Between snow days and other stuff, it's taken me a while to get this fully tested. Now I'm getting access to the Staples website to work, but in a rather quirky way. In addition to the four steps I originally mentioned below, I've now also configured the site for direct access. (To do this I opened the Internal network, went to the Web Browser tab, and made an entry for Staples--*.staples.com--in the "Directly access these servers or domains" section.) I've configured my computer to use the autoconfig script. I've tried accessing the Staples website both with and without the Firewall Client software installed. Behavior is the same either way. What happens now is when I try to access the Staples website I get the usual error (actually, it's slightly different--now instead of getting the official ISA orange/yellow one that had more detail, now I get a much more generic-looking one, but with the same essential error: "Error Code: 500 Internal Server Error. The request was rejected by the HTTP filter"). If I then put the address back into the address bar, I connect to the Staples website no problem. When I look at the logs, all the entries for my attempted access go through my generic "access to the Internet" rule--the one that allows most web traffic to most people. None of the traffic is being looked at by my new "access to Staples" rule, which is above the generic rule. I do get a few "Access Denied" entries (Blocked by the HTTP security filter: the response content is encoded and cannot be scanned). Any thoughts about what might be going on now? Thanks, Rob ________________________________ From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Wednesday, December 07, 2005 11:27 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Creating a custom HTTP protocol http://www.ISAserver.org Hi Rob, You also have to configure the site for Direct Access, since Web proxy clients will always be Web proxy filter clients. The Direct Access config will bypass the Web proxy client config and enable the Firewall client to handle the connection. And since the Web proxy filter is unbound from the HTTP protocol, the Firewall client connection won't be passed up to the filter. Remember that you need to configure the client to use the autoconfig script if you want the direct access settings configured on the ISA firewall to be applied. HTH, Tom Thomas W Shinder, M.D. Site: www.isaserver.org <http://www.isaserver.org/> Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA Firewalls **Who is John Galt?** ________________________________ From: Rob Moore [mailto:RMoore@xxxxxxxx] Sent: Wednesday, December 07, 2005 10:18 AM To: [ISAserver.org Discussion List] Subject: [isalist] Creating a custom HTTP protocol http://www.ISAserver.org Hello all-- I'm trying to allow traffic to a particular website that's getting blocked by the HTTP filter. To do this, sometime ago I got advice on this list to "create a custom HTTP protocol def, and not bind it to the Web Proxy filter, then make sure that allows access only to the site that uses that protocol." I've tried doing that with no luck. I'm assuming I've not done it correctly. These are the steps I've taken: 1. Created a user-defined protocol (HTTP Staples) for outbound traffic on Port 80. 2. Did not check the Web Proxy application filter for this protocol (I have a feeling this is my error). 3. Created a URL set for the website (http://www.staples.com/* <http://www.staples.com/*> ). 4. Created an access rule above the regular "access to external network" rule, that uses the custom protocol, and allows traffic from All Protected Networks to the Staples URL set for all users. It doesn't work. I still get the same error, "Blocked by the HTTP security filter: the response content is encoded and cannot be scanned". Where did I go wrong? Thanks, Rob -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Rob Moore Network Manager 215-241-7870 Help Desk: 800-500-AFSC ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: rmoore@xxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx