RE: TCP/IP HTTP fault tolerant connection ending via ISA server

  • From: "David Farinic" <davidfa@xxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 2 Mar 2006 17:04:05 +0100

>Therefore it's not reasonable (or sane) to expect a "TCP mirror effect" at 
>both ends.

That is true.
The described case did not expect TCP/IP mirroring for HTTP from the ISA server.

A proxy server is free to stop data, postpone it, translate it, etc.

ISA Proxy reports connection errors (timeouts, 502, etc.) with its own pages, 
which are sent as full HTTP responses from the ISA server.

The problem happens when passing of data (data pumping) to the client has already 
started and a connection error occurs during the download:

ISA Proxy does not inform the client about the broken connection from the server, 
as it's not passing the same TCP/IP ending information, which has specific meaning 
for the HTTP protocol/applications (tested with netwatch (sniffer) in front of and 
behind the ISA server by killing the webserver process during the client's download).

Well, it is not a problem if we are aware of it.  
It would be nice if the proxy would try to *translate* the original webserver 
connection as much as possible, especially if it's creating problems for clients 
and it's expected.

Another small example:

At the office you download/save a zip file from the internet via ISA server onto 
your notebook; as you are in a hurry, you don't check/extract the documents stored 
in the downloaded zip file immediately.

On the airplane you try to extract crucial documents from the downloaded zip file... 
and oops... zip CRC checksum error...
Uhh, how could it happen...
Simple:
ISA didn't pass the connection error information at the end of the download before 
you saved it to disk. IE reported the file downloaded OK... so you felt safe not to 
recheck. IE would report to you immediately that the download broke if it weren't 
behind ISA server.
So ISA knew about the problem with this download but it didn't pass this info to 
you. So much for small RST/FIN differences.


Regards David Farinic.

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Thursday, March 02, 2006 3:49 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: TCP/IP HTTP fault tolerant connection ending via ISA 
server

http://www.ISAserver.org

Web proxy traffic is not a "TCP path through ISA" in the same way that 
SecureNET traffic is. Therefore it's not reasonable (or sane) to expect a "TCP 
mirror effect" at both ends.

If (as you describe) the client continues to send traffic on a half-closed 
connection, then the problem is at the client; not the proxy.

-----Original Message-----
From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx] 
Sent: Thursday, March 02, 2006 6:42 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: TCP/IP HTTP fault tolerant connection ending via ISA 
server

I'd like to corroborate, I observed this behaviour as well.

-----Original Message-----
From: David Farinic [mailto:davidfa@xxxxxxx] 
Sent: March 2, 2006 09:29
To: [ISAserver.org Discussion List]
Subject: [isalist] TCP/IP HTTP fault tolerant connection ending via ISA server


[WebServer] http connection-> Reset(RST) [ISA] ->FIN! [Web Client]

Observed consequences:

-When posting to web forums with HTTP POST and the reply from the webserver is
for some internet spaghetti reason broken, ISA gets the TCP/IP HTTP
connection ending with RST; ISA translates it to the web client behind
it as FIN... which leads to web clients believing they got the data
correctly, completely!

        On web forums this results in double posting (as users don't see
their reply).

-AV updating services might not update their signature databases on
time.

This might cause potential problem with web-services and other
communication utilizing HTTP protocol.

REASON: Web applications report wrong data retrieval only if the TCP/IP
connection carrying HTTP ends with a Reset (RST) packet.

WORKAROUND: adding data integrity checking into data/sub-protocol
utilizing http carrier.

Tested on ISA2k4 and ISA2k:

With Kind Regards David Farinic.
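
The workaround named above (integrity checking in the data carried over HTTP), as an added example that is not part of the original mails: a client-side check that does not trust a clean connection close as proof of completeness. The function name, the sample responses and the idea of a SHA-256 digest published out of band are assumptions made for illustration; chunked transfer encoding is not handled.

```python
import hashlib
import hmac
from typing import Optional


def check_download(raw: bytes, expected_sha256: Optional[str] = None) -> str:
    """Classify an HTTP response that was read until a clean close (FIN)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "truncated"                      # headers never finished
    headers = {}
    for line in head.split(b"\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()

    declared = headers.get(b"content-length")
    if declared is not None and len(body) != int(declared):
        return "truncated" if len(body) < int(declared) else "overlong"

    if expected_sha256 is not None:
        actual = hashlib.sha256(body).hexdigest()
        if not hmac.compare_digest(actual, expected_sha256.lower()):
            return "digest-mismatch"
        return "ok"
    # No length header and no digest: the close is the only end-of-body
    # signal, so a FIN that replaced an upstream RST cannot be detected.
    return "ok" if declared is not None else "unverifiable"


# Constructed sample data (not captured traffic).
PAYLOAD = b"PK\x03\x04" + b"constructed sample archive bytes " * 8
DIGEST = hashlib.sha256(PAYLOAD).hexdigest()    # assumed published out of band
FULL = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(PAYLOAD) + PAYLOAD
CUT = FULL[:-40]                                # upstream died mid-transfer
CLOSE_CUT = b"HTTP/1.0 200 OK\r\nConnection: close\r\n\r\n" + PAYLOAD[:-40]

if __name__ == "__main__":
    for label, raw, digest in [("full", FULL, DIGEST), ("cut", CUT, None),
                               ("close-delimited cut", CLOSE_CUT, None),
                               ("close-delimited cut + digest", CLOSE_CUT, DIGEST)]:
        print(f"{label}: {check_download(raw, digest)}")
```

The close-delimited case is the one the thread describes: without a declared length or a digest, the client has nothing but the way the connection ended to go on.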



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
gauthiera@xxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
