RE: Un-Able to access some web site thru proxy

You tried - what?
Email, web posting, telephone, semaphore, monkeys & buckets..?

SA support is here:
http://support.microsoft.com/default.aspx?scid=fh;%5bln%5d;SoftAssurance

Nope - that is not even how it's done for a public hotfix.
We *do not* support hotfixes obtained from anywhere other than PSS or a
designated representative.

-----Original Message-----
From: MJ [mailto:mjtech@xxxxxxxxx] 
Sent: Sunday, March 05, 2006 1:24 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Un-Able to access some web site thru proxy

http://www.ISAserver.org

I tried it 5 times, and every time it gives me an error saying, "Unknown
error has occurred please try again later".

I was using Software Assurance ID.

Is there away for me to get the hotfix from someone who had it and can
upload it to our FTP site?

I will try again later as they said, but I really need this issue
resolved
before tomorrow morning.

Thanks a lot for your help

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Sunday, March 05, 2006 1:48 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Un-Able to access some web site thru proxy

http://www.ISAserver.org

Gotta use the support links, bro...
http://support.microsoft.com/common/international.aspx?rdpath=dm;en-us;s
elec
t&target=assistance&c1=508


-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: MJ [mailto:mjtech@xxxxxxxxx]
Sent: Sunday, March 05, 2006 10:36
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Un-Able to access some web site thru proxy

http://www.ISAserver.org

Jim,

This is great and it sounds so good.

Who is PSS, and how can I contact, and I promise I will contact as soon
as I
get the contact info from you.

Thank you so much

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Sunday, March 05, 2006 12:23 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Un-Able to access some web site thru proxy

http://www.ISAserver.org

MJ,

Disabling filters may not help with www.delta.com, www.sun.com or any
site
that causes ISA 2004 SP2 to generate the following message:

Error Code: 502 Proxy Error. The HTTP request includes a non-supported
header. Contact your ISA Server administrator. (12156)

The reason for the behavior you're seeing is that new logic that was
added
in ISA 2004 SP2 to mitigate HTTP request smuggling.  The process for
this
attack is a bit involved but the short story is that HRS depends on
sending
response headers that include both "Content-length:
<anyvalue>" and "transfer-encoding: chunked".
A whitepaper on the subject is available here:
https://www.watchfire.com/securearea/whitepapers.aspx

RFC-2616 defines those two headers for the purpose of providing
quantitative
content validation for the receiver and states *very
clearly* that the server MUST NOT combine them in the same response.  If
the
server is configured such that it does violate this edict, RFC-2616 then
requires the receiving entity to ignore the content-length value and
instead
use the chunked-encoding technique to validate the length of the HTTP
body.
This places a processing burden on the receiving entity (ISA, in this
case),
since a chunked-encoded transfer can't be quantitatively validated until
the
transfer is completed.  In the case of a proxy, additional processing is
imposed due to caching behavior that may be dependent on content-size.

The reason those sites are either failing outright (www.delta.com) or
rendering poorly (www.sun.com) is because we chose to reject those
responses
out-of-hand.  Since RFC-2616 clearly states "don't combine those
headers"
and doing so is a demonstrably malicious act, it seemed unlikely that
ISA
would cause problems for any other than malicious sites, and in fact,
our
testing validated this belief.  As it turns out, there are quite a few
legitimate sites out there that violate this part of RFC-2616 and so we
have
had to rethink our answer to this problem.

Call PSS.
Tell them I sent you.
Ask for the private fix for ISA SE 34978.
Do
It
Now

Jim

-----Original Message-----
From: MJ [mailto:mjtech@xxxxxxxxx]
Sent: Sunday, March 05, 2006 7:56 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Un-Able to access some web site thru proxy

http://www.ISAserver.org

I got it to open by copying both lines.

I followed everything in it, and since we are only using the proxy part
of
this ISA box I disabled everything as the article said, and restart the
firewall service, but I am still having the same problem.

I also read the ISA 2004 SP2 white paper but didn't see anything that
will
help in this situation.

Any other ideas?

Thanks for you responses.



-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Sunday, March 05, 2006 1:42 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Un-Able to access some web site thru proxy

http://www.ISAserver.org

Unwrap it.
The second line is part of the URL.

-----Original Message-----
From: MJ [mailto:mjtech@xxxxxxxxx]
Sent: Saturday, March 04, 2006 9:06 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Un-Able to access some web site thru proxy

http://www.ISAserver.org

Tom,

Thanks for the response, but the link you posted took me to "Error 404 -
Not
Found"

I thin the document was moved somewhere else.

Thanks again.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Saturday, March 04, 2006 10:54 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Un-Able to access some web site thru proxy

http://www.ISAserver.org

http://blogs.isaserver.org/shinder/news/2006/02/27/isa-firewall-sp-2-bra
nch-office-features-turn-em-off

HTH,
Tom


Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Bryan [mailto:mjtech@xxxxxxxxx]
Sent: Saturday, March 04, 2006 7:02 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Un-Able to access some web site thru proxy

http://www.ISAserver.org

Hi *.*

We have ISA 2004 server that is working fine so far. After installing
SP2
things continue to work fine except one little problem:
When we try to access some web sites such as www.delta.com we're getting
the
following message:
========================================================================
===

Technical Information (for support personnel) Error Code: 502 Proxy
Error.
The HTTP request includes a non-supported header. Contact your ISA
Server
administrator. (12156) IP Address: 205.174.16.50
Date: 3/5/2006 12:53:52 AM
Server: isaServerName.DomainName.com
Source: proxy
========================================================================
===


I am looking for a solution for this problem other than un-installing
SP2
because it really fixed more serious problems than this problem.
Also other than chaining to another ISA server with SP1.

The Result of my research indicated that this a bug with SP2, and
Microsoft
is working on a hotfix for, which will be out some time soon.

just to let you all know I have contact MS Support as well, and they
told me
the same thing, but because I know that there smart guys in this list I
thought of posting the question any ways hoping that some has a work
around
till the hotfix is available.
MS Support will get back with me on Monday and they may have one of the
developers work with me to fix the problem Manually and if this happen I
promise I will post the solution here for whoever might come across the
same
issue.

Thanks a lot guys and have a great day

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
mjtech@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
mjtech@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
mjtech@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
mjtech@xxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.



Other related posts: