[isalist] Re: Another question/problem with content type
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Mon, 4 Feb 2008 17:39:17 -0600
Who'd a guess that one? :)
But you make a good point. Its up to Web server admin to assign the
ContentType, which can have nothing to do with what the actual content
type is.
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
MVP -- Microsoft Firewalls (ISA)
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Monday, February 04, 2008 4:50 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Another question/problem with content
type
In the response from that server, the content-type is neither of
the types you've chosen.
- Http: Response, HTTP/1.1, Status Code = 200, URL:
http://scc.its.state.nc.us/hod/habasen2.jar
- Response: 0x1
ProtocolVersion: HTTP/1.1
StatusCode: 200, Ok
Reason: Document follows
Via: 1.1 B43-ISA-02
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
ContentLength: 879830
Date: Mon, 04 Feb 2008 22:20:01 GMT
ContentType: multipart/x-zip
Server: IBM HTTP Server/V5R3M0
Accept-Ranges: bytes
Last-Modified: Sun, 01 Apr 2007 02:31:28 GMT
HeaderEnd: CRLF
This is the joy of trying to second-guess what a remote server
interprets as a "content-type".
Jim
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mayo, Bill
Sent: Monday, February 04, 2008 2:10 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Another question/problem with content
type
http://www.ISAserver.org
-------------------------------------------------------
I used NetMon and selected the internal and external interfaces.
I can
see from the regular logs that it is denied because it is
hitting the
default rule at the end which says to deny if no other rule was
matched.
I do have a rule that says to allow http traffic with a content
type of
".jar", but it is not getting matched for some reason.
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Monday, February 04, 2008 5:04 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Another question/problem with content
type
http://www.ISAserver.org
-------------------------------------------------------
"status 502" has specific meaning, but only if you examine the
traffic
deeper or check the ISA logs.
Where is the capture?
Did you get it from both side of ISA at the same time (only
netmon can
do that in one app instance)?
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Mayo, Bill
Sent: Monday, February 04, 2008 1:54 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Another question/problem with content
type
http://www.ISAserver.org
-------------------------------------------------------
Ok, I captured some traffic and I see the GET request for the
.jar file
and I see the response that it was denied (status 502). The URI
it is
requesting looks normal (URI:
http://scc.its.state.nc.us/hod/habasen2.jar). The following
looks
relevant, but I am not sure how to interpret it:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
If you can provide any further insight into how to figure this
out, I
would much appreciate it.
Bill Mayo
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Monday, February 04, 2008 2:25 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Another question/problem with content
type
http://www.ISAserver.org
-------------------------------------------------------
Unless this is happening over an SSL tunnel (in which case
you're back
to the previous solution), get a network capture. Only then can
you
know what you need to match.
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Mayo, Bill
Sent: Monday, February 04, 2008 10:50 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Another question/problem with content type
I have another problem with content filtering, and I think I am
starting
to remember why I had not used it before(!). I have taken
content
filtering off of SSL traffic, and that solved the other problem.
Now, I
have a similar issue where staff are not able to get to a site
using
java, where the file being loaded is a ".jar" file. I went in
and added
the extension as an allowed content type for the rule, but that
is not
working. Again, the request is denied upon hitting the default
(deny)
rule, indicating it is not matching the allow rule that I have.
This
extension didn't exist in the pre-defined ones, so I added it
manually.
When that didn't work, I also added MIME types of
application/x-jar and
application/java-archive. I added those based on some internet
searching. However, the log does not indicate a mime type at
all (shows
MIME-type: - in the log). I am feeling sufficiently humbled at
this
point, and once again ask for guidance. Your patience is
appreciated.
~~~~~~~~~~
Bill Mayo
Pitt County MIS
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Friday, February 01, 2008 10:35 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Problem with outbound SSL traffic
Hi Bill,
This is normal and expected behavior. If you try to control by
content
type, the SSL connections will fail, since the content type is
hidden
inside the SSL tunnel. If you want this kind of control, you
need to
enable outbound SSL bridging using ClearTunnel by Collective
Software
www.collectivesoftware.com
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP --
Microsoft Firewalls (ISA)
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mayo, Bill
Sent: Friday, February 01, 2008 9:17 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Problem with outbound SSL traffic
I have started migrating staff to our new ISA 2006
servers for
outbound traffic and am seeing a problem. It appears that the
problem
comes up when they go to a secure site. When I do live log
tracking, I
show that the requests are failing because they failed to match
any
rules (and are hitting the default deny rule). However, I have
a rule
that allows HTTP and HTTPS traffic for these staff. In
researching the
problem, what I have found is that the problem goes away if I
set the
rule to allow "all content types". The rule was setup to
disallow some
contents types, such as application. What is interesting is
that even
if I selecte EVERY available content type, the traffic will
still fail.
In troubleshooting, I have seen failures for types of
".js" and
".swf", but I have ensured that they are included in an allowed
file
type at this point. The 2 things that triggered the complaints
was
trying to access Yahoo mail and Gmail. We also tried another
secure
site, PayPal, to try and determine if it was every SSL site and
that
failed, too. I don't know if it is default behavior or not, but
in the
failed requests it shows the destination address as the ISA
Server
address (External (10.100.199.11:443)) while request shows the
site they
are trying to access (e.g. www.google.com:443
<www.google.com:443> ).
When I enable all content types, the destination shows the
actual site.
I am new to the logging feature and ISA 2006 (we are
migrating
from version 2000--ouch), so I may be missing something
entirely. We
really need to be able to disable average staff from downloading
executables and some media types (e.g. video), and I thought
this was
the right way to approach it. Does anyone have any suggestion,
comment,
etc? I have no doubt there is something I am doing wrong or
missing,
but I am not sure where to go from here.
~~~~~~~~~~
Bill Mayo
Network Administrator
Pitt County MIS
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
