RE: Un-Able to access some web site thru proxy

  • From: "MJ" <mjtech@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 7 Mar 2006 23:11:57 -0500

I've got the hotfix, and have backed up ISA and will install it tonight.

I'll let you all know the result.

Thanks for your help

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Tuesday, March 07, 2006 1:33 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Un-Able to access some web site thru proxy

http://www.ISAserver.org

Kewlness...


-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: MJ [mailto:mjtech@xxxxxxxxx]
Sent: Monday, March 06, 2006 20:25
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Un-Able to access some web site thru proxy

I am getting this patch tomorrow.

I had to fight with them over it, and I spoke to so many managers, and at
the end they told me that they will email me the hotfix tomorrow, but I will
have to install it at my own risk.

So I have backed up Windows and ISA tonight, and I will get it installed
tomorrow and will let you know how it went.

Thanks Jim

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Monday, March 06, 2006 6:41 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Un-Able to access some web site thru proxy

Update (Tom, please update the blog, too)...

PSS has asked me to retract the "go get it" action.
The official patch will be released soon and you'll see an announcement here
when that happens.

Sorry for any cornfussion.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Sunday, March 05, 2006 10:08
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Un-Able to access some web site thru proxy

You betchum! :)


Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Sunday, March 05, 2006 11:57 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Un-Able to access some web site thru proxy

Wurksfermi!
Thanx, Tom.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Sunday, March 05, 2006 09:52
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Un-Able to access some web site thru proxy

Hi Jim,

This OK?

http://blogs.isaserver.org/shinder/isacentral/2006/03/05/explanation-on-the-502-error-to-delta-and-sun-sites/

Tom


Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Sunday, March 05, 2006 11:23 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Un-Able to access some web site thru proxy

MJ,

Disabling filters may not help with www.delta.com, www.sun.com or any site
that causes ISA 2004 SP2 to generate the following message:

Error Code: 502 Proxy Error. The HTTP request includes a non-supported
header. Contact your ISA Server administrator. (12156)

The reason for the behavior you're seeing is new logic that was added in
ISA 2004 SP2 to mitigate HTTP request smuggling.  The process for this
attack is a bit involved but the short story is that HRS depends on sending
response headers that include both "Content-length: <anyvalue>" and
"transfer-encoding: chunked".
A whitepaper on the subject is available here:
https://www.watchfire.com/securearea/whitepapers.aspx

RFC-2616 defines those two headers for the purpose of providing quantitative
content validation for the receiver and states *very clearly* that the
server MUST NOT combine them in the same response.  If the server is
configured such that it does violate this edict, RFC-2616 then requires the
receiving entity to ignore the content-length value and instead use the
chunked-encoding technique to validate the length of the HTTP body.
This places a processing burden on the receiving entity (ISA, in this case),
since a chunked-encoded transfer can't be quantitatively validated until the
transfer is completed.  In the case of a proxy, additional processing is
imposed due to caching behavior that may be dependent on content-size.

The reason those sites are either failing outright (www.delta.com) or
rendering poorly (www.sun.com) is because we chose to reject those responses
out-of-hand.  Since RFC-2616 clearly states "don't combine those headers"
and doing so is a demonstrably malicious act, it seemed unlikely that ISA
would cause problems for any other than malicious sites, and in fact, our
testing validated this belief.  As it turns out, there are quite a few
legitimate sites out there that violate this part of RFC-2616 and so we have
had to rethink our answer to this problem.

Call PSS.
Tell them I sent you.
Ask for the private fix for ISA SE 34978.
Do
It
Now

Jim
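
[Added example, not part of Jim's message and not ISA Server code: a Python illustration of the two choices the message describes for a response that carries both headers, either refusing it outright or ignoring Content-Length and trusting the chunked framing as RFC 2616 requires. The names frame_response, decode_chunked, FramingError and the policy values are assumptions made for this illustration.]

```python
# Added example; the sample response is constructed for illustration.
class FramingError(Exception):
    """Response refused, or its body does not match its declared framing."""

def parse_headers(raw: bytes):
    """Split a raw HTTP/1.1 response into ({name: [values]}, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode(), []).append(
            value.strip().decode())
    return headers, body

def decode_chunked(body: bytes) -> bytes:
    """Decode a chunked body; total length is known only at the 0-size chunk."""
    out, pos = b"", 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise FramingError("truncated chunk header")
        try:
            size = int(body[pos:eol].split(b";")[0], 16)  # drop extensions
        except ValueError:
            raise FramingError("bad chunk size") from None
        if size == 0:
            return out
        start, end = eol + 2, eol + 2 + size
        if len(body[start:end]) != size or body[end:end + 2] != b"\r\n":
            raise FramingError("chunk shorter than declared")
        out += body[start:end]
        pos = end + 2

def frame_response(raw: bytes, policy: str = "rfc2616"):
    """Return (body, note). 'reject' refuses the header pair; 'rfc2616' ignores
    Content-Length and trusts the chunked framing."""
    headers, body = parse_headers(raw)
    chunked = any("chunked" in v.lower()
                  for v in headers.get("transfer-encoding", []))
    lengths = headers.get("content-length", [])
    if chunked and lengths:
        if policy == "reject":
            raise FramingError("Content-Length combined with chunked encoding")
        decoded = decode_chunked(body)
        return decoded, f"ignored Content-Length {lengths[0]}, got {len(decoded)}"
    if chunked:
        return decode_chunked(body), "chunked"
    if lengths:
        return body[:int(lengths[0])], "content-length"
    return body, "read-until-close"

CONFLICTING = (b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n"
               b"4\r\nWiki\r\n7\r\npedia!!\r\n0\r\n\r\n")
```

[With the constructed response, the "rfc2616" policy yields the 11-byte chunked body although Content-Length says 5; the "reject" policy raises FramingError instead.]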

-----Original Message-----
From: MJ [mailto:mjtech@xxxxxxxxx]
Sent: Sunday, March 05, 2006 7:56 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Un-Able to access some web site thru proxy

I got it to open by copying both lines.

I followed everything in it, and since we are only using the proxy part of
this ISA box I disabled everything as the article said, and restarted the
firewall service, but I am still having the same problem.

I also read the ISA 2004 SP2 white paper but didn't see anything that will
help in this situation.

Any other ideas?

Thanks for your responses.



-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Sunday, March 05, 2006 1:42 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Un-Able to access some web site thru proxy

Unwrap it.
The second line is part of the URL.

-----Original Message-----
From: MJ [mailto:mjtech@xxxxxxxxx]
Sent: Saturday, March 04, 2006 9:06 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Un-Able to access some web site thru proxy

Tom,

Thanks for the response, but the link you posted took me to "Error 404 - Not
Found"

I think the document was moved somewhere else.

Thanks again.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Saturday, March 04, 2006 10:54 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Un-Able to access some web site thru proxy

http://blogs.isaserver.org/shinder/news/2006/02/27/isa-firewall-sp-2-bra
nch-office-features-turn-em-off

HTH,
Tom


Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Bryan [mailto:mjtech@xxxxxxxxx]
Sent: Saturday, March 04, 2006 7:02 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Un-Able to access some web site thru proxy

Hi *.*

We have ISA 2004 server that is working fine so far. After installing SP2
things continue to work fine except one little problem:
When we try to access some web sites such as www.delta.com we're getting the
following message:
===========================================================================

Technical Information (for support personnel) Error Code: 502 Proxy Error.
The HTTP request includes a non-supported header. Contact your ISA Server
administrator. (12156) IP Address: 205.174.16.50
Date: 3/5/2006 12:53:52 AM
Server: isaServerName.DomainName.com
Source: proxy
===========================================================================


I am looking for a solution for this problem other than un-installing SP2
because it really fixed more serious problems than this problem.
Also other than chaining to another ISA server with SP1.

The result of my research indicated that this is a bug with SP2, and Microsoft
is working on a hotfix for it, which will be out some time soon.

Just to let you all know, I have contacted MS Support as well, and they told me
the same thing, but because I know that there are smart guys in this list I
thought of posting the question anyway, hoping that someone has a workaround
till the hotfix is available.
MS Support will get back with me on Monday and they may have one of the
developers work with me to fix the problem manually, and if this happens I
promise I will post the solution here for whoever might come across the same
issue.

Thanks a lot guys and have a great day

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


