RE: Wierd HTTP Filter Message - ISA 2004

  • From: "Wayne Berry" <wayne@xxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 18 Mar 2005 08:27:49 -0800

Oh ya, I just woke up here, yes XCompress for ISA 2004
(http://www.xcache.com) will solve this issue.  Couple of question:

1) How did you get a compressed response?  Natively, ISA 2004 strips the
request header that "tells" web servers to send compressed response.  So you
shouldn't get a compressed response unless there is a server out there on
overdrive that is compressing everything it returns.

2) So, do you know what server is sending you the response?  Are you in
charge of that server?

-Wayne
The ISAPI Dev Lurking on the ISA Admin List

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Friday, March 18, 2005 8:24 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Wierd HTTP Filter Message - ISA 2004

http://www.ISAserver.org

Your compression toy.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: Wayne Berry [mailto:wayne@xxxxxxxxxx] 
Sent: Friday, March 18, 2005 08:06
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Wierd HTTP Filter Message - ISA 2004

http://www.ISAserver.org

Which Toy, the one that trap's exceptions and creates .dmp on ISA?  Or
the
one that restarts Dead ISA Services?

Kind Regards,
Wayne Berry
Santa's ISA Elf

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Friday, March 18, 2005 7:59 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Wierd HTTP Filter Message - ISA 2004

http://www.ISAserver.org

That's exactly what I'm saying.
Take a look at a couple of the log fields: "0x20000000  0x400"
- 0x20000000 == Cache Information.  This value is listed in the help as
"response includes Transfer-Encoding header"
- 0x400 == Error Information.  This resolves to a value of 1024

In order to get around this, you need to:
1. create a URL or Domain Set and populate it with sites that you know
send encoded or compressed content
2. create an access rule that uses those sets and specify NO HTTP
Filtering (leave the defaults).

..or maybe Wayne's toy can help?

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 
-----Original Message-----
From: Paul Crisp [mailto:PCrisp@xxxxxxxxxxxxxxxxx] 
Sent: Friday, March 18, 2005 07:38
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Wierd HTTP Filter Message - ISA 2004

http://www.ISAserver.org

Err.....

Jim are you saying that ISA will just block and nothing can be done?
Here is the log of the offending request

Log Time        Destination IP  Destination Port        Protocol
Action  Rule    Client IP       Client Username Source Network
Destination Network     HTTP Method     URL     Destination Host Name
Referring Server        Original Client IP      Client Agent
Authenticated Client    Service Transport       MIME Type       Object
Source  Source Proxy    Destination Proxy       Bidirectional   Client
Host Name       Filter Information      Network Interface       Raw IP
Header  Raw Payload     Source Port     Processing Time Bytes Sent
Bytes Received  Result Code     HTTP Status Code        Cache
Information     Error Information       Log Record Type Server Name
3/18/2005 3:03:49 PM    155.72.131.30   80      http    Denied
Connection      Unrestricted Internet Access    192.1.1.185
anonymous       Internal        External        GET
http://actuate.starwoodhotels.com/prpt/servlet/ViewPage?outputname=%2fPr
od%2fMPAR%2fGroupDelegate%2eroi&connectionHandle=s7whmBpUho%2btg5MUYUgZx
qVGrbtKHLkAq7RmnwSbegyRYEMWxKREm0pEgUAaXCZHB8MitCEgK4yuJ7epqU2xAKOcBr5dI
1oOwTijJCY3jas6vquzWp23h11juowAYBHGtUZ  actuate.starwoodhotels.com
-       0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)
Opera 8.0       No      Proxy   TCP     text/html       Internet
Blocked by the HTTP security filter: the response content is encoded and
cannot be scanned                               0       611     4349
1305            12217 The request was rejected by the HTTP filter.
Contact your ISA Server administrator.  0x20000000      0x400   Web
Proxy Filter    MBUKISA02

Paul Crisp
Snr Network Support Analyst

Telephone: 020 7 827 5201
Email: pcrisp@xxxxxxxxxxxxxxxxx

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: 18 March 2005 14:18
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Wierd HTTP Filter Message - ISA 2004

http://www.ISAserver.org

Must
Read 
All
Of 
Article...

Note When an HTTP filter configuration contains signature or execution
matching, and the response is encoded, ISA Server 2004 sends an error
page instead of the original response. In the error page, we specify
that the response was rejected by an HTTP filter. The "Filter Info" log
field contains the following message:

Blocked by the HTTP security filter: the response content is encoded and
cannot be scanned.

If ISA Server 2004 removes the "Accept-Encoding" header, but the server
still returns encoded content, then ISA Server 2004 blocks such
responses.

IOW, if the server insists on sending encoded content even when ISA
strips the accept-encoding header, ISA blocks it.

You'll need to get a capture of this event to verify that this is what's
happening.

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Friday, March 18, 2005 2:54 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Wierd HTTP Filter Message - ISA 2004

http://www.ISAserver.org

Hi Paul,
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;838365
 
HTH,
 
Tom
www.isaserver.org/shinder <http://www.isaserver.org/shinder> 
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
MVP -- ISA Firewalls

 

________________________________

From: Paul Crisp [mailto:PCrisp@xxxxxxxxxxxxxxxxx] 
Sent: Friday, March 18, 2005 4:47 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Wierd HTTP Filter Message - ISA 2004


http://www.ISAserver.org


Got a user accessing a perfectly good hotel site (he's the conference
manager, not ya normal user browsing for sun, sea, sand and xxx)....
Anyway I digress, so on the site the Conference Manager can view a
report for on of our conferences that tells him which of our customers
has booked a room in the hotel and basically gets a website saying that
ISA blocked the site because of the HTTP filter.

I have checked the logs and found the following error message: 

Blocked by the HTTP security filter: the response content is encoded and
cannot be scanned

Error number is 0xd80

The URL is fairly long also

How can I allow access to this site, and also bypass this message?

Paul Crisp

Snr Network Support Analyst

Telephone: 020 7 827 5201

Email: pcrisp@xxxxxxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx 

All mail to and from this domain is GFI-scanned.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
pcrisp@xxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
wayne@xxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
wayne@xxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

Other related posts:

  1. Home
  2. isalist
  3. Archive
  4. 03-2005