21.01.2008
Describing an alternative method to FTP over TLS by the use of WebDav over TLS published through ISA 2006 Firewall - Part 4 - Analyzing Various WebDav Clients
- 1. Windows Built-in WebDav Client
- 2. WebDrive
- 3. Total Commander
- 4. CentOS 4.4 with the Already Installed Neon WebDav Client
1. Windows Built-in WebDav Client
First test with a browser, say Internet Explorer (this will tell us if the web site was published correctly). You should be prompted only once for credentials (since we are using delegation of credentials on ISA). See Figure68.
Figure68: IE 7.0
I can use other browsers (Firefox, Opera) with no problems too.
Close IE and open it again. This time choose File/Open. See Figure69.
Figure69: File/Open
Enter your server address and select "Open as Web Folder". See Figure70.
Figure70: Open as Web Folder
Enter your credentials. See Figure71.
Figure71: Credentials
You will probably be prompted again for these credentials. The second prompt also appears when ISA is not between the client and the WebDav server (the client is directly connected to the WebDav server). It appears when SSL is required on the WebDav server. So it looks like the built-in Windows WebDav client has some issues with WebDav over SSL.
And you will have access to the Web Folder. See Figure72.
Figure72: Web Folder
Talking about the Windows built-in WebDav clients, dear Microsoft, what have you done?
The Windows XP WebDav client comes with bugs but at least works in this scenario.
You may encounter the following:
- when you use IE and "Open as Web Folder", instead of viewing the Web Folder, a "My Computer" window appears (how about that?). However you can locate it within "My Network Places". This can happen if you follow the method described here and run "webfldrs.msi". This method could save you from the error shown in Figure73. However instead of using Notepad, IE will be used to open the .txt file.
- when you attempt to directly open a .txt file you get the following error, see Figure73. This error appears if the client is directly connected to the WebDav server (no ISA between them). Also if SSL is not required on the WebDav server, the .txt file opens correctly. Again, it looks like the built-in Windows WebDav client has certain issues with WebDav over SSL. Not even the "infamous" KB907306 can fix this problem.
Figure73: Notepad Error
- the URLs might be converted to UNC paths
However, the Windows XP client does not seem to have any major problems connecting through ISA: the download, upload, send to, delete, rename and open of Office docs operations all work just fine. Note that during this article some Windows XP SP2 systems did not have Microsoft Office installed, while other Windows XP SP2 machines had Microsoft Office 2007 installed.
But, wait!
The Windows XP WebDav client (Web Folders) is yet to accept defeat. It supports user certificate authentication (so on ISA we can use SSL Client Certificate Authentication with KCD (Kerberos Constrained Delegation)). But if you have followed the method described here and run "webfldrs.msi", it seems that it will no longer work with user certificate authentication.
Vista, on the other hand, is unable to connect (the Vista machine did not have Microsoft Office installed). When I use IE and "Open as Web Folder" I get the error from Figure74.
Figure74: Vista IE Error
When I use "Map Network Drive" I get the error from Figure75.
Figure75: Vista Error
So what's happening?
First let's see what ISA's logs say. See Figure76.
Figure76: Vista ISA Log
As can be seen, Vista keeps sending the OPTIONS request and ISA denies it. Apparently if the OPTIONS request does not succeed (saying that the server can use WebDAV), the WebDAV Redirector will not be able to connect, at least according to this post (the entire thread can be viewed here). Vista appears to have a problem with Basic authentication (does not send the Authorization header).
ISA denies the OPTIONS request and requires authentication. If authentication succeeds, the OPTIONS request will be sent to the WebDav server along with the Authorization header. See Figure77 (taken from a Windows XP SP2 WebDav session). Actually there are some differences between Figure76 and Figure77.
Figure77: OPTIONS Method ISA Log
Please refer to our explanation for further details.
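The OPTIONS exchange described above, as an added example that is not part of the original article and is not ISA or Windows code. It assumes a constructed local stub in place of the published site, plain HTTP instead of TLS so it runs offline, made-up credentials, and `answer_challenge=False` to imitate a client that never sends the Authorization header.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PASSWORD = "demo", "demo-pass"  # constructed credentials, not from the article

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class StubPublisher(BaseHTTPRequestHandler):
    """Constructed stand-in for the published site: 401 until Basic auth arrives."""
    protocol_version = "HTTP/1.1"

    def do_OPTIONS(self):
        if self.headers.get("Authorization") == basic(USER, PASSWORD):
            self.send_response(200)
            self.send_header("DAV", "1, 2")  # advertises WebDAV classes 1 and 2
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="stub"')
        self.send_header("Content-Length", "0")
        self.end_headers()

def options(conn, path, headers):
    conn.request("OPTIONS", path, headers=headers)
    resp = conn.getresponse()
    resp.read()  # drain so the connection can be reused
    return resp

def probe(port, path, answer_challenge=True):
    """Client side: bare OPTIONS, then OPTIONS carrying the Authorization header."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)  # HTTPSConnection against a real TLS listener
    try:
        first = options(conn, path, {})
        out = {"first": first.status, "second": None, "dav": None}
        if first.status == 401 and answer_challenge:
            second = options(conn, path, {"Authorization": basic(USER, PASSWORD)})
            out.update(second=second.status, dav=second.getheader("DAV"))
        return out
    finally:
        conn.close()

def demo():
    with HTTPServer(("127.0.0.1", 0), StubPublisher) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return [probe(server.server_port, "/shareddoc", answer) for answer in (True, False)]
        finally:
            server.shutdown()
```

The stub's request log on stderr shows the same pattern as the ISA log figures: a denied OPTIONS followed by an accepted one for the client that answers the challenge, and only the denied OPTIONS for the client that does not.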
I could not get Vista's default WebDav client(Web Redirector) working through ISA. It's such a shame Microsoft did not include a proper WebDav client into the shiny Vista OS.
Need a quick fix for Vista?
Then use WebDrive or Total Commander.
Regarding the use of Microsoft Office applications, for example Microsoft Word: when a file is opened from the Web Folders, it is automatically locked. When the file is closed, it is unlocked. The entire process is transparent for the end-users. The locking of the document is very useful since the user can edit the document while other users can only read it, thus preventing simultaneous editing (overwrite prevention).
Figure78 and Figure79 show ISA's logs for locking and unlocking a Microsoft Word document.
Figure78: LOCK Method ISA Log
Figure79: UNLOCK Method ISA Log
In Figure80 you can see ISA's log for the HEAD method used by the Office Application.
Figure80: HEAD Method ISA Log
2. WebDrive
Now, about WebDrive. It is very easy to connect to the WebDav server through ISA with WebDrive. Just define a new site. See Figure81.
Figure81: Web Drive WebDav SSL
Hit the Connect button and a new drive will be mounted. See Figure82.
Figure82: WebDrive Drive
The corresponding ISA logs are shown in Figure83 and Figure84.
Figure83: ISA Log WebDrive WebDav SSL Authentication Required
Figure84: ISA Log WebDrive WebDav SSL OPTIONS Request with the Authorization Header
In Figure85 you can see the uploading of a file using WebDrive.
Figure85: WebDrive Upload
In Figure86 you can see that the upload was complete.
Figure86: WebDrive Upload Complete
No major problems.
WebDrive can automatically lock documents when you open them. Or you can manually lock them. See Figure87 and Figure88. However I've noted that both techniques are not so reliable when you attempt to save the changes you've made (you may not be able to do so).
Figure87: WebDrive Auto Lock
Figure88: WebDrive Manual Lock
3. Total Commander
Another possible Windows WebDav client is Total Commander, a popular file manager. Total Commander by itself does not support WebDav, but there is a WebDav plugin available for it. WebDav 1.6 was used within this article. Once installed, this WebDav plugin can be accessed through My Network Places. See Figure89.
Figure89: Total Commander with the WebDav Plugin
When you have entered the WebDav directory, hit F7 to create a new connection. I found that using the "Quick Connection" option is tricky: sometimes the connection succeeds, sometimes not. No such problems using F7 and defining a new connection. See Figure90.
Figure90: Total Commander with the WebDav Plugin Options
Enter a name for the new connection. See Figure91.
Figure91: Total Commander New WebDav Connection
Configure the settings for the WebDav connection: enter the server/path (in this case the path is fileserver.carbonwind.net/shareddoc), check "Secure server (via SSL)" and additionally you can check the other two fields from Figure92 (for the upload method).
Figure92: Total Commander WebDav SSL Settings
After the new connection is created, double-click it in order to connect. Figure93 shows the successful connection.
Figure93: Total Commander WebDav SSL Connected
In Figure94 you can see the uploading of a file using Total Commander.
Figure94: Total Commander SSL Upload
And ISA's logs showing the Total Commander WebDav over TLS session. See Figure95 and Figure96.
Figure95: ISA Log Total Commander WebDav SSL Authentication Required
Figure96: ISA Log Total Commander WebDav SSL PROPFIND Method with the Authentication Header
Figure97 shows the successful PUT command required for the uploading described in Figure94.
Figure97: ISA Log Total Commander WebDav PUT Method with the Authentication Header SSL
4. CentOS 4.4 with the Already Installed Neon WebDav Client
Moving away from the Windows OS, CentOS 4.4 (with the already installed Neon WebDav client) was successfully used to connect to the WebDav server behind ISA.
It's more than easy to define a WebDav connection from CentOS. From Computer, select "File/Connect to Server". Choose "Secure WebDAV (HTTPS)", enter the server name, the Folder (shareddoc) and the user name. See Figure98.
Figure98: CentOS WebDavs
Hit Connect. When prompted enter your password and you can select "Remember password for this session". See Figure99.
Figure99: CentOS WebDavs Password
And we are connected. Notice that the WebDav connection appears also as a separate drive. See Figure100.
Figure100: CentOS WebDavs Connected
And ISA's logs showing the CentOS TLS WebDav session. See Figure101 and Figure102.
Figure101: ISA Log CentOS WebDavs Authentication Required
Figure102: ISA Log CentOS WebDavs PROPFIND Method with the Authentication Header
So plenty of WebDav clients (except the one from Vista) work just fine when the WebDav server is published behind ISA.
In Part 5 we will configure HTTP Filtering in ISA 2006 Firewall.