Thanks Jim!

Sent from my iPhone

Jason Jones | Forefront MVP | Principal Security Consultant | Silversands Limited | Desk: +44 (0)1202 360489 | Mobile: +44 (0)7971 500312 | Email/MSN: jason.jones@xxxxxxxxxxxxxxxxx

On 25 Jun 2010, at 16:58, "Jim Harrison" <jim@xxxxxxxxxxxx> wrote:

http://jim.isatools.org/tools/block_hcp.vbs

It works on ISA 2004, ISA 2006, TMG MBE and TMG 2010.

It creates HTTP Signatures in any access rule that includes HTTP. These signatures are:

HCP-1: Search in: Response body, Format: Text, Byte range: 1 – 100, Pattern: hcp://
HCP-2: Search in: Response body, Format: Text, Byte range: 1 – 100, Pattern: hcp%3A%2F%2F
HCP-3: Search in: Response body, Format: Text, Byte range: 1 – 100, Pattern: hcp%253A%252F%252F
HCP-4: Search in: Response headers, HTTP header: location, Pattern: hcp://
HCP-5: Search in: Response headers, HTTP header: location, Pattern: hcp%3A%2F%2F
HCP-6: Search in: Response headers, HTTP header: location, Pattern: hcp%253A%252F%252F

No, it doesn’t find all permutations of this URL, but most attacks aren’t mounted using all permutations, either. This will find and reject all HTTPS responses that use these most common forms. If you combine this with HTTPS Inspection on TMG, your protection is that much better.

Jim
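Added example, not part of the thread and not taken from block_hcp.vbs: a small Python model of the six signatures listed above, useful for checking which signature a captured response would trip before relying on the rule. The function name, the sample responses, the case-sensitive substring comparison and the case-insensitive header-name lookup are assumptions made for this sketch.

```python
from urllib.parse import quote

SCHEME = "hcp://"
# The three patterns above are the scheme raw, URL-encoded once, and URL-encoded twice.
ONCE = quote(SCHEME, safe="")    # hcp%3A%2F%2F
TWICE = quote(ONCE, safe="")     # hcp%253A%252F%252F
PATTERNS = [SCHEME, ONCE, TWICE]
BODY_WINDOW = 100                # "Byte range: 1 - 100" in HCP-1..HCP-3


def matching_signatures(headers, body):
    """Return the names of the HCP-1..HCP-6 signatures this response would trip.

    headers: dict of response header name -> value
    body:    response body as bytes
    """
    hits = []
    window = body[:BODY_WINDOW]
    # HCP-1..HCP-3: search the first 100 bytes of the response body
    for number, pattern in enumerate(PATTERNS, start=1):
        if pattern.encode("ascii") in window:
            hits.append(f"HCP-{number}")
    # HCP-4..HCP-6: search the Location response header
    location = next(
        (value for name, value in headers.items() if name.lower() == "location"), ""
    )
    for number, pattern in enumerate(PATTERNS, start=4):
        if pattern in location:
            hits.append(f"HCP-{number}")
    return hits


# Constructed sample responses (placeholder hosts, not real traffic)
SAMPLES = {
    "body, raw": ({"Content-Type": "text/html"}, b"<a href='hcp://placeholder'>"),
    "body, double-encoded": ({}, b"<a href='hcp%253A%252F%252Fplaceholder'>"),
    "redirect, encoded once": ({"Location": "hcp%3A%2F%2Fplaceholder"}, b""),
    "benign redirect": ({"Location": "https://example.invalid/help"}, b"<html>ok</html>"),
}

if __name__ == "__main__":
    for label, (headers, body) in SAMPLES.items():
        print(f"{label}: {matching_signatures(headers, body) or 'no match'}")
```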