Yepper... That's why I like network captures; all shall be clear.... We had one of the buggered headers in MS-land just last week, too. It seems to be a popular habit of web admins to add headers without determining if they're even needed (much less valid).

Here's the ISA challenge of the day: what's wrong with this response?

- Http: Response WebSite: _BuildHTTPConversation:
  - Response: 0x1
    ProtocolVersion: HTTP/1.1
    StatusCode: 200, Ok
    Reason: OK
    Date: Sat, 02 Feb 2008 00:28:11 GMT
    Server: Apache/2.0.59 (Linux/SuSE)
    XPoweredBy: PHP/4.3.4
    Set-Cookie: sessioncookie=c4293b59dc3dbd577fa37c84d8a39fcb; expires=Sat, 02-Feb-2008 12:28:11 GMT; path=/
    Set-Cookie: mosvisitor=1
    Expires: Mon, 26 Jul 1997 05:00:00 GMT
    Last-Modified: Sat, 02 Feb 2008 00:28:13 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Cache-Control: post-check=0, pre-check=0
    Pragma: no-cache
    Content-Type: text/html; charset=windows-1250
    TransferEncoding: chunked
    Content-Type: text/html; charset=ISO-8859-1
    HeaderEnd: CRLF

..other than the fact that it was delivered by a server running <gag> Crapache.... :)

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Monday, February 04, 2008 3:39 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Another question/problem with content type

Who'd have guessed that one? :) But you make a good point. It's up to the Web server admin to assign the ContentType, which can have nothing to do with what the actual content type is.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Monday, February 04, 2008 4:50 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Another question/problem with content type

In the response from that server, the content-type is neither of the types you've chosen.

- Http: Response, HTTP/1.1, Status Code = 200, URL: http://scc.its.state.nc.us/hod/habasen2.jar
  - Response: 0x1
    ProtocolVersion: HTTP/1.1
    StatusCode: 200, Ok
    Reason: Document follows
    Via: 1.1 B43-ISA-02
    Connection: Keep-Alive
    Proxy-Connection: Keep-Alive
    ContentLength: 879830
    Date: Mon, 04 Feb 2008 22:20:01 GMT
    ContentType: multipart/x-zip
    Server: IBM HTTP Server/V5R3M0
    Accept-Ranges: bytes
    Last-Modified: Sun, 01 Apr 2007 02:31:28 GMT
    HeaderEnd: CRLF

This is the joy of trying to second-guess what a remote server interprets as a "content-type".

Jim

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mayo, Bill
Sent: Monday, February 04, 2008 2:10 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Another question/problem with content type

http://www.ISAserver.org
-------------------------------------------------------

I used NetMon and selected the internal and external interfaces. I can see from the regular logs that it is denied because it is hitting the default rule at the end which says to deny if no other rule was matched. I do have a rule that says to allow http traffic with a content type of ".jar", but it is not getting matched for some reason.
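Added example for this archive page (not code from the thread, from ISA Server or from Network Monitor): a small Python content-type check that does what Jim's advice amounts to, namely read the raw response headers out of a capture and work out which media type a filter would actually be matching on. It covers both captures above: the habasen2.jar response, whose server labels the file multipart/x-zip so that an allow-list of application/x-jar and application/java-archive cannot match it, and the "challenge of the day" response that carries two Content-Type headers with different charsets. The sample responses are reconstructed from the quoted captures; the status lines, the CRLF framing, the function names parse_headers/media_type/decide and the choice to refuse a response whose Content-Type headers disagree are this example's own and say nothing about how ISA itself matches.

```python
# Added example (not from the isalist thread, ISA Server or Network Monitor).
# Parses a raw HTTP response head the way a content-type filter has to, keeps
# every Content-Type the server sent, and tests the declared type against a
# MIME allow-list, reporting why the decision went the way it did.
from typing import List, NamedTuple, Optional, Set, Tuple

# Reconstructed from the habasen2.jar capture quoted in the thread (header
# values as quoted; status line and CRLF framing constructed here).
JAR_RESPONSE = (
    "HTTP/1.1 200 Document follows\r\n"
    "Via: 1.1 B43-ISA-02\r\n"
    "Connection: Keep-Alive\r\n"
    "Proxy-Connection: Keep-Alive\r\n"
    "Content-Length: 879830\r\n"
    "Date: Mon, 04 Feb 2008 22:20:01 GMT\r\n"
    "Content-Type: multipart/x-zip\r\n"
    "Server: IBM HTTP Server/V5R3M0\r\n"
    "Accept-Ranges: bytes\r\n"
    "Last-Modified: Sun, 01 Apr 2007 02:31:28 GMT\r\n"
    "\r\n"
)

# Reconstructed from the "challenge of the day" capture: two Content-Type
# headers on one response, disagreeing on the charset.
PHP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 02 Feb 2008 00:28:11 GMT\r\n"
    "Server: Apache/2.0.59 (Linux/SuSE)\r\n"
    "X-Powered-By: PHP/4.3.4\r\n"
    "Set-Cookie: sessioncookie=c4293b59dc3dbd577fa37c84d8a39fcb; "
    "expires=Sat, 02-Feb-2008 12:28:11 GMT; path=/\r\n"
    "Set-Cookie: mosvisitor=1\r\n"
    "Expires: Mon, 26 Jul 1997 05:00:00 GMT\r\n"
    "Last-Modified: Sat, 02 Feb 2008 00:28:13 GMT\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "Cache-Control: post-check=0, pre-check=0\r\n"
    "Pragma: no-cache\r\n"
    "Content-Type: text/html; charset=windows-1250\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Content-Type: text/html; charset=ISO-8859-1\r\n"
    "\r\n"
)


class Decision(NamedTuple):
    media_type: Optional[str]        # type the filter matched on, if unambiguous
    content_types: Tuple[str, ...]   # every Content-Type value seen, in wire order
    allowed: bool
    reason: str


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.1 response head into ordered (name, value) pairs.
    Names are lower-cased. Duplicates are kept, not collapsed into a dict,
    because a filter must see every Content-Type the server sent."""
    lines = raw.split("\r\n")
    if not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if line == "":
            break  # blank line ends the header block
        name, sep, value = line.partition(":")  # first colon only; values may contain colons
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def media_type(value: str) -> str:
    """'text/html; charset=ISO-8859-1' -> 'text/html' (parameters dropped, case folded)."""
    return value.split(";", 1)[0].strip().lower()


def decide(raw: str, allowed_types: Set[str]) -> Decision:
    """Decide whether a response passes a MIME-type allow-list and say why.
    Responses whose Content-Type headers disagree are refused: a proxy that
    keeps the first header and a browser that keeps the last would not agree
    on what the body is, so the filter must not guess."""
    values = tuple(v for n, v in parse_headers(raw) if n == "content-type")
    if not values:
        return Decision(None, values, False, "no Content-Type header; nothing to match")
    distinct = sorted({" ".join(v.split()).lower() for v in values})
    if len(distinct) > 1:
        return Decision(None, values, False,
                        "conflicting Content-Type headers: " + " | ".join(distinct))
    mt = media_type(distinct[0])
    if mt in {t.lower() for t in allowed_types}:
        return Decision(mt, values, True, "%s is in the allow-list" % mt)
    return Decision(mt, values, False,
                    "%s is not in the allow-list %s" % (mt, sorted(allowed_types)))


if __name__ == "__main__":
    jar_rule = {"application/x-jar", "application/java-archive"}
    print(decide(JAR_RESPONSE, jar_rule).reason)
    print(decide(JAR_RESPONSE, jar_rule | {"multipart/x-zip"}).reason)
    print(decide(PHP_RESPONSE, {"text/html"}).reason)
```

Run it and the first decision states the thread's finding in one line: the rule lists the two Java MIME types but the server declares multipart/x-zip, so nothing in the allow-list can match until that type is added. The second response is refused not because text/html is disallowed but because the two headers disagree; which charset the body is read with then depends on whether the consumer keeps the first header or the last, and a filter has no business resolving that on the server's behalf.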
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Monday, February 04, 2008 5:04 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Another question/problem with content type

"status 502" has specific meaning, but only if you examine the traffic deeper or check the ISA logs. Where is the capture? Did you get it from both sides of ISA at the same time (only netmon can do that in one app instance)?

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mayo, Bill
Sent: Monday, February 04, 2008 1:54 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Another question/problem with content type

Ok, I captured some traffic and I see the GET request for the .jar file and I see the response that it was denied (status 502). The URI it is requesting looks normal (URI: http://scc.its.state.nc.us/hod/habasen2.jar). The following looks relevant, but I am not sure how to interpret it:

Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2

If you can provide any further insight into how to figure this out, I would much appreciate it.

Bill Mayo

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Monday, February 04, 2008 2:25 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Another question/problem with content type

Unless this is happening over an SSL tunnel (in which case you're back to the previous solution), get a network capture. Only then can you know what you need to match.
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mayo, Bill
Sent: Monday, February 04, 2008 10:50 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Another question/problem with content type

I have another problem with content filtering, and I think I am starting to remember why I had not used it before(!). I have taken content filtering off of SSL traffic, and that solved the other problem. Now, I have a similar issue where staff are not able to get to a site using Java, where the file being loaded is a ".jar" file. I went in and added the extension as an allowed content type for the rule, but that is not working. Again, the request is denied upon hitting the default (deny) rule, indicating it is not matching the allow rule that I have. This extension didn't exist in the pre-defined ones, so I added it manually. When that didn't work, I also added MIME types of application/x-jar and application/java-archive. I added those based on some internet searching. However, the log does not indicate a MIME type at all (shows MIME-type: - in the log).

I am feeling sufficiently humbled at this point, and once again ask for guidance. Your patience is appreciated.

~~~~~~~~~~
Bill Mayo
Pitt County MIS

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, February 01, 2008 10:35 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Problem with outbound SSL traffic

Hi Bill,

This is normal and expected behavior. If you try to control by content type, the SSL connections will fail, since the content type is hidden inside the SSL tunnel. If you want this kind of control, you need to enable outbound SSL bridging using ClearTunnel by Collective Software www.collectivesoftware.com

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Mayo, Bill
Sent: Friday, February 01, 2008 9:17 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Problem with outbound SSL traffic

I have started migrating staff to our new ISA 2006 servers for outbound traffic and am seeing a problem. It appears that the problem comes up when they go to a secure site. When I do live log tracking, I show that the requests are failing because they failed to match any rules (and are hitting the default deny rule). However, I have a rule that allows HTTP and HTTPS traffic for these staff. In researching the problem, what I have found is that the problem goes away if I set the rule to allow "all content types". The rule was set up to disallow some content types, such as application. What is interesting is that even if I select EVERY available content type, the traffic will still fail. In troubleshooting, I have seen failures for types of ".js" and ".swf", but I have ensured that they are included in an allowed file type at this point. The 2 things that triggered the complaints were trying to access Yahoo mail and Gmail. We also tried another secure site, PayPal, to try and determine if it was every SSL site and that failed, too.

I don't know if it is default behavior or not, but in the failed requests it shows the destination address as the ISA Server address (External (10.100.199.11:443)) while the request shows the site they are trying to access (e.g. www.google.com:443). When I enable all content types, the destination shows the actual site.

I am new to the logging feature and ISA 2006 (we are migrating from version 2000--ouch), so I may be missing something entirely.
We really need to be able to disable average staff from downloading executables and some media types (e.g. video), and I thought this was the right way to approach it. Does anyone have any suggestion, comment, etc? I have no doubt there is something I am doing wrong or missing, but I am not sure where to go from here.

~~~~~~~~~~
Bill Mayo
Network Administrator
Pitt County MIS

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites: http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------