[isalist] Re: Another question/problem with content type

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 4 Feb 2008 14:04:27 -0800

http://www.ISAserver.org
-------------------------------------------------------

"status 502" has specific meaning, but only if you examine the traffic deeper
or check the ISA logs.
Where is the capture?
Did you get it from both sides of ISA at the same time (only netmon can do that
in one app instance)?

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Mayo, Bill
Sent: Monday, February 04, 2008 1:54 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Another question/problem with content type

Ok, I captured some traffic and I see the GET request for the .jar file
and I see the response that it was denied (status 502).  The URI it is
requesting looks normal (URI:
http://scc.its.state.nc.us/hod/habasen2.jar).  The following looks
relevant, but I am not sure how to interpret it:
Accept:  text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2

If you can provide any further insight into how to figure this out, I
would much appreciate it.

Bill Mayo

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Monday, February 04, 2008 2:25 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Another question/problem with content type

Unless this is happening over an SSL tunnel (in which case you're back
to the previous solution), get a network capture.  Only then can you
know what you need to match.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Mayo, Bill
Sent: Monday, February 04, 2008 10:50 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Another question/problem with content type

I have another problem with content filtering, and I think I am starting
to remember why I had not used it before(!).  I have taken content
filtering off of SSL traffic, and that solved the other problem.  Now, I
have a similar issue where staff are not able to get to a site using
java, where the file being loaded is a ".jar" file.  I went in and added
the extension as an allowed content type for the rule, but that is not
working.  Again, the request is denied upon hitting the default (deny)
rule, indicating it is not matching the allow rule that I have.  This
extension didn't exist in the pre-defined ones, so I added it manually.
When that didn't work, I also added MIME types of application/x-jar and
application/java-archive.  I added those based on some internet
searching.  However, the log does not indicate a mime type at all (shows
MIME-type: - in the log).  I am feeling sufficiently humbled at this
point, and once again ask for guidance.  Your patience is appreciated.

~~~~~~~~~~
Bill Mayo
Pitt County MIS

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Friday, February 01, 2008 10:35 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Problem with outbound SSL traffic


Hi Bill,

This is normal and expected behavior. If you try to control by content
type, the SSL connections will fail, since the content type is hidden
inside the SSL tunnel. If you want this kind of control, you need to
enable outbound SSL bridging using ClearTunnel by Collective Software
www.collectivesoftware.com

HTH,
Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Mayo, Bill
Sent: Friday, February 01, 2008 9:17 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Problem with outbound SSL traffic

I have started migrating staff to our new ISA 2006 servers for
outbound traffic and am seeing a problem.  It appears that the problem
comes up when they go to a secure site.  When I do live log tracking, I
show that the requests are failing because they failed to match any
rules (and are hitting the default deny rule).  However, I have a rule
that allows HTTP and HTTPS traffic for these staff.  In researching the
problem, what I have found is that the problem goes away if I set the
rule to allow "all content types".  The rule was set up to disallow some
content types, such as application.  What is interesting is that even
if I select EVERY available content type, the traffic will still fail.

In troubleshooting, I have seen failures for types of ".js" and
".swf", but I have ensured that they are included in an allowed file
type at this point.  The 2 things that triggered the complaints were
trying to access Yahoo mail and Gmail.  We also tried another secure
site, PayPal, to try and determine if it was every SSL site and that
failed, too.  I don't know if it is default behavior or not, but in the
failed requests it shows the destination address as the ISA Server
address (External (10.100.199.11:443)) while request shows the site they
are trying to access (e.g. www.google.com:443).
When I enable all content types, the destination shows the actual site.

I am new to the logging feature and ISA 2006 (we are migrating
from version 2000--ouch), so I may be missing something entirely.  We
really need to be able to disable average staff from downloading
executables and some media types (e.g. video), and I thought this was
the right way to approach it.  Does anyone have any suggestion, comment,
etc?  I have no doubt there is something I am doing wrong or missing,
but I am not sure where to go from here.

~~~~~~~~~~
Bill Mayo
Network Administrator
Pitt County MIS


------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
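As an added illustration (not code from the thread, from ISA Server or from either poster), here is a small Python checker that reads a captured request/response pair, pulls out the requested file extension, the response Content-Type and the Accept header's q-values, and compares them with the allow-list Bill describes. The sample exchange is constructed to resemble the one in the thread, and the comparison is a simplified model of the analyst's reasoning, not ISA's actual rule-evaluation logic.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed sample exchange modelled on the thread (not a real capture).
REQUEST = (
    "GET http://scc.its.state.nc.us/hod/habasen2.jar HTTP/1.1\r\n"
    "Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n"
    "Host: scc.its.state.nc.us\r\n\r\n"
)
RESPONSE = "HTTP/1.1 502 Proxy Error\r\nContent-Type: text/html\r\n\r\n"

# What the rule in the thread allows (the extension plus the two MIME types).
ALLOWED_EXTENSIONS = {".jar"}
ALLOWED_MIME = {"application/x-jar", "application/java-archive"}


def parse_headers(msg):
    """Split a raw HTTP message into its start line and a lower-cased header dict."""
    start, _, rest = msg.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return start, headers


def parse_accept(value):
    """Return (media_range, q, well_formed) per Accept element; q defaults to 1."""
    out = []
    for item in value.split(","):
        parts = [p.strip() for p in item.split(";")]
        q = 1.0
        for param in parts[1:]:
            if param.startswith("q="):
                q = float(param[2:])            # "q=.2" -> 0.2
        out.append((parts[0], q, "/" in parts[0]))  # bare "*" is not type/subtype
    return out


def classify(request, response):
    """Compare the exchange against the allow-list, as an analyst reading the capture would."""
    start, req_h = parse_headers(request)
    status_line, resp_h = parse_headers(response)
    ext = posixpath.splitext(urlsplit(start.split()[1]).path)[1].lower()
    mime = resp_h.get("content-type", "-").split(";")[0].strip().lower()
    return {
        "status": int(status_line.split()[1]),
        "extension": ext, "extension_allowed": ext in ALLOWED_EXTENSIONS,
        "response_mime": mime, "mime_allowed": mime in ALLOWED_MIME,
        "accept": parse_accept(req_h.get("accept", "*/*")),
    }
```

The Accept header states what the client will take, not what the server sends, so on its own it cannot explain a content-type denial; the bare `*; q=.2` element is not a valid type/subtype media range under RFC 2616 (only `*/*` is) and is the default Accept header of Java's HttpURLConnection, which at least confirms the request came from the Java client rather than the browser.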
