OK- some of you guys may be tired of this, but this is important stuff and
has ISA-Server wide configuration consequences.
According to http://support.microsoft.com/kb/838368/en-us disabling the Web
Proxy Filter *does indeed* disable the HTTP filter:
<snip>
Click the Parameters tab, click to clear the Web Proxy Filter check box
under Application Filters, and then click OK.
Important If you disable the Web Proxy Filter, ISA Server 2004 no longer
performs HTTP content inspection.
</snip>
Not knowing who to believe, I tested it myself. I configured the HTTP
filter on my outbound web rule to only allow GET requests. I tested a POST,
and it failed appropriately. I then unbound the Web Proxy Filter from HTTP
(and applied). Without refreshing the Firewall client, I immediately tried
again. The POST still failed, leading one to think that the HTTP filter was
still being applied. However, upon refreshing the Firewall client, the
request went right through, even in the presence of the rule's HTTP Filter
configured to only allow GET.
Unbinding the Web Proxy Filter from HTTP *disables* the HTTP Filter /
content filtering. That blows.
This whole business brings into question the Direct Access functionality for
external sites altogether. While I see the value for internal sites,
reading KB's on how to set up Direct Access for FWC's states nowhere that
for it to work you have to unbind the Web Proxy Filter from HTTP. Yet it
is clear in packet traces that leaving it bound to HTTP makes ISA proxy the
connection anyway.
Further, setting up a custom HTTP rule works for establishing the
connection, but once ISA determines that the content is HTTP, it still
applies the filter to it. So you can't leave the Web Proxy Filter bound to
HTTP and make a custom rule above your normal rule for a particular site and
have it work. It even shows in the log that "HTTP (Custom)" is the
initialized rule, but "http" (note the lower case) is used for the "Outbound
HTTP" rule.
What are the other "work arounds" mentioned? Jim, you've been strangely
silent on this one-- anything to offer here? Typically when you don't get
involved it's 'cause you've got the super-secret info.
t
----- "I'll see your Llama and up you a Badger." John T
http://www.ISAserver.org
OK you,
Anybody else, and I'd tell 'em to RTFM, but one day I may come to you and ask a favor.
When you unbind the Web proxy filter from the HTTP protocol, it has the untoward effect that you observed -- the HTTP security configuration interface disappears. HOWEVER, that does NOT mean that its not working. All the settings you have created so far are still in effect for Web proxy clients.
However, machines that aren't explicitly configured as Web proxy clients, will not be exposed to the Web proxy filter or the Web proxy filter extension that is the HTTP security filter. When the Web proxy filter is enabled, it automaticaly forwards the SecureNAT and Firewall client connections to the Web proxy filter, so that even though they aren't explicitly configured as Web proxy clients, they can still benefit from the security and performance enhancments you get from the Web proxy filter and its extensions.
If you want to make changes to the HTTP security filter, go to the HTTP protocol and rebind the filter. You don't need to apply the changes to the firewall policy. Then right click any rule that includes the HTTP protocol and you'll see the Configure HTTP option again. Then make the changes you want to the filter settings, then go back and unbind the Web proxy filter from the HTTP protocol. Apply the changes to the firewall policy and you're good.
There's another way to do this, but this is my way. :) There's a KB article on an alternate approach if you want to take the highway.
Tom
Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?**
-----Original Message----- From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] Sent: Tuesday, January 17, 2006 5:19 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Continued issues with particular site
http://www.ISAserver.org
Unbinding the Web Proxy Filter from HTTP worked. However, I can no longer "Configure HTTP" anywhere, on any rule. I tried what Steve suggested, which is to create an allow rule for the site, but you can't unbind Web Proxy Filter from an individual rule - ( thanks for nuttin, Moffat!!! ;) all you can do is "Configure HTTP." Hell, I even tried a custom HTTP Protocol Definition (with no filtering at all) and it still doesn't work.
While I could still access the web via clients specifically set to use a proxy, why would my HTTP filter configuration options go away because I unbound the Web Proxy Filter?
Is there no other way to do this????
t
----- "I'll see your Llama and up you a Badger." John T
----- Original Message ----- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, January 17, 2006 2:07 PM
Subject: [isalist] RE: Continued issues with particular site
http://www.ISAserver.org
The FWC will stuff use the Web proxy filter if the Web proxy filter is still bound to the HTTP protocol. There are a number of workarounds, but the one I use because it's the easiest :) is to just unbind the Web proxy filter from the HTTP protocol and then configure the sites for Direct Access.
This enables me to continue to benefit from the Web proxy filter and its HTTP security filter for Web proxy client connections (machines that are explicitly configured as Web proxy clients) and bypass the Web proxy filter for all SecureNAT (SecureNET) and FWC connections.
Tom
Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?**
> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Tuesday, January 17, 2006 3:59 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Continued issues with particular site
>
> http://www.ISAserver.org
>
> That what I was saying to myself... the "Via" tells all. But
> check it--
> I've got both the IP and the *.domain.com in the direct
> access tab for the
> source (listening) network config, I've got the firewall
> client loaded and
> refreshed, I've unchecked "use proxy" on the firewall client
> config for the
> network config, I've made sure the client is not set to use a
> proxy in IE.
>
> Yet, the capture stills says "Via."
>
> WTF now?
>
> t
>
> -----
> "I'll see your Llama and up you a Badger."
> John T
>
>
>
> ----- Original Message ----- > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Tuesday, January 17, 2006 1:44 PM
> Subject: [isalist] RE: Continued issues with particular site
>
>
> http://www.ISAserver.org
>
> That's NOT a DIRECT ACCESS connection!
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Tuesday, January 17, 2006 3:41 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Continued issues with particular site
> >
> > <p align=\"left\"><b><font face=\"Arial\" size=\"2\">GFI
> > MailSecurity's HTML threat engine found HTML scripts in this
> > email and has disabled
them.</font></b></p>http://www.ISAserver.org
> >
> > So, I've basically honed it down to this. Here is what we
> get on the
> > external interface after the client issues the POST for the
> > tracking number:
> >
> > HTTP/1.1.100.Continue..Server:.Microsoft-IIS/5.0..Date:.Tue,.1
> > 7.Jan.2006.21:03:46.GMT....
> > -then-
> > HTTP/1.1.200.OK..Server:.Microsoft-IIS/5.0..Date:.Tue,.17.Jan.
> 2006.21:03:46.GMT..Connection:.close..Content->
> Type:.text/html..............<HTML>......<HEAD>..........<META
> > .http-equiv="Expires".content="0">..........<META.http-equiv="
> > Pragma".content="no-cache">..........<META.http-equiv="Cache-C
> > ontrol".content="no-cache">.........<LINK.type="text/css".href
> > ="include/master.css"
> > .rel="stylesheet">..........<SCRIPT.type="text/javascript".src="
> > include/form_validation.js"></XCRIPT>..........<SCRIPT.type="tex
> > t/javascript".src="include/multi_onload.js"></XCRIPT>..........<
> > TITLE>IPT,.LLC.</TITLE>......</HEAD>......<BODY.leftmargin="0".m
> > arginheight="0".marginwidth="0".topmargin="0">..............<TAB
> > LE.width="100%".border="0".cellspacing="0".cellpadding="0">...
> > ...........<TR>
> >
> > -- with the rest of the page following.
> >
> > But on the internal interface, this is what goes to the client:
> >
> > HTTP/1.1.100.Continue..Via:.1.1.ISA-VPN..Date:.Tue,.17.Jan.200
> > 6.21:25:31.GMT..Server:.Microsoft-IIS/5.0...
> > .
> > HTTP/1.1.200.OK..Via:.1.1.ISA-VPN..Connection:.close..Proxy-Co
> nnection:.close..Date:.Tue,.17.Jan.2006.21:25:31.GMT..Content-
> Type:.text
> /html..Server:.Microsoft-> IIS/5.0....
> >
> >
> > And that's it. It dies.
> >
> >
> > WTF? Anyone? Beuller? Anyone?
> >
> > t
> >
> > -----
> > "I'll see your Llama and up you a Badger."
> > John T
> >
> >
> >
> > ----- Original Message ----- > > From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Tuesday, January 17, 2006 12:09 PM
> > Subject: [isalist] RE: Continued issues with particular site
> >
> >
> > > http://www.ISAserver.org
> > >
> > > That's my next step. I've compared captures from
> > direct/ISA (which was a
> > > waste of time) but now I'll have to see what I get in front
> > and behind
> > > ISA. Working on it now.
> > >
> > > t
> > >
> > > -----
> > > "I'll see your Llama and up you a Badger."
> > > John T
> > >
> > >
> > >
> > > ----- Original Message ----- > > > From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Tuesday, January 17, 2006 9:41 AM
> > > Subject: [isalist] RE: Continued issues with particular site
> > >
> > >
> > > http://www.ISAserver.org
> > >
> > > Got captures?
> > > We can determine a *lot* from a two-sided capture...
> > >
> > > -------------------------------------------------------
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://isaserver.org/Jim_Harrison/
> > > http://isatools.org
> > > Read the help / books / articles!
> > > -------------------------------------------------------
> > >
> > >
> > > -----Original Message-----
> > > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > > Sent: Tuesday, January 17, 2006 09:06
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Continued issues with particular site
> > >
> > > http://www.ISAserver.org
> > >
> > > I've still not been able to solve the problem with this one
> > particular
> > > page on a site we must use to track service calls. My
> > users can log on to
> > > the site fine, and access parts of the site, but when we
> go to this
> > > particular page to track issues by number, it comes up with
> > a blank page.
> > >
> > > "View Source" shows the right tags, <HTML> through </HTML>,
> > but there is
> > > no content. Accessing outside of ISA works fine. I've
> > tried FW Client,
> > > Proxy Client, changing authentication on both the rule and
> > the network
> > > proxy listener, entering "Direct Access," etc, removing the
> > HTTP filter,
> > > etc and nothing works.
> > >
> > > The logs show the site being accessed properly, though the
> > page is blank.
> > >
> > > Where to turn? Is it PSS time?
> > >
> > > t
> > >
> > >
> > >
> > >
> > > -----
> > > "I'll see your Llama and up you a Badger."
> > > John T
> > >
> > >
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ:
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org
> > Discussion List as:
> > > jim@xxxxxxxxxxxx To unsubscribe visit
> > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> > > All mail to and from this domain is GFI-scanned.
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ:
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org
> > Discussion List as:
> > > thor@xxxxxxxxxxxxxxx
> > > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ:
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org
> > Discussion List as:
> > > thor@xxxxxxxxxxxxxxx
> > > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> > >
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion
> > List as: tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> >
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as:
> thor@xxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: thor@xxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx