Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

The Mystery of the HTTP Redirector and Site&Content Rules article

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2000 Firewall] >> General >> The Mystery of the HTTP Redirector and Site&Content Rules article Page: [1] 2   next >   >>
Login
Message << Older Topic   Newer Topic >>
The Mystery of the HTTP Redirector and Site&Content... - 16.Nov.2002 11:35:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		This thread is for The Mystery of the HTTP Redirector and Site&Content Rules article.

Thanks,
Stefaan

[ November 18, 2002, 08:29 PM: Message edited by: spouseele ]
Post #: 1
RE: The Mystery of the HTTP Redirector and Site&Con... - 18.Nov.2002 9:12:00 PM   
skipster

 

Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline 		Finally an article that clearly explains how the HTTP redirector works. Nice work

(in reply to spouseele)
Post #: 2
RE: The Mystery of the HTTP Redirector and Site&Con... - 18.Nov.2002 9:36:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi Skip,

thanks for the compliment! [Smile]

Stefaan

(in reply to spouseele)
Post #: 3
RE: The Mystery of the HTTP Redirector and Site&Con... - 18.Nov.2002 10:14:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Stefaan,

Very good! But I've noticed some very strange things happen when I disable the HTTP redirector. I'll have to work out the issues, but it doesn't seem to be a very functional configuration.

I've have to do more work with it, but I'll share the results when I figure out what's causing the failures.

Thanks!
Tom

(in reply to spouseele)
Post #: 4
RE: The Mystery of the HTTP Redirector and Site&Con... - 18.Nov.2002 10:23:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hey guys,

Well, I tried it again and it seems to be working OK [Big Grin]

So, what are the advantages of disabling the HTTP Redirector? You get Site and Content Rules to apply to HTTP requests, even if the browser is not configured as a Web Proxy client.

What is the major disadvantage of disabling the HTTP Redirector? You can *force* clients to use the Web Proxy service. The HTTP Redirector allows you to drop all requests from SecureNAT and Firewall clients.

Disabling the HTTP Redirector also prevents the Firewall and SecureNAT clients from being able to use the Web cache. So, you'll have to make all the clients Web Proxy clients. I think everyone should do this anyhow, so its not that big of a problem [Smile]

HTH,
Tom

(in reply to spouseele)
Post #: 5
RE: The Mystery of the HTTP Redirector and Site&Con... - 18.Nov.2002 11:03:00 PM   
skipster

 

Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline 		Ya but what if you have a server that is published with a server publishing rule, and is configured as SNAT client. If the HTTP redirector is disabled will this prevent the server from accessing DNS records on the internet. My internal DNS server is configured as SNAT client, and it is setup to forward all request to my ISP that it cannot resolve. Do you think that disabling the HTTP redirector would prevent the internal DNS server from querying its forwarder?

(in reply to spouseele)
Post #: 6
RE: The Mystery of the HTTP Redirector and Site&Con... - 18.Nov.2002 11:32:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Skip,

How would the HTTP Redirector have any effect on DNS queries?

Thanks!
Tom

(in reply to spouseele)
Post #: 7
RE: The Mystery of the HTTP Redirector and Site&Con... - 18.Nov.2002 11:38:00 PM   
skipster

 

Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline 		I guess it wouldnt. Just wanted to know what you think. Thansk for the reply

Skip

(in reply to spouseele)
Post #: 8
RE: The Mystery of the HTTP Redirector and Site&Con... - 19.Nov.2002 12:37:00 AM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi Tom,

in the article I *only* investigated the HTTP Redirector with the configuration setting 'to Send to requested Web server'. In that particular configuration I believe it is better to *not* use the HTTP Redirector at all. In my opinion, Microsoft *should* have made the behaviour of the setting 'to Send to requested Web server' equal to disabling the HTTP Redirector so that the HTTP requests are just passed to the Firewall service. That would have been much less confusing! [Razz]

The other HTTP Redirector settings are indeed useful, particular if you can set it to 'reject all requests from SecureNAT and Firewall clients' and force the clients to use the Web Proxy service. But then, you are stuck with those nasty programs that don't behave very well. [Big Grin]

BTW --- I stole your brilliant idea to 'bind' a forum topic to an article! [Cool]

HTH,
Stefaan

(in reply to spouseele)
Post #: 9
RE: The Mystery of the HTTP Redirector and Site&Con... - 19.Nov.2002 3:01:00 AM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Stefaan,

Yes, in light of the "forward directly to server" setting, disabling the HTTP Redirector does appear to be better.

Great idea re: binding the articles to a thread [Smile] I've been trying to figure out how to do something like this for almost a year, and it only occured to me how to do it a few weeks ago! [Wink]

Tom

(in reply to spouseele)
Post #: 10
RE: The Mystery of the HTTP Redirector and Site&Con... - 20.Nov.2002 10:28:00 PM   
skipster

 

Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline 		If my HTTP redirector is set to redirect to local web proxy service, and if not available send to web server, and i take out all the proxy settings in IE, and i have the firewall client installed, then i cant get out to the internet. I would think that if i dropped all connections from firewall client and SNAT client that this would be true. I do require athentification on my site and content rule, and protocol rules, for domain users. Is this the reason why i see this behavior?

Thanks for any help

(in reply to spouseele)
Post #: 11
RE: The Mystery of the HTTP Redirector and Site&Con... - 20.Nov.2002 11:48:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi Skip,

yes, requests passing through the HTTP Redirector Filter have authentication information removed. So, if you don't have anonymous rules then no access is possible.

HTH,
Stefaan

(in reply to spouseele)
Post #: 12
RE: The Mystery of the HTTP Redirector and Site&Con... - 21.Nov.2002 12:04:00 AM   
skipster

 

Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline 		Thanks for the reply. So in my senario, what difference would it be if i disabled the HTTP redirector, or dropped all requests from SNAT and firewall clients? I think i would see the same behavior that i do now with the HTTP redirector enabled in the settings that i have for it now. It seems that if i require authentification in site and content and protocal rules, and clients are configured as firewall, and web proxy, and i take out proxy settings in IE, then request from firewall clients are dropped. SNAT clients can get out if i make a site and content rule, and protocal rule for their address set. So it seems that i am acomplishing the same thing if i had the HTTP redirector set to drop request. Let me know your thoughts.

thanks again

(in reply to spouseele)
Post #: 13
RE: The Mystery of the HTTP Redirector and Site&Con... - 21.Nov.2002 5:22:00 PM   
MCain

 

Posts: 85
Joined: 5.Sep.2002
From: New Jersey, USA
Status: offline 		Hi spouseele,

Thanks for writing that up! That HTTP Redirector is quite a piece of work and definitely deserves some attention. Good job!

-Matt

(in reply to spouseele)
Post #: 14
RE: The Mystery of the HTTP Redirector and Site&Con... - 21.Nov.2002 11:10:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi Matt,

thanks for the kind words! [Smile]

Stefaan

(in reply to spouseele)
Post #: 15
RE: The Mystery of the HTTP Redirector and Site&Con... - 21.Nov.2002 11:27:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi Skip,

if you disable the HTTP Redirector, then the Firewall service will process the request and apply the protocol and site&content rules defined.

However, if you configure the HTTP Redirector to discard HTTP requests from Firewall and SecureNAT clients, then even if all other ISA Server rules allow the request, the HTTP redirector filter should reject it. This essentially forces all clients who want to use HTTP to be set up as Web Proxy clients.

HTH,
Stefaan

(in reply to spouseele)
Post #: 16
RE: The Mystery of the HTTP Redirector and Site&Con... - 22.Nov.2002 9:07:00 PM   
gcjunior

 

Posts: 114
Joined: 28.Oct.2002
From: Belgium
Status: offline 		Stefaan,

well explained! Is this the result of the site and content discussion?

Regards

Geert

(in reply to spouseele)
Post #: 17
RE: The Mystery of the HTTP Redirector and Site&Con... - 22.Nov.2002 9:34:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi Geert,

yep, I found that topic so interesting and the result so astonishing that it was worth a short tutorial to help the ISA server community. [Roll Eyes]

Thanks,
Stefaan

(in reply to spouseele)
Post #: 18
RE: The Mystery of the HTTP Redirector and Site&Con... - 4.Dec.2002 2:30:00 AM   
taylor_st

 

Posts: 5
Joined: 20.Nov.2002
From: Olympia Washington
Status: offline 		Once you disable the HTTP Redirector are the credentials provided by the firewall client available to be used by the Site&Content/Protocol Rules or does one still need to have anonymous rules defined. Example: If Netscape Users refuse the Logon Dialog Box when configured with ISA Proxy Server can I remove proxy settings from Netscape, install firewall client and make no changes to my existing Site&Content/Protocol Rules.

(in reply to spouseele)
Post #: 19
RE: The Mystery of the HTTP Redirector and Site&Con... - 4.Dec.2002 8:48:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline 		Hi AdotA,

that's correct! But you must keep in mind that you are no longer passing through the web proxy service. Therefore the site&content rules only applies to the site part of the rule, not the content part.

HTH,
Stefaan

(in reply to spouseele)
Post #: 20

Page:   [1] 2   next >   >> << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2000 Firewall] >> General >> The Mystery of the HTTP Redirector and Site&Content Rules article Page: [1] 2   next >   >>
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts