chuck
4447.20. by teco.mro.dec.com::tecotoo.mro.dec.com::mayer (Danny Mayer) Fri Mar 28 1997 09:06 (35 lines)
>    Another https site to check the proxy is https://webxpress.fidelity.com
>    
>    With Netscape, I can't get there - it requires 128 bit RSA, and I have
>    the standard 40 bit version from the IBG server.  But at least it tells
>    me that "Netscape and this server cannot communicate securely because
>    they have no common encryption algorithm(s)."
>    
	I suspect that this site is not running a valid SSL implementation or
  that it is using a different encryption algorithm from the standard ones
  used in SSL.  SSL allows 40-bit and 128-bit RSA to interoperate.

	On the other hand, I just looked.  It's running Netscape Fastrack 2.01.
  Strange.

>    With Internet Explorer, I can't tell whether or not I've configured my
>    proxy properly - I set it up as www-proxy.das.dec.com, 8080 (just like
>    .8 had his), but when I try to connect, I get "Cannot connect to
>    server". I do have all cryptography enabled.
>    
>    Has anyone made a https connection using Internet Explorer through our
>    proxy servers ?
>    
>    How can I tell whether or not I have a 128 bit version of Internet
>    Explorer ?  I'm running version 3.0 (4.70.1158), but there does not
>    seem to be any indication anywhere about international/US versions.
>    
	You can tell because you only downloaded it.  You have to make a special
  effort to get the 128 bit version.  You won't have the 128 bit version.

	You should download the 3.02 version from the IBG Software Distribution
  Server since the version you are currently running has security holes in it
  and Corporate Security requires that you upgrade right away.

>    \chuck

4447.21. by SMURF::PBECK (Who put the bop in the hale-de-bop-de-bop?) Fri Mar 28 1997 09:33 (8 lines)
>	I suspect that this site is not running a valid SSL implementation or
>  that it is using a different encryption algorithm from the standard ones
>  used in SSL.  SSL allows 40-bit and 128-bit RSA to interoperate.

    Yes, but if it does so by downgrading to 40-bits, the Fidelity site
    is probably saying "that's not secure enough for us, go away". That
    was my understanding of that site, in any event, when I looked at it
    a week or so ago.
4447.22. by NPSS::BENZ (I'm an idiot, and I vote) Fri Mar 28 1997 15:32 (9 lines)
>	You should download the 3.02 version from the IBG Software Distribution
>  Server since the version you are currently running has security holes in it
>  and Corporate Security requires that you upgrade right away.
    
    Hmmph.  Since the IBG dist server version is probably the 40 bit
    version, I'll go to Microsoft instead to see if I can get the 128 bit 
    version there.  
    
    \chuck
4447.23. by NPSS::BENZ (I'm an idiot, and I vote) Fri Mar 28 1997 15:52 (10 lines)
    Eeep...
    
    >> I'll go to Microsoft instead to see if I can get the 128 bit
    
    Contrary to the experience reported in 4497.0, Microsoft doesn't seem
    to make the 128 bit version the default that comes up.  In fact, I
    don't see it anywhere obvious (unless they give it out without telling
    you).  Oh well.
    
    \chuck
4447.24. by NPSS::BENZ (I'm an idiot, and I vote) Sat Mar 29 1997 23:31 (9 lines)
    More on getting the 128 bit versions of Netscape and Internet Explorer:
    a page at Fidelity will direct to the appropriate pages at Netscape and
    Microsoft (don't have the page at hand - sorry).  Both take you through
    a form where you declare that you're legit, etc... Microsoft seems to
    currently offer a 3.01 version instead of the new 3.02, but attempting
    to download gets an empty file anyways, so they may be in the middle of
    fixing that.
    
    \chuck
4447.25. by BEGIN::ROTITHOR () Thu Apr 03 1997 18:12 (7 lines)
I use Netscape 3.01 Gold on a Unix platform.
If I open two browser windows and try to connect to two separate secure servers I run into a problem.
Usually an error is reported (for the second one, the first one has gone through).
I do not have this problem if I connect to them individually (the connection goes through fine).
Is this a known problem, am I doing something outside spec, is it only specific to server sites that I am trying
to connect, is there a workaround for the problem (other than the obvious one of using one at a time).
Thanks for suggestions