Welcome to ISAserver.org

ISA 2006 leak internal IP address

ISA 2006 leak internal IP address - 6.Nov.2009 5:09:30 AM   
frankt
Posts: 3
Joined: 6.Nov.2009
Status: offline
Hi, I've searched for an answer everywhere but so far found nothing.

We are publishing a web server and redirecting http access to https.

However, if you connect (e.g. telnet) to the ISA server on port 80 and issue
GET / HTTP/1.0

you get a 302 Object Moved redirect with a location header of
Location: https://internal_IP_address/

Does anyone know how I can prevent the leak of the internal IP address? I've fixed similar issues from an IIS angle where you can use an IIS admin script to set either usehostname or sethostname. But I don't see how I can apply this to an ISA server.

Many thanks

Frank
Post #: 1
RE: ISA 2006 leak internal IP address - 6.Nov.2009 7:23:28 AM   
Jason Jones
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
You may be able to do this with the HTTP filter.

This concept may help:

http://tmgblog.richardhicks.com/2009/03/27/using-the-isa-http-filter-to-modify-via-headers-and-prevent-information-disclosure/

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to frankt)
Post #: 2
RE: ISA 2006 leak internal IP address - 6.Nov.2009 7:52:28 AM   
frankt
Posts: 3
Joined: 6.Nov.2009
Status: offline
Hi... thanks for that. I did look at the http filter and thought that the only chance I had was on the signatures tab and trying to block it there. However nothing I tried seemed to make any difference.
I wondered whether it was because the response was coming from ISA itself rather than the site being proxied; perhaps it wasn't intercepting at the right point. I believe that the redirect (which includes the IP address) is being inserted by ISA.
FWIW, I am using the http filter to block the web server header which is working fine.

Can anyone else confirm that they get the same response from ISA in the given scenario?

Thanks again

(in reply to Jason Jones)
Post #: 3
RE: ISA 2006 leak internal IP address - 6.Nov.2009 4:05:17 PM   
richardhicks
Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
Hi Frank,

The LOCATION header included with an HTTP 302 'Object Moved' response is generated by either the web server or by the actual web page itself (e.g. using Response.Redirect in ASP).  Conceivably you could use the HTTP filter to modify the response, however, I am not aware of any way to alter request or response headers other than the SERVER and VIA headers.  You can allow and deny them selectively, but that doesn't really solve your problem here.  It might be possible to do this with a third-party plug-in, but I don't specifically know of one. 

The best solution would be to perform the protocol redirection with ISA (configure bridging to redirect HTTP requests to HTTPS), or have your web server administrator or the application developer change the redirect to use the public host name instead of the private host name.

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to frankt)
Post #: 4
RE: ISA 2006 leak internal IP address - 10.Nov.2009 3:39:24 AM   
frankt
Posts: 3
Joined: 6.Nov.2009
Status: offline
Thanks for posting Richard but I am using bridging. It might help if I explain more about my scenario.

I am terminating SSL at the proxy server like this:
Client <--https--> ISA 2006 <--http--> server
Within the proxy rule, I have the bridging tab set to redirect to port 80 on the internal web server, so I'm pretty sure that the redirect is not coming from the internal web server.

On the listener properties, I have the "connections" tab set to enable both port 80 and 443 and "HTTP to HTTPS redirection" set to redirect all traffic from http to https (the bottom option).

What I believe is happening is that the listener is doing what it's told, i.e. redirect all traffic to port 443. On an HTTP/1.1 request, that's fine because the request needs to specify a host (well.. a properly formed HTTP/1.1 request will specify it) so ISA can construct the correct location header. However, with HTTP/1.0, there is no such host entry so ISA can only redirect to what it knows and because it's a protocol shift (from http to https), the redirect cannot be relative. So it returns a new location entry of "https://IP_ADDRESS" - which is not good

(in reply to richardhicks)
Post #: 5
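The mechanism Frank describes above (the listener builds the Location header from the request's Host header, and falls back to an address it knows internally when an HTTP/1.0 request carries none) can be modelled in a few lines. The following is an added example written for this thread; it is not code from ISA/TMG, from Microsoft, or from any poster. It shows a leaky redirect builder beside a hardened one that always uses the published host name, plus a small audit helper that flags a Location header pointing at a private address in a captured response. The host name www.example.com, the address 10.0.0.5 and the sample response are constructed for illustration.

```python
"""
Added example (not from the thread or from ISA/TMG): a model of the
HTTP-to-HTTPS redirect a listener performs, showing why an HTTP/1.0
request without a Host header can surface the listener's own IP, and a
response checker a defender can run over captured responses to flag it.
All host names and addresses here are constructed for illustration.
"""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

PUBLIC_HOST = "www.example.com"   # assumed published FQDN (constructed)
LISTENER_IP = "10.0.0.5"          # assumed internal listener address (constructed)


def parse_request(raw: str) -> tuple:
    """Return (version, path, headers) from raw HTTP request text."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return version, path, headers


def redirect_location_leaky(raw_request: str) -> str:
    """Model of the behaviour described in the thread: with no Host header
    (typical of HTTP/1.0) the listener falls back to its own address."""
    _, path, headers = parse_request(raw_request)
    host = headers.get("host", LISTENER_IP)
    return f"https://{host}{path}"


def redirect_location_hardened(raw_request: str) -> str:
    """Hardened variant: never emit an address the proxy only knows
    internally. Use the published host name when Host is absent, and only
    honour Host when it matches the published name, so a client-supplied
    Host cannot steer the redirect elsewhere."""
    _, path, headers = parse_request(raw_request)
    host = headers.get("host", "")
    if host.split(":")[0].lower() != PUBLIC_HOST:
        host = PUBLIC_HOST
    return f"https://{host}{path}"


_LOCATION_RE = re.compile(r"^location:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def private_ip_in_location(raw_response: str) -> Optional[str]:
    """Audit helper: return the private, loopback or link-local IP literal
    found in a Location header of a captured response, else None."""
    match = _LOCATION_RE.search(raw_response)
    if not match:
        return None
    host = urlsplit(match.group(1)).hostname   # handles ports and [IPv6]
    if host is None:
        return None                            # relative redirect, no host
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None                            # a host name, not an IP literal
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return str(addr)
    return None


# Constructed requests: HTTP/1.0 without Host, HTTP/1.1 with Host.
REQ_HTTP10 = "GET / HTTP/1.0\r\n\r\n"
REQ_HTTP11 = f"GET /login HTTP/1.1\r\nHost: {PUBLIC_HOST}\r\n\r\n"

# Constructed sample response of the kind the thread describes.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Object Moved\r\n"
    "Location: https://10.0.0.5/\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print("leaky,    HTTP/1.0:", redirect_location_leaky(REQ_HTTP10))
    print("leaky,    HTTP/1.1:", redirect_location_leaky(REQ_HTTP11))
    print("hardened, HTTP/1.0:", redirect_location_hardened(REQ_HTTP10))
    print("audit of sample response:", private_ip_in_location(SAMPLE_RESPONSE))
```

The audit helper is the part worth keeping around: run it over the raw 302 responses captured from a listener on port 80 (for both an HTTP/1.0 and an HTTP/1.1 request) and it reports any RFC 1918, loopback or link-local literal that the redirect would disclose, which is exactly the check a pentest report for this issue is based on.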
RE: ISA 2006 leak internal IP address - 22.Oct.2010 12:55:45 PM   
keithab
Posts: 1
Joined: 22.Oct.2010
Status: offline
I know this thread is old but I just had a case similar to this. The solution is to not use "Require All Users to Authenticate" on the Listener tab. Let the rule require authentication by putting something such as "All Authenticated Users" in the Users tab.

Regards,

Keith A. Abluton

(in reply to frankt)
Post #: 6
RE: ISA 2006 leak internal IP address - 23.Oct.2010 2:07:10 PM   
ferrix
Posts: 547
Joined: 16.Mar.2005
Status: offline
I saw this thread because of Keith's update, so now I am obliged to comment on Richard's comment:
quote:

I am not aware of any way to alter request or response headers other than the SERVER and VIA headers.  You can allow and deny them selectively, but that doesn't really solve your problem here.  It might be possible to do this with a third-party plug-in, but I don't specifically know of one. 


This is why we made IsaScript.  Of course any solution that saves you having to use a third party filter would be a win.  If you can avoid the problem behavior entirely then great!

(in reply to frankt)
Post #: 7
RE: ISA 2006 leak internal IP address - 23.Oct.2010 5:16:30 PM   
richardhicks
Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
Excellent point, Greg!

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to ferrix)
Post #: 8
RE: ISA 2006 leak internal IP address - 13.Mar.2014 10:38:16 AM   
paul_psmith
Posts: 79
Joined: 2.Nov.2006
Status: offline
Yes. This post is pretty old, but searching around for any info on it does not provide anything I can use. I have tried all of the suggestions above and none have worked.

We still get the Location: http://internalIP/ when doing a pentest.

Edit: FYI...the IP address that shows is the IP of the listener on the TMG array. Not a web servers IP.

What it really looks like to me is that the TMG server is really doing this before it even passes the policy. So adding HTTP filters to the policies does not work.

We also do have the All Users Must Authenticate set in the listener.

I don't want to buy any third party software either as TMG is basically dead after this and we will be replacing it in a few years anyway.

Does anyone have a good solution for this?

Thanks!
Paul

< Message edited by paul_psmith -- 13.Mar.2014 10:44:32 AM >

(in reply to richardhicks)
Post #: 9