[isalist] Re: Error 502 in browsed site

http://www.ISAserver.org
-------------------------------------------------------
  
Hi Bill, 

The protocol definition looks good. Can you post the details of those two
rules?
Take note that those rules must precede all other rules that might allow
that traffic.

HTH, 
Stefaan 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Mayo, Bill
Sent: vrijdag 15 februari 2008 21:38
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Error 502 in browsed site

I am assuming that the reason the first rule doesn't match is that I don't
have the custom HTTP protocol set up correctly.  Attached is a screen shot
of what I have, in case it is obvious what I am missing.
Also, does it matter what type of network object I use for the "To" tab?
I have tried a domain name set and address range so far.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Stefaan Pouseele
Sent: Friday, February 15, 2008 1:44 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Error 502 in browsed site

http://www.ISAserver.org
-------------------------------------------------------
  
Hi Bill, 

I can confirm that the trick explained in
https://blogs.technet.com/isablog/archive/2006/09/25/458810.aspx
definitely works. I have used it multiple times to allow nonstandard HTTP
traffic.
Moreover I use the exact same method in my blog
http://blogs.isaserver.org/pouseele/2006/10/08/solving-the-secure-ftp-di
lemm
a-with-isa-server-2004-and-2006/ to solve the FTPS access problem with ISA
server. 

HTH,
Stefaan

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Mayo, Bill
Sent: vrijdag 15 februari 2008 19:06
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Error 502 in browsed site

http://www.ISAserver.org
-------------------------------------------------------
  
Thanks for the reply, Tom.  I found and attempted to follow the info at
http://blogs.technet.com/isablog/archive/2006/09/25/why-do-i-need-a-deny
-rule-to-make-an-allow-rule-for-a-custom-protocol-work-correctly.aspx.
Unfortunately, it isn't working for me.  What I am seeing with that in
effect is that it seems to skip over the first allow rule with the
CustomHTTP, and then blocks the traffic on the deny rule.  As far as I can
tell, my custom protocol is identical to the built-in HTTP, with the
exception that the filter isn't there.

I have also tried adding the site to the direct access tab, but that hasn't
helped either.

Any further suggestions are welcomed!
Bill Mayo

 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Friday, February 15, 2008 10:39 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Error 502 in browsed site

http://www.ISAserver.org
-------------------------------------------------------
  
You can create your own HTTP protocol and don't bind it to the Web proxy
filter, and then use that protocol to reach that particular destination
site. There's some difficult logic to the configuration, and I don't recall
all the details. But there is an article on the ISA Team Blog on this. Is
one of the earliest blog posts over there, so start with the first blog post
and go from there.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mayo, Bill
> Sent: Friday, February 15, 2008 7:31 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error 502 in browsed site
> 
> http://www.ISAserver.org
> -------------------------------------------------------
>   
> Thanks much for looking at that, Jim!  I guess I am now back to my 
> original question.  Is there any patch, registry tweak, or 
> configuration change I can make in ISA to get around the malformed 
> packet?
> I will see
> what I can do towards getting the source fixed, but I am not 
> optimistic.
> From our user's perspective it will look like our problem--it worked 
> until we upgraded the ISA Servers (just went from 2000 to 2006).
> 
> Bill Mayo
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Thursday, February 14, 2008 8:17 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error 502 in browsed site
> 
> http://www.ISAserver.org
> -------------------------------------------------------
>   
> Let's make this even more fun.
> The same response packet that includes a buggered header also
> specifies:
> chunkSize: 1220
> ..but the data chunk weighs in at a measly 985 bytes;  235 bytes 
> short.
> Even if you were to add the chunk management bytes to the total (you 
> wouldn't), it's still short quite a few.
> 
> ISA is right to round-file this response; it's poopy-ka-ka.
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx
> [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Thursday, February 14, 2008 4:04 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Error 502 in browsed site
> 
> Ah, the lovely typos you get when using a CLI interface :)
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org <http://www.isaserver.org/>
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- 
> Microsoft Firewalls (ISA)
> 
> 
> 
> 
> ________________________________
> 
>         From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>         Sent: Thursday, February 14, 2008 5:24 PM
>         To: isalist@xxxxxxxxxxxxx
>         Subject: [isalist] Re: Error 502 in browsed site
> 
> 
> 
>         Yep - it's another Crapache server with "customized" headers:
> 
>         - Http: Response, HTTP/1.1, Status Code = 200, URL:
> /cgi-gre/LI_login
> 
>           - Response: 0x1
> 
>              ProtocolVersion: HTTP/1.1
> 
>              StatusCode: 200, Ok
> 
>              Reason: OK
> 
>              Date:  Thu, 14 Feb 2008 18:11:17 GMT
> 
>              Server:  Apache/1.3.34 (Unix) mod_ssl/2.8.25 
> OpenSSL/0.9.7i
> 
>               Set-Cookie:  INVPKT=Y; path=/
> 
>              Set-Cookie:  INVDAT=24199098,tugwro,X,gre,60; path=/
> 
>              P3P:  policyref="/w3c/p3p.xml", CP="NOI NID CURa ADMa 
> DEVa OUR NOR COM NAV STA"
> 
>              Keep-Alive:  timeout=15, max=199
> 
>              Connection:  Keep-Alive
> 
>              TransferEncoding:  chunked
> 
>              ContentType:  text/html
> 
>              HeaderEnd: CRLF
> 
> 
> 
>         The first Set-Cookie header is preceded by whitespace.
> 
> 
> 
> 
> 
>         -----Original Message-----
>         From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mayo, Bill
>         Sent: Thursday, February 14, 2008 10:42 AM
>         To: isalist@xxxxxxxxxxxxx
>         Subject: [isalist] Re: Error 502 in browsed site
> 
> 
> 
>         Also, I see under the response header an entry named "
> Set-Cookie: ...", noting the space in front of it.  The entry 
> underneath is also set-cookie, but doesn't have the space in front of 
> it.
> Apologies if this info is unhelpful, I confess I don't completely 
> understand what I am looking for.
> 
> 
> 
> 
> 
>         ________________________________
> 
> 
> 
>         From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mayo, Bill
> 
>         Sent: Thursday, February 14, 2008 1:29 PM
> 
>         To: isalist@xxxxxxxxxxxxx
> 
>         Subject: [isalist] Re: Error 502 in browsed site
> 
> 
> 
> 
> 
>         Jim, I have a network capture, and I have isolated it down to 
> the packets that are sent after the logon request (and where it 
> fails).
> I do see an HTTP payload on 2 packets that says "httpcontenttype = ".
> The latter of these is the last packet sent by the server.  Does that 
> clarify anything, or is there something else I should be looking for?
> 
> 
> 
>         Bill Mayo
> 
> 
> 
>         ________________________________
> 
> 
> 
>         From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> 
>         Sent: Thursday, February 14, 2008 1:37 AM
> 
>         To: isalist@xxxxxxxxxxxxx
> 
>         Subject: [isalist] Re: Error 502 in browsed site
> 
> 
> 
> 
> 
> 
> 
>         Until you know what ISA rejects, there can be no "fix".
> 
> 
> 
>         What is the site?
> 
> 
> 
> 
> 
> 
> 
>         From: isalist-bounce@xxxxxxxxxxxxx 
> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mayo, Bill
> 
>         Sent: Wednesday, February 13, 2008 1:43 PM
> 
>         To: isalist@xxxxxxxxxxxxx
> 
>         Subject: [isalist] Error 502 in browsed site
> 
> 
> 
> 
> 
> 
> 
>         I am running into a problem that appears to be well 
> documented, but I am not having any success in getting it to work.  I 
> have a user going to a "critical" (sigh) site that is causing ISA 2006

> EE to throw a
> 502 error to them, and in logging it shows: The HTTP message includes 
> an unsupported header or an unsupported combination of headers.
> (12156) .
> I have found KBs regarding this error, the most pertinent seeming to 
> be 935693.  I have downloaded and installed the "ISA Server 2006 
> Supportability Update package", which indicates that is addresses this

> issue.  I also have applied the registry changes that are indicated in

> 935693.  Unfortunately, the error persists.  I am wondering if a 
> reboot or services restart is necessary after the registry change, but

> the article doesn't indicate one way or other (I will try that after 
> hours).
> 
> 
> 
>         I understand that, at its core, this a problem with the site 
> they are visiting.  However, I have no realistic way to get this 
> addressed on that end, and the client wants it fixed now.  Is there 
> anything that I am missing, or any pointers anyone can provide?
> 
> 
> 
>         ~~~~~~~~~~
> 
>         Bill Mayo
> 
>         Pitt County MIS
> 
> 
> 
> 
> 
> ------------------------------------------------------
> List Archives: http://www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> ------------------------------------------------------
> List Archives: http://www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials: 
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
> 
------------------------------------------------------
List Archives: http://www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx 

------------------------------------------------------
List Archives: http://www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx 

------------------------------------------------------
List Archives: http://www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx 


------------------------------------------------------
List Archives: http://www.freelists.org/archives/isalist/  
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ 
ISA Server Blogs: http://blogs.isaserver.org/ 
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com 
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
Report abuse to listadmin@xxxxxxxxxxxxx 

Other related posts: