[isalist] Re: Another question/problem with content type

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 4 Feb 2008 19:03:44 -0800

Yepper...

That's why I like network captures; all shall be clear....
We had one of the buggered headers in MS-land just last week, too.
It seems to be a popular habit of web admins to add headers without determining 
if they're even needed (much less valid)

Here's the ISA challenge of the day: what's wrong with this response?
- Http: Response WebSite:
    _BuildHTTPConversation:
  - Response: 0x1
     ProtocolVersion: HTTP/1.1
     StatusCode: 200, Ok
     Reason: OK
     Date:  Sat, 02 Feb 2008 00:28:11 GMT
     Server:  Apache/2.0.59 (Linux/SuSE)
     XPoweredBy:  PHP/4.3.4
     Set-Cookie:  sessioncookie=c4293b59dc3dbd577fa37c84d8a39fcb; expires=Sat, 02-Feb-2008 12:28:11 GMT; path=/
     Set-Cookie:  mosvisitor=1
     Expires:  Mon, 26 Jul 1997 05:00:00 GMT
     Last-Modified:  Sat, 02 Feb 2008 00:28:13 GMT
     Cache-Control:  no-store, no-cache, must-revalidate
     Cache-Control:  post-check=0, pre-check=0
     Pragma:  no-cache
      Content-Type:  text/html; charset=windows-1250
     TransferEncoding:  chunked
     Content-Type:  text/html; charset=ISO-8859-1
     HeaderEnd: CRLF

..other than the fact that it was delivered by a server running <gag> 
Crapache....
:)

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thomas W Shinder
Sent: Monday, February 04, 2008 3:39 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Another question/problem with content type

Who'd a guess that one? :)

But you make a good point. It's up to the Web server admin to assign the 
ContentType, which can have nothing to do with what the actual content type is.


Thomas W Shinder, M.D.
Site: www.isaserver.org<http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)


________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Monday, February 04, 2008 4:50 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Another question/problem with content type

In the response from that server, the content-type is neither of the types 
you've chosen.

- Http: Response, HTTP/1.1, Status Code = 200, URL: http://scc.its.state.nc.us/hod/habasen2.jar
  - Response: 0x1
     ProtocolVersion: HTTP/1.1
     StatusCode: 200, Ok
     Reason: Document follows
     Via:  1.1 B43-ISA-02
     Connection:  Keep-Alive
     Proxy-Connection:  Keep-Alive
     ContentLength:  879830
     Date:  Mon, 04 Feb 2008 22:20:01 GMT
     ContentType:  multipart/x-zip
     Server:  IBM HTTP Server/V5R3M0
     Accept-Ranges:  bytes
     Last-Modified:  Sun, 01 Apr 2007 02:31:28 GMT
     HeaderEnd: CRLF



This is the joy of trying to second-guess what a remote server interprets as a 
"content-type".



Jim
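
[Added example, not part of the original thread or any poster's code.] The
two captures above can be checked mechanically: the sketch below parses a
Netmon-style header dump, flags single-valued headers that repeat with
different values, and compares the served Content-Type against an allow list.
The function names and the SINGLETON list are hypothetical, the samples are
trimmed copies of the captures in this thread, and nothing here reproduces
ISA Server's own rule matching.

```python
import re
from collections import defaultdict

# Headers that carry a single value; a repeat with a different value is ambiguous.
SINGLETON = ("contenttype", "contentlength", "transferencoding")

# Constructed samples: trimmed copies of the two captures quoted in this thread.
APACHE_CAPTURE = """\
     Server:  Apache/2.0.59 (Linux/SuSE)
     Content-Type:  text/html; charset=windows-1250
     TransferEncoding:  chunked
     Content-Type:  text/html; charset=ISO-8859-1
     HeaderEnd: CRLF
"""
JAR_CAPTURE = """\
     ContentLength:  879830
     ContentType:  multipart/x-zip
     Server:  IBM HTTP Server/V5R3M0
     HeaderEnd: CRLF
"""
# MIME types the allow rule in the thread was given for .jar downloads.
JAR_ALLOWED = {"application/x-jar", "application/java-archive"}

def norm(name):
    # Netmon prints some names without hyphens (ContentType); fold both spellings.
    return name.replace("-", "").lower()

def parse_headers(capture):
    """Return {normalized name: [values in order]} from a Netmon-style dump."""
    headers = defaultdict(list)
    for line in capture.splitlines():
        m = re.match(r"\s*([A-Za-z-]+):\s*(.*\S)\s*$", line)
        if m:
            headers[norm(m.group(1))].append(m.group(2))
    return headers

def audit(capture, allowed):
    """List (kind, header, values) findings for one response."""
    headers, findings = parse_headers(capture), []
    for name in SINGLETON:
        values = headers.get(name, [])
        if len(set(values)) > 1:
            findings.append(("conflict", name, values))
    ctypes = headers.get("contenttype", [])
    if not ctypes:
        findings.append(("missing", "contenttype", []))
    for value in ctypes:
        mtype = value.split(";", 1)[0].strip().lower()  # drop charset etc.
        if mtype not in allowed:
            findings.append(("not-allowed", "contenttype", [mtype]))
    return findings

if __name__ == "__main__":
    print(audit(APACHE_CAPTURE, {"text/html"}))
    print(audit(JAR_CAPTURE, JAR_ALLOWED))
```
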



-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Mayo, Bill
Sent: Monday, February 04, 2008 2:10 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Another question/problem with content type



http://www.ISAserver.org

-------------------------------------------------------



I used NetMon and selected the internal and external interfaces.  I can
see from the regular logs that it is denied because it is hitting the
default rule at the end which says to deny if no other rule was matched.
I do have a rule that says to allow http traffic with a content type of
".jar", but it is not getting matched for some reason.



-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Monday, February 04, 2008 5:04 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Another question/problem with content type






"status 502" has specific meaning, but only if you examine the traffic
deeper or check the ISA logs.
Where is the capture?
Did you get it from both sides of ISA at the same time (only netmon can
do that in one app instance)?



-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mayo, Bill
Sent: Monday, February 04, 2008 1:54 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Another question/problem with content type






Ok, I captured some traffic and I see the GET request for the .jar file
and I see the response that it was denied (status 502).  The URI it is
requesting looks normal (URI: http://scc.its.state.nc.us/hod/habasen2.jar).
The following looks relevant, but I am not sure how to interpret it:

Accept:  text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2

If you can provide any further insight into how to figure this out, I
would much appreciate it.



Bill Mayo



-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Monday, February 04, 2008 2:25 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Another question/problem with content type






Unless this is happening over an SSL tunnel (in which case you're back
to the previous solution), get a network capture.  Only then can you
know what you need to match.



-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mayo, Bill
Sent: Monday, February 04, 2008 10:50 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Another question/problem with content type



I have another problem with content filtering, and I think I am starting
to remember why I had not used it before(!).  I have taken content
filtering off of SSL traffic, and that solved the other problem.  Now, I
have a similar issue where staff are not able to get to a site using
java, where the file being loaded is a ".jar" file.  I went in and added
the extension as an allowed content type for the rule, but that is not
working.  Again, the request is denied upon hitting the default (deny)
rule, indicating it is not matching the allow rule that I have.  This
extension didn't exist in the pre-defined ones, so I added it manually.
When that didn't work, I also added MIME types of application/x-jar and
application/java-archive.  I added those based on some internet
searching.  However, the log does not indicate a mime type at all (shows
MIME-type: - in the log).  I am feeling sufficiently humbled at this
point, and once again ask for guidance.  Your patience is appreciated.

~~~~~~~~~~
Bill Mayo
Pitt County MIS



________________________________



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, February 01, 2008 10:35 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Problem with outbound SSL traffic





Hi Bill,

This is normal and expected behavior. If you try to control by content
type, the SSL connections will fail, since the content type is hidden
inside the SSL tunnel. If you want this kind of control, you need to
enable outbound SSL bridging using ClearTunnel by Collective Software
www.collectivesoftware.com

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)









________________________________



        From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mayo, Bill
        Sent: Friday, February 01, 2008 9:17 AM
        To: isalist@xxxxxxxxxxxxx
        Subject: [isalist] Problem with outbound SSL traffic







        I have started migrating staff to our new ISA 2006 servers for
        outbound traffic and am seeing a problem.  It appears that the problem
        comes up when they go to a secure site.  When I do live log tracking, I
        show that the requests are failing because they failed to match any
        rules (and are hitting the default deny rule).  However, I have a rule
        that allows HTTP and HTTPS traffic for these staff.  In researching the
        problem, what I have found is that the problem goes away if I set the
        rule to allow "all content types".  The rule was set up to disallow some
        content types, such as application.  What is interesting is that even
        if I select EVERY available content type, the traffic will still fail.

        In troubleshooting, I have seen failures for types of ".js" and
        ".swf", but I have ensured that they are included in an allowed file
        type at this point.  The 2 things that triggered the complaints were
        trying to access Yahoo mail and Gmail.  We also tried another secure
        site, PayPal, to try and determine if it was every SSL site and that
        failed, too.  I don't know if it is default behavior or not, but in the
        failed requests it shows the destination address as the ISA Server
        address (External (10.100.199.11:443)) while request shows the site they
        are trying to access (e.g. www.google.com:443).
        When I enable all content types, the destination shows the actual site.

        I am new to the logging feature and ISA 2006 (we are migrating
        from version 2000--ouch), so I may be missing something entirely.  We
        really need to be able to disable average staff from downloading
        executables and some media types (e.g. video), and I thought this was
        the right way to approach it.  Does anyone have any suggestion, comment,
        etc?  I have no doubt there is something I am doing wrong or missing,
        but I am not sure where to go from here.

        ~~~~~~~~~~
        Bill Mayo
        Network Administrator
        Pitt County MIS





------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx














