That's exactly what I'm saying. Take a look at a couple of the log fields: "0x20000000 0x400" - 0x20000000 == Cache Information. This value is listed in the help as "response includes Transfer-Encoding header" - 0x400 == Error Information. This resolves to a value of 1024 In order to get around this, you need to: 1. create a URL or Domain Set and populate it with sites that you know send encoded or compressed content 2. create an access rule that uses those sets and specify NO HTTP Filtering (leave the defaults). ..or maybe Wayne's toy can help? ------------------------------------------------------- Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! ------------------------------------------------------- -----Original Message----- From: Paul Crisp [mailto:PCrisp@xxxxxxxxxxxxxxxxx] Sent: Friday, March 18, 2005 07:38 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Wierd HTTP Filter Message - ISA 2004 http://www.ISAserver.org Err..... Jim are you saying that ISA will just block and nothing can be done? Here is the log of the offending request Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL Destination Host Name Referring Server Original Client IP Client Agent Authenticated Client Service Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Server Name 3/18/2005 3:03:49 PM 155.72.131.30 80 http Denied Connection Unrestricted Internet Access 192.1.1.185 anonymous Internal External GET http://actuate.starwoodhotels.com/prpt/servlet/ViewPage?outputname=%2fPr od%2fMPAR%2fGroupDelegate%2eroi&connectionHandle=s7whmBpUho%2btg5MUYUgZx qVGrbtKHLkAq7RmnwSbegyRYEMWxKREm0pEgUAaXCZHB8MitCEgK4yuJ7epqU2xAKOcBr5dI 1oOwTijJCY3jas6vquzWp23h11juowAYBHGtUZ actuate.starwoodhotels.com - 0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.0 No Proxy TCP text/html Internet Blocked by the HTTP security filter: the response content is encoded and cannot be scanned 0 611 4349 1305 12217 The request was rejected by the HTTP filter. Contact your ISA Server administrator. 0x20000000 0x400 Web Proxy Filter MBUKISA02 Paul Crisp Snr Network Support Analyst Telephone: 020 7 827 5201 Email: pcrisp@xxxxxxxxxxxxxxxxx -----Original Message----- From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] Sent: 18 March 2005 14:18 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Wierd HTTP Filter Message - ISA 2004 http://www.ISAserver.org Must Read All Of Article... Note When an HTTP filter configuration contains signature or execution matching, and the response is encoded, ISA Server 2004 sends an error page instead of the original response. In the error page, we specify that the response was rejected by an HTTP filter. The "Filter Info" log field contains the following message: Blocked by the HTTP security filter: the response content is encoded and cannot be scanned. If ISA Server 2004 removes the "Accept-Encoding" header, but the server still returns encoded content, then ISA Server 2004 blocks such responses. IOW, if the server insists on sending encoded content even when ISA strips the accept-encoding header, ISA blocks it. You'll need to get a capture of this event to verify that this is what's happening. -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] Sent: Friday, March 18, 2005 2:54 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Wierd HTTP Filter Message - ISA 2004 http://www.ISAserver.org Hi Paul, http://support.microsoft.com/default.aspx?scid=kb;en-us;838365 HTH, Tom www.isaserver.org/shinder <http://www.isaserver.org/shinder> Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> MVP -- ISA Firewalls ________________________________ From: Paul Crisp [mailto:PCrisp@xxxxxxxxxxxxxxxxx] Sent: Friday, March 18, 2005 4:47 AM To: [ISAserver.org Discussion List] Subject: [isalist] Wierd HTTP Filter Message - ISA 2004 http://www.ISAserver.org Got a user accessing a perfectly good hotel site (he's the conference manager, not ya normal user browsing for sun, sea, sand and xxx).... Anyway I digress, so on the site the Conference Manager can view a report for on of our conferences that tells him which of our customers has booked a room in the hotel and basically gets a website saying that ISA blocked the site because of the HTTP filter. I have checked the logs and found the following error message: Blocked by the HTTP security filter: the response content is encoded and cannot be scanned Error number is 0xd80 The URL is fairly long also How can I allow access to this site, and also bypass this message? Paul Crisp Snr Network Support Analyst Telephone: 020 7 827 5201 Email: pcrisp@xxxxxxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: pcrisp@xxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: World of Windows Networking: http://www.windowsnetworking.com Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx All mail to and from this domain is GFI-scanned.