RE: Web Client Requests

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 29 Jan 2006 20:24:45 -0600

We need an RSS for these articles :)

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> Sent: Sunday, January 29, 2006 8:14 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Web Client Requests
> 
> http://www.ISAserver.org
> 
> Like unto thusly:
> http://www.microsoft.com/technet/community/columns/sectip/st1205.mspx 
> 
> --------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> --------------------------------------------
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: Sunday, January 29, 2006 5:23 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Web Client Requests
> 
> http://www.ISAserver.org
> 
> Works for me! What security newsletter? A public or internal one?
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
>  
> 
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > Sent: Sunday, January 29, 2006 7:21 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Web Client Requests
> > 
> > http://www.ISAserver.org
> > 
> > ..maybe I should make this my next security newsletter offering right
> > after "ISA & 802.1Q - a marriage made in heaven"?
> > 
> > --------------------------------------------
> > Jim Harrison
> > MCP(NT4, W2K), A+, Network+, PCG
> > http://isaserver.org/Jim_Harrison/
> > http://isatools.org
> > Read the help / books / articles!
> > --------------------------------------------
> > 
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> > Sent: Sunday, January 29, 2006 5:10 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Web Client Requests
> > 
> > http://www.ISAserver.org
> > 
> >  BRAVO!!!! :))
> > 
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> > **Who is John Galt?**
> > 
> >  
> > 
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> > > Sent: Sunday, January 29, 2006 5:58 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Web Client Requests
> > > 
> > > http://www.ISAserver.org
> > > 
> > > Soitenny!
> > > (note that I had to trim the thread due to list size limits)
> > > 
> > > First, we'll cover the bare basics of WinInet and WinHTTP.
> > > 
> > > You'll have to put on your developer hat for this one, though cuz I'm
> > > about to "background" you a bunch...
> > > 
> > > First a couple of links from MSDN:
> > > WinInet:
> > > http://msdn.microsoft.com/library/en-us/wininet/wininet/portal.asp
> > > WinHTTP:
> > > http://msdn.microsoft.com/library/en-us/winhttp/http/winhttp_start_page.asp
> > > 
> > > The most generic term that can be applied to either WinInet or WinHTTP
> > > is "Internet library", since they both provide similar APIs for HTTP and
> > > FTP-over-HTTP traffic.  Unlike WinInet, WinHTTP has no support for
> > > direct FTP communications; you *must* use a CERN proxy to access FTP
> > > sites with WinHTTP; but enough of that...
> > > 
> > > You'll also hear wild rumors of other things such as XMLHTTP and
> > > ServerXMLHTTP, but these are just wrappers around WinInet and WinHTTP,
> > > respectively.  By the same token, neither of them should be confused
> > > with Winsock, which is another layer between them and the actual
> > > TCP/IP stack.
> > > 
> > > Basically, they all look sorta like this in the "grand scheme of things"
> > > (look out, Alexandre; more ASCII art for ya):
> > > 
> > > YourApplication.exe
> > >    |           |
> > > WinInet     WinHTTP
> > >    |___________|
> > >          |
> > >       Winsock <----> Firewall Client
> > >          |
> > >        TCP/IP
> > >          |
> > >        Yadda
> > > 
> > > WinInet
> > > - proxy configuration registry
> > > Policy:
> > > HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
> > > Default user:
> > > HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
> > > Interactive user:
> > > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
> > > System:
> > > HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
> > > 
> > > Which one of the above locations is used depends on whether or not an
> > > actual user account is in use (logged in or impersonated) and the
> > > setting of the ProxySettingsPerUser value.  If this is set to 0, then
> > > only the System default proxy settings will be used by WinInet-based
> > > applications.  Note that the proxy configuration used by IE is the
> > > default proxy configuration used by any other application that makes use
> > > of WinInet *unless* they explicitly change them as described in
> > > http://msdn.microsoft.com/library/en-us/wininet/wininet/setting_and_retrieving_internet_options.asp.
> > > 
> > > Unfortunately, if they only change them for the current session, there's
> > > no way you can determine this except via netcap analysis.
> > > 
> > > 
> > > WinHTTP
> > > - proxy config registry
> > > HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
> > >  
> > > As you can see (you can, can't you?), WinHTTP proxy configuration is
> > > simpler than WinInet because it uses only one location.  The preferred
> > > method of configuring WinHTTP proxy is via the use of ProxyCfg.exe, a
> > > tool written specifically to handle this task.  This KB addresses an
> > > updated version of the tool:
> > > http://support.microsoft.com/kb/830605/en-us.  WinHTTP does (almost)
> > > understand how to use the wpad script, but with limitations as outlined
> > > here:
> > > http://msdn.microsoft.com/library/en-us/winhttp/http/autoproxy_issues_in_winhttp.asp.
> > > 
> > > Using ProxyCfg, you have two options; direct or specific proxy.  Note
> > > that you don't get to specify "auto-" or "config URL".  What they don't
> > > tell you is that if there are no values stored here, WinHTTP will defer
> > > to the WinInet settings, which is why OL2K3 usually seems to "obey" IE
> > > configuration.  If WinInet is configured for wpad, then WinHTTP will use
> > > it, too.
> > > 
> > > WPAD
> > > While WinHTTP and WinInet both understand how to retrieve and consume
> > > the wpad script, the calling application can also instruct both to use
> > > either static proxy or wpad (called "autoproxy" by WinHTTP).  To answer
> > > your "SBS wpad" question, there is nothing special about the wpad
> > > package I built for SBS; the package merely takes advantage of the fact
> > > that this script is available via the Web Proxy listener as well as the
> > > auto-configuration listener.  IOW, nothing will change for this package
> > > when SP2 hits the streets.
> > > 
> > > GPO
> > > ..of course, GPO WinInet (IE) settings affect how and WinHTTP
> > > applications behave as well...
> > > 
> > > WTF?
> > > 
> > > The biggest question in anyone's mind is less likely to be "what does
> > > each do?", but more "how do I know when app <blah> is using one or the
> > > other?", or "how do I control the behavior of app <blah>?", or even
> > > "will you just get on with it?!?"  This is a toughie.
> > > 
> > > Determining library usage for app <blah>:
> > > The simplest thing I can recommend is that you learn to use
> > > winhttptracecfg.  This tool enables you to configure WinHTTP tracing so
> > > that you can not only determine what applications or services are using
> > > WinHTTP, you can also see what they're doing "on the wire".
> > > Instructions for use of this tool are found here:
> > > http://msdn.microsoft.com/library/en-us/winhttp/http/winhttptracecfg_exe__a_trace_configuration_tool.asp.
> > > My fav cmd-line is: Winhttptracecfg -e 1 -l c:\<TestName>.  This enables
> > > WinHTTP tracing and configures it to write to a file on C:\ with a
> > > filename starting with <TestName>, so that I have an idea what I was
> > > about when this file was written.  If this file gets created when I run
> > > my app, then I know it's using WinHTTP; otherwise, it's using WinInet or
> > > custom code (ew).  The only way you can see if an app is using WinInet
> > > is to either ask the developers or run it under a debugger and watch the
> > > system calls.  By default, WinHTTP tracing adds to the filename so that
> > > you know what process was being logged and the date/time of the start of
> > > the logging, as:
> > > "WinMedia-wmplayer.exe-1236.10.27.05.660-01.29.2006.LOG".  Since WinHTTP
> > > tracing creates a file "per-process", it's sometimes fun to enable
> > > WinHTTP tracing to see what things are happening on your system that you
> > > don't even know about.  Just remember to disable it or it'll run forever.
> > > 
> > > How do I control how app <blah> behaves?
> > > This is the real problem isn't it?  How can I make app (1) act as a web
> > > proxy client, but app (2) act as a SecureNET client, and app (3) act as
> > > a Firewall Client, all the while allowing app (4) to take nudie pictures
> > > of me while my webcam is broken (did I really say that out loud)?
> > > Unfortunately, there isn't a "one size fits all" answer because:
> > > - Not all applications are proxy-aware
> > > - Not all applications allow you any form of control over their behavior
> > > - Not all applications allow you the same level of control
> > > - Not all applications behave the same when configured as <blah>
> > > - Not all application developers have a freakin' clue how to write code
> > > that behaves properly
> > > 
> > > In general follow these guidelines:
> > > - use WinInet settings first - both WinInet and WinHTTP use these by
> > > default
> > > - use wpad whenever possible; if the applications can properly consume
> > > it, you get one-stop shopping for your proxy config
> > > - use system-level settings and disable per-user settings.  This can
> > > help keep the users from buggering themselves (unless app (4) is in
> > > use).
> > > - use proxycfg only when you've positively determined that the settings
> > > you created for app (1) don't adversely affect apps (2) through (4)
> > > (especially (4)).
> > > 
> > > Next entry in the thread == Java app.
> > > 
> > > --------------------------------------------
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://isaserver.org/Jim_Harrison/
> > > http://isatools.org
> > > Read the help / books / articles!
> > > --------------------------------------------
> > > 
> > 
> > > 
> > > 
> > 
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > jim@xxxxxxxxxxxx
> > To unsubscribe visit 
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> > 
> > All mail to and from this domain is GFI-scanned.
> > 
> > 
> > 
> > 
> 
> 
> 
> 
> 
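
The proxy lookup order described in Jim Harrison's quoted message above, as an added PowerShell example that is not part of the original thread. It assumes it is run by a logged-in user (so HKCU is the interactive user's hive); the value names ProxyEnable, ProxyServer and AutoConfigURL are standard WinInet values the message does not list, and the WinHttp key path is the one the message gives.

```powershell
# Added example (not from the thread): report which proxy settings WinInet and
# WinHTTP would pick up, following the lookup order described in the message.
# ProxyEnable, ProxyServer and AutoConfigURL are standard WinInet value names
# that the thread itself does not list.
$sub = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$locations = [ordered]@{
    'Interactive user' = "Registry::HKEY_CURRENT_USER\$sub"
    'Default user'     = "Registry::HKEY_USERS\.DEFAULT\$sub"
    'System'           = "Registry::HKEY_LOCAL_MACHINE\$sub"
}

# ProxySettingsPerUser = 0 forces WinInet onto the System settings only.
$policy  = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$perUser = (Get-ItemProperty -Path $policy -Name ProxySettingsPerUser -ErrorAction SilentlyContinue).ProxySettingsPerUser

# Assumption: the script runs as a logged-in user, so HKCU is that user's hive.
$winInetSource = if ($perUser -eq 0) { 'System' } else { 'Interactive user' }

# Dump the proxy-related values at every location and mark the one in effect.
$rows = foreach ($name in $locations.Keys) {
    $p = Get-ItemProperty -Path $locations[$name] -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Location      = $name
        WinInetUsesIt = ($name -eq $winInetSource)
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
    }
}
$rows | Format-Table -AutoSize

# WinHTTP has a single location; with no values stored there it defers to WinInet.
$winHttp = Get-Item -Path "Registry::HKEY_LOCAL_MACHINE\$sub\WinHttp" -ErrorAction SilentlyContinue
if (($null -ne $winHttp) -and ($winHttp.ValueCount -gt 0)) {
    'WinHTTP: own settings present (values: {0})' -f ($winHttp.GetValueNames() -join ', ')
} else {
    "WinHTTP: no values stored, defers to WinInet ($winInetSource)"
}
"ProxySettingsPerUser policy value: $(if ($null -eq $perUser) { 'not set' } else { $perUser })"
```

A per-user row that differs from the System row while the policy value is not 0 is a proxy setting that users can change for themselves.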

