• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

HTTP Filter Missing ISA2006 SP1

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Firewall] >> Access Policies >> HTTP Filter Missing ISA2006 SP1 Page: [1]
Login
Message << Older Topic   Newer Topic >>
HTTP Filter Missing ISA2006 SP1 - 7.Aug.2008 10:17:57 AM   
TheAA

 

Posts: 1
Joined: 7.Aug.2008
Status: offline
Wondering if anyone else has come across this problem.

I have a number of access rules allowing certain objects access to the Internet (HTTP & HTTPS). However, I've noticed a while back that the Configure HTTP context is missing from the rule if you right click it. I knew that SP1 was due out soon so I thought I'd wait for that as I couldn't find anything out of place on the configuration.

Since SP1 came out I still cannot access the HTTP Filter area and I've now performed a repair and then a re-install to see if there was a registry entry that was perhaps corrupt. This has made no difference.

Anyone ever come across this before?

OS - Windows 2003 Ent R2
ISA 2006 SP1
Post #: 1
RE: HTTP Filter Missing ISA2006 SP1 - 7.Aug.2008 12:31:57 PM   
IanC

 

Posts: 338
Joined: 11.Jul.2007
From: UK
Status: offline
It is likely that the Web Proxy filter has been removed from the HTTP Protocol definition.  If so, you will have to enable it again in order to modify HTTP filtering for the rule.  However, you may want to disable it again when you're through as it will have been disabled for a reason.

Ian

_____________________________

Ian Currie

nAppliance TMG/UAG Appliances - EMEA
www.surefront.co.uk

(in reply to TheAA)
Post #: 2
RE: HTTP Filter Missing ISA2006 SP1 - 7.Aug.2008 3:48:54 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
By disabling it again, won't this prevent the new HTTP filter settings from working though?

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to IanC)
Post #: 3
RE: HTTP Filter Missing ISA2006 SP1 - 7.Aug.2008 4:04:01 PM   
ferrix

 

Posts: 547
Joined: 16.Mar.2005
Status: offline
I've seen a lot of cases where the WPF was removed from HTTP protocol and the customer had no idea why and it was not intentional.  A lot of times people just poke at settings randomly when troubleshooting some problem, and do not restore everything to its previous state after they're done.

Sometimes people disable the http filter because one of its unchangeable restrictions has blocked traffic they need to allow, but that's very unfortunate.  It's turning off A LOT of security just to solve one little thing.  It'd be far better to either tweak the app causing the traffic block, or use IsaScript or some other filter to make the traffic compatible with the built-in http filter.

(in reply to Jason Jones)
Post #: 4
RE: HTTP Filter Missing ISA2006 SP1 - 7.Aug.2008 4:11:24 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: ferrix

I've seen a lot of cases where the WPF was removed from HTTP protocol and the customer had no idea why and it was not intentional.  A lot of times people just poke at settings randomly when troubleshooting some problem, and do not restore everything to its previous state after they're done.

Sometimes people disable the http filter because one of its unchangeable restrictions has blocked traffic they need to allow, but that's very unfortunate.  It's turning off A LOT of security just to solve one little thing.  It'd be far better to either tweak the app causing the traffic block, or use IsaScript or some other filter to make the traffic compatible with the built-in http filter.


I think a lot of people turn it off globally when an application tries to use a non-HTTP protocol over port 80. I guess they don't realise that you can create your own port 80 protocol, unbind the filter and they create a specific rule for this procotol to get around the issue...this probably isn't obvious to new ISA admins.

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to ferrix)
Post #: 5
RE: HTTP Filter Missing ISA2006 SP1 - 7.Aug.2008 5:42:35 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Jason,

quote:

I think a lot of people turn it off globally when an application tries to use a non-HTTP protocol over port 80. I guess they don't realise that you can create your own port 80 protocol, unbind the filter and they create a specific rule for this procotol to get around the issue...this probably isn't obvious to new ISA admins.

Cheers

JJ


This not work very well actually. In my case, I have an application that is acessed from 80 port (non-standard http), to access it must be a clean connection (no application filters, ie web proxy filter), because this connection is using some kind of encryption and does not work if we use web proxy filter.

I tried to do what you just said and did not work. Thereīs an post about it in Forefront teamīs blog for ISA 2004. (Why do I need a deny rule to make an allow rule for a custom protocol work correctly?)
For the comments and what Iīve tested, it does not work for ISA 2006.

Do you know how to fix it up? Just because of this single application I have to disable the web proxy filter.

Regards,
Paulo Oliveira.

(in reply to Jason Jones)
Post #: 6
RE: HTTP Filter Missing ISA2006 SP1 - 7.Aug.2008 5:56:25 PM   
ferrix

 

Posts: 547
Joined: 16.Mar.2005
Status: offline
quote:

In addition, all the rules for the overlapped protocols in the ordered list of rules are processed, their secondary connections are added to the session, and the application filters associated with them are invoked until an access rule that denies traffic is encountered


Can anyone expound on that?  It seems very counter-intuitive/weird.

(in reply to paulo.oliveira)
Post #: 7
RE: HTTP Filter Missing ISA2006 SP1 - 7.Aug.2008 6:29:09 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: paulo.oliveira

Hi Jason,

quote:

I think a lot of people turn it off globally when an application tries to use a non-HTTP protocol over port 80. I guess they don't realise that you can create your own port 80 protocol, unbind the filter and they create a specific rule for this procotol to get around the issue...this probably isn't obvious to new ISA admins.

Cheers

JJ


This not work very well actually. In my case, I have an application that is acessed from 80 port (non-standard http), to access it must be a clean connection (no application filters, ie web proxy filter), because this connection is using some kind of encryption and does not work if we use web proxy filter.

I tried to do what you just said and did not work. Thereīs an post about it in Forefront teamīs blog for ISA 2004. (Why do I need a deny rule to make an allow rule for a custom protocol work correctly?)
For the comments and what Iīve tested, it does not work for ISA 2006.

Do you know how to fix it up? Just because of this single application I have to disable the web proxy filter.

Regards,
Paulo Oliveira.


This approach has worked for me many a time, but maybe it is application specific. A recent example is a product called Patchlink which uses port 80 but seems to use non-standard HTTP usage and was hence being blocked by the WPF. Creating the rule (as per the blog) solved the problem for me and I didn't need to create any deny rules at all. I kinda understand the blog, but maybe it isn't always the case??? It is weird! Maybe I got it wrong, but the application definitely starting working after creating the custom rule and protocol.

Disabling WPF completely is just not an option for me and I could never do this for a customer - maybe I have been lucky and never come across an application that just refused when using the above procedure...

Cheers

JJ

< Message edited by Jason Jones -- 7.Aug.2008 6:32:14 PM >


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to paulo.oliveira)
Post #: 8
RE: HTTP Filter Missing ISA2006 SP1 - 8.Aug.2008 6:45:03 AM   
IanC

 

Posts: 338
Joined: 11.Jul.2007
From: UK
Status: offline
quote:

ORIGINAL: Jason Jones

By disabling it again, won't this prevent the new HTTP filter settings from working though?


Don't forget, for Web Proxy clients, the HTTP filter will continue to do its job regardless of whether the Web Proxy filter is bound to the HTTP protocol.

Cheers

Ian 

_____________________________

Ian Currie

nAppliance TMG/UAG Appliances - EMEA
www.surefront.co.uk

(in reply to Jason Jones)
Post #: 9
RE: HTTP Filter Missing ISA2006 SP1 - 8.Aug.2008 6:51:54 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: IanC

quote:

ORIGINAL: Jason Jones

By disabling it again, won't this prevent the new HTTP filter settings from working though?


Don't forget, for Web Proxy clients, the HTTP filter will continue to do its job regardless of whether the Web Proxy filter is bound to the HTTP protocol.

Cheers

Ian 


What about reverse publishing rules which use the HTTP filter?

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to IanC)
Post #: 10
RE: HTTP Filter Missing ISA2006 SP1 - 8.Aug.2008 7:46:02 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,
quote:


quote:



ORIGINAL: IanC

quote:



ORIGINAL: Jason Jones

By disabling it again, won't this prevent the new HTTP filter settings from working though?


Don't forget, for Web Proxy clients, the HTTP filter will continue to do its job regardless of whether the Web Proxy filter is bound to the HTTP protocol.

Cheers

Ian 


What about reverse publishing rules which use the HTTP filter?


Iīm actually worried about this. I can still use the Configure HTTP context in my access rules (even after deassing web proxy filter from HTTP), but cannot in my web publishing rules.
Is this a normal behaviour or could not use it on any rule?

Regards,
Paulo Oliveira.

(in reply to Jason Jones)
Post #: 11
RE: HTTP Filter Missing ISA2006 SP1 - 8.Aug.2008 9:25:18 AM   
IanC

 

Posts: 338
Joined: 11.Jul.2007
From: UK
Status: offline
That is odd Paulo. 

I'm testing this on ISA 2006 pre-SP1 and everythings looks fine.  When I unbind the Web Proxy Filter, I lose the Configure HTTP option for access rules and publishing rules.  Also, the HTTP filter continues to function properly in both reverse and forward proxy scenarios.

Ian

_____________________________

Ian Currie

nAppliance TMG/UAG Appliances - EMEA
www.surefront.co.uk

(in reply to paulo.oliveira)
Post #: 12
RE: HTTP Filter Missing ISA2006 SP1 - 8.Aug.2008 10:38:56 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: IanC

That is odd Paulo. 

I'm testing this on ISA 2006 pre-SP1 and everythings looks fine.  When I unbind the Web Proxy Filter, I lose the Configure HTTP option for access rules and publishing rules.  Also, the HTTP filter continues to function properly in both reverse and forward proxy scenarios.

Ian


Cool...wouldn't have expected that, but good news! 

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to IanC)
Post #: 13
RE: HTTP Filter Missing ISA2006 SP1 - 8.Aug.2008 11:02:32 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi Ian,

I thought it too. Iīm still using ISA without SP1.

But great to know the filters are still apllying.

Regards,
Paulo Oliveira.

(in reply to IanC)
Post #: 14

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Firewall] >> Access Policies >> HTTP Filter Missing ISA2006 SP1 Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts