RE: Creating a custom HTTP protocol

  • From: "Rob Moore" <RMoore@xxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 12 Dec 2005 10:30:04 -0500

Between snow days and other stuff, it's taken me a while to get this
fully tested. Now I'm getting access to the Staples website to work, but
in a rather quirky way. In addition to the four steps I originally
mentioned below, I've now also configured the site for direct access.
(To do this I opened the Internal network, went to the Web Browser tab,
and made an entry for Staples--*.staples.com--in the "Directly access
these servers or domains" section.)
 
I've configured my computer to use the autoconfig script. I've tried
accessing the Staples website both with and without the Firewall Client
software installed. Behavior is the same either way.
 
What happens now is when I try to access the Staples website I get the
usual error (actually, it's slightly different--now instead of getting
the official ISA orange/yellow one that had more detail, now I get a
much more generic-looking one, but with the same essential error: "Error
Code: 500 Internal Server Error. The request was rejected by the HTTP
filter"). If I then put the address back into the address bar, I connect
to the Staples website no problem.

When I look at the logs, all the entries for my attempted access go
through my generic "access to the Internet" rule--the one that allows
most web traffic to most people. None of the traffic is being looked at
by my new "access to Staples" rule, which is above the generic rule. I
do get a few "Access Denied" entries (Blocked by the HTTP security
filter: the response content is encoded and cannot be scanned).
 
Any thoughts about what might be going on now?


Thanks,
Rob

________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Wednesday, December 07, 2005 11:27 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Creating a custom HTTP protocol


http://www.ISAserver.org

Hi Rob,
 
You also have to configure the site for Direct Access, since Web proxy
clients will always be Web proxy filter clients. The Direct Access
config will bypass the Web proxy client config and enable the Firewall
client to handle the connection. And since the Web proxy filter is
unbound from the HTTP protocol, the Firewall client connection won't be
passed up to the filter.
 
Remember that you need to configure the client to use the autoconfig
script if you want the direct access settings configured on the ISA
firewall to be applied.
 
HTH,
Tom
 
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 


________________________________

        From: Rob Moore [mailto:RMoore@xxxxxxxx] 
        Sent: Wednesday, December 07, 2005 10:18 AM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] Creating a custom HTTP protocol
        
        
        

        Hello all-- 

        I'm trying to allow traffic to a particular website that's
        getting blocked by the HTTP filter. To do this, some time ago I got
        advice on this list to "create a custom HTTP protocol def, and not bind
        it to the Web Proxy filter, then make sure that allows access only to
        the site that uses that protocol." I've tried doing that with no luck.
        I'm assuming I've not done it correctly. These are the steps I've taken:

        1. Created a user-defined protocol (HTTP Staples) for outbound
           traffic on Port 80.
        2. Did not check the Web Proxy application filter for this
           protocol (I have a feeling this is my error).
        3. Created a URL set for the website (http://www.staples.com/*).
        4. Created an access rule above the regular "access to external
           network" rule, that uses the custom protocol, and allows traffic from
           All Protected Networks to the Staples URL set for all users.

        It doesn't work. I still get the same error, "Blocked by the
        HTTP security filter: the response content is encoded and cannot be
        scanned". Where did I go wrong?

        Thanks, 
        Rob 

        -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 
        Rob Moore 
        Network Manager 
        215-241-7870 
        Help Desk: 800-500-AFSC 

        ------------------------------------------------------
        List Archives:
http://www.webelists.com/cgi/lyris.pl?enter=isalist
        ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
        ISA Server FAQ:
http://www.isaserver.org/pages/larticle.asp?type=FAQ
        ------------------------------------------------------
        Visit TechGenix.com for more information about our other sites:
        http://www.techgenix.com
        ------------------------------------------------------
        You are currently subscribed to this ISAserver.org Discussion
List as: tshinder@xxxxxxxxxxxxxxxxxx
        To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
        Report abuse to listadmin@xxxxxxxxxxxxx 
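
The Direct Access entries discussed in this thread reach the browser only through the autoconfig script, so it helps to see which hosts a `*.staples.com` entry actually sends direct. The following is an added illustration, not part of the original thread and not the script ISA itself generates: a simplified model of a proxy autoconfig function, where the proxy name, port and sample URLs are constructed placeholders and the `shExpMatch` stand-in exists only so the file runs outside a browser.

```javascript
// Simplified model of a proxy autoconfig (PAC) script; NOT ISA's generated script.
// Browsers supply shExpMatch() to PAC scripts. This stand-in mimics its
// shell-expression matching so the example runs in Node; omit it in a real PAC file.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")                  // shell '*' -> any run of characters
    .replace(/\?/g, ".");                  // shell '?' -> exactly one character
  return new RegExp("^" + re + "$", "i").test(str);
}

// The entry is the one quoted in the thread; the proxy name and port are
// constructed placeholders (assumption).
const DIRECT_NAMES = ["*.staples.com"];
const PROXY = "PROXY isa.example.internal:8080";

// Standard PAC entry point: DIRECT bypasses the Web proxy client settings,
// anything else is sent to the Web proxy listener.
function FindProxyForURL(url, host) {
  for (const pattern of DIRECT_NAMES) {
    if (shExpMatch(host, pattern)) return "DIRECT";
  }
  return PROXY;
}

// Report how each URL would be routed by the model above.
function routeTable(urls) {
  return urls.map((u) => ({
    url: u,
    route: FindProxyForURL(u, new URL(u).hostname),
  }));
}

// Constructed sample URLs.
const SAMPLE_URLS = [
  "http://www.staples.com/",
  "http://staples.com/",
  "http://www.example.com/",
];
for (const r of routeTable(SAMPLE_URLS)) {
  console.log(r.route.padEnd(34), r.url);
}
```

In this model a bare `staples.com` host does not match `*.staples.com` and still goes to the proxy, so checking each hostname a site uses against the direct-access list is a useful first step when requests keep landing on the general Web proxy rule.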
