[isalist] Re: Uploads to Facebook don't work anymore...

  • From: D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR <DPietruszka@xxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 2 Dec 2009 07:56:41 -0500

It is hard to have it working correctly but when you have it, is a good 
product, believe me, I'm using it since several years ago.
The easiest way to see if websense is your problem, since your uploader cannot 
show the message blocking messages, is to do a network capture as Jim said, and 
you will see the connection to the websense service on the right port right 
away. Another way is to use the logmonitor on websense server while testing the 
uploading (which is believe is a waste of money ;-) , sorry I had to add the 
comment).

That happen to me several times, when you are using a none HTTP browser, so you 
app failed without any apparent reason, and we always forgot the monitoring 
options on websense.

Regards
Diego R. Pietruszka

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ball, Dan
Sent: Wednesday, December 02, 2009 7:36 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

Thanks, that clears it up a bit, now I know what to look for.  Yes, we are 
using authentication on outbound traffic and I have a strong suspicion that 
Websense has something to do with this issue.  We are becoming less enamored 
with it daily, and I have spent countless hours with their tech support in the 
last few weeks.


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Wednesday, December 02, 2009 1:04 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

No; there is no rule allowing the request as specified.
Don't worry about rules that disallow specific commands or headers; you would 
see those rules quoted.
The protocol quoted is in lowercase, which indicates a CERN proxy request.
Are you forcing authentication on the outbound traffic?
The request is not coming from the browser, but the "image uploader", which may 
have authentication issues (cant' tell from a single log entry).
A Netmon capture could tell you...

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ball, Dan
Sent: Tuesday, December 01, 2009 11:52 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

I can see that... There is no rule allowing http from localhost to localhost so 
it fails (somehow I don't think such a rule would resolve the issue though).   
Subsequent Googling on those topics didn't shed any light on it either.  Is 
this a Facebook App error or something on my end?


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Tuesday, December 01, 2009 1:16 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

The destination IP will be the ISA internal IP, because this is a CERN proxy 
request.
Regardless, this request was denied because there is no firewall policy that 
would allow it (thus quoting the default rule).

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of 
Ball, Dan [DBall@xxxxxxxxxxx]
Sent: Tuesday, December 01, 2009 7:22 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...
Hmmmmmm..... I don't see anything changed on the Internal Network configuration 
(same it has been for months), and that destination IP is the ISA server itself.


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Tuesday, December 01, 2009 10:16 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

The request was denied by the default rule; indicating that you have no policy 
that allows this request.
Interestingly enough, the request was identified as being destined for the 
"internal" network.
This tells me that unless you deployed ISA in a single-net configuration you or 
someone you shouldn't trust has been playing with the internal network 
definition.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ball, Dan
Sent: Tuesday, December 01, 2009 6:50 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

Oh, I agree, that is only the tip of that looming iceberg... But, like I said, 
my obvious answer to "do it from home" wasn't acceptable, so I have to figure 
out how to get it working again... *sigh*


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of D PIETRUSZKA USWRN INTERLINK INFRA SHIFT MGR
Sent: Tuesday, December 01, 2009 9:45 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Uploads to Facebook don't work anymore...

The fact that ISA or something else is not allowing the upload don't worry me 
too much, what is incredible here is:

Do the taxpayer on your school district knows that the school district is using 
money for somebody to be able to upload pictures to facebook? amazing

Regards
Diego R. Pietruszka
MIS - Shift Manager

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ball, Dan
Sent: Tuesday, December 01, 2009 9:27 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Uploads to Facebook don't work anymore...

In the last couple of weeks, something changed (no idea what), and now people 
inside our network can no longer upload pictures to Facebook.  The upload 
application seems to be working, then crashes at the end.   (Of course, the 
obvious solution of doing it from home is unacceptable... *grumble*)

I looked on the ISA server (ISA 2006), and this is the error message where it 
dies:

Original Client IP               Client Agent       Authenticated Client      
Service Server Name     Referring Server               Destination Host Name    
     Transport            MIME Type         Object Source   Source Proxy     
Destination Proxy            Bidirectional                Client Host Name      
       Filter Information            Network Interface          Raw IP Header  
Raw Payload      GMT Log Time      Source Port        Processing Time           
    Bytes Sent          Bytes Received Result Code        HTTP Status Code      
          Cache Information          Error Information             Log Record 
Type               Authentication Server   Log Time                Destination 
IP    Destination Port               Protocol               Action   Rule       
Client IP               Client Username                Source Network           
    Destination Network      HTTP Method    URL
0.0.0.0   Image Uploader               Yes         Proxy    SERVERNAME    
http://www.facebook.com/editalbum.php?&aid=349361&add=1&created=1#           
10.20.1.10            TCP                                        -              
-                              -              Req ID: 0e8e449f             -    
          -              -              12/1/2009 2:12:02 PM    0              
1              4310       639014                  12202 The ISA Server denied 
the specified Uniform Resource Locator (URL).    0x4         0xa80    Web Proxy 
Filter                              12/1/2009 9:12:02 AM         10.20.1.1      
        8080       http       Denied Connection         Default rule        
10.20.6.117         DOMAIN\username                Internal                
Internal                POST     
http://upload.facebook.com/photos_upload.php?created_album=1&aid=349361&id=504175590

The traffic is hitting the default rule for some reason (which is why it is 
dying), but the protocol is http, which "should" be able to make it through.

--------------------------------------------------
Dan Ball
Network and Systems Technician
Marquette Area Public Schools
1103 West College Avenue
Marquette, MI 49855
E-Mail: dball@xxxxxxxxxxx<UrlBlockedError.aspx>
Phone: (906)225-5779
Fax: (906)225-5377
--------------------------------------------------

Other related posts:

  1. Home
  2. isalist
  3. Archive
  4. 12-2009