Welcome to ISAserver.org

Understanding web publishing and http requests

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2000 General] >> Web Publishing >> Understanding web publishing and http requests

Page: [1]

Message

<< Older Topic Newer Topic >>

Understanding web publishing and http requests - 19.Dec.2007 6:21:42 AM

MIA

Posts: 7
Joined: 19.Oct.2007
Status: offline

Hi,
We've recently had a pen test on our dmz which flagged up a couple of issues that I've not been able to fully resolve. We have a W2k3 IIS server in a dmz behind another external facing W2k3 server running ISA 2k. We also have an internal facing W2k3 running ISA 2k but that is not relevant
The main issue is that, using tools such as netcat/ nessus and wfetch, I am able to get a response from a TRACE request. The response is HTTP/1.1 200 OK whereas it should be HTTP/1.1 501 Not Implemented (which is the response we get on our internal dev server). I have put in place various recommended fixes but am still getting the OK response. I have built the webserver as a standalone clone and ran tests against it which have proved inconclusive. The difference here is that on our live sever we have an ISA 2k whereas on the dev and testing server are not.
My question is this:
How does the web publishing handle http requests such as TRACE? Could it be the ISA server that is responding with the OK?
Please feel free to ask questions if I've not given enough info.
Many thanks

Post #: 1

Featured Links*

RE: Understanding web publishing and http requests - 19.Dec.2007 10:23:10 PM

AHIT

Posts: 1554
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline

<blink> <blink>
errmm... absolutely no idea!

I've got to admit I've never delved to using these test tools with respect to trace. Perhaps ISA's web publishing performs the echo function (in trace) to say "yep, I can hear your request to this URL" but doesn't actually pass it on to the internal server?? whereas a normal GET request would contact the actual published server?? I'm grasping at straws here.

I think I'll try and messge Mr.Shinder to get his learned opinion.

_____________________________

http://www.ahit.com.au/isa
(Previous nick: Tolk)

(in reply to MIA)

Post #: 2

RE: Understanding web publishing and http requests - 20.Dec.2007 5:33:32 AM

MIA

Posts: 7
Joined: 19.Oct.2007
Status: offline

;-)
I must admit it's an obscure one! Thanks for the response anyway - I was thinking along the same lines in that the ISA is answering the trace and not fwding it on. I'm just in the process of doing some packet sniffing and anlalysis also to see if this gives me any more info.

(in reply to AHIT)

Post #: 3

RE: Understanding web publishing and http requests - 30.Dec.2007 11:33:27 PM

AHIT

Posts: 1554
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline

Of interest.. had any joy with this one as it does intrigue me somewhat..
I "paged" Tom but obviously he haasnt checked out this thread yet... or quietly ignored it :)

_____________________________

http://www.ahit.com.au/isa
(Previous nick: Tolk)

(in reply to MIA)

Post #: 4

RE: Understanding web publishing and http requests - 2.Jan.2008 5:12:11 AM

MIA

Posts: 7
Joined: 19.Oct.2007
Status: offline

Hi, 1st day back after that Christmas holidays so just getting back into the swing of things. I've ran some tests on the following scenarios:
1. A test build of the live webserver created using a backup copy.
2. A dev webserver
3. The live webserver via an external facing ISA 2k route
4. The live webserver via LAN/ DMZ route which goes through the internal facing ISA 2k
and looked at both the urlscan and w3svc logs.
For the urlscan logs, on all servers that there were entries such as:
Sent verb 'TRACE', which is not specifically allowed. Request will be rejected.
except when going via the external ISA2k route
For the W3 svc logs I could also see relevant entries except when going via the external ISA 2k. It's important to note that the internal and external ISA 2k have different rules so the log files will behave differently!
So my initial conclusions are that this is something to do with the external facing ISA 2k. I have some packets to analyse but not sure how much more info that will give me.
We're looking at upgrading to ISA2k6 anyway so this should speed up the process a little more as I believe there are more filtering features that should help.
Cheers

(in reply to AHIT)

Post #: 5

RE: Understanding web publishing and http requests - 27.Apr.2008 7:03:24 AM

AHIT

Posts: 1554
Joined: 22.Jul.2002
From: Sydney, Australia
Status: offline

howd this end up?

_____________________________

http://www.ahit.com.au/isa
(Previous nick: Tolk)

(in reply to MIA)

Post #: 6

RE: Understanding web publishing and http requests - 8.May2008 9:16:05 AM

MIA

Posts: 7
Joined: 19.Oct.2007
Status: offline

Hi, sorry for the dealy in replying but had to trawl thru emails to find out what i did to fix!

Essentially the ISA server was handling the requests and I ended up installing URLScan for ISA (which I didn't know existed!). This sorted the problem out.
I found a similar post here;
http://www.derkeiler.com/Newsgroups/microsoft.public.inetserver.iis.security/2004-02/0267.html

So there you go....

(in reply to AHIT)

Post #: 7

RE: Understanding web publishing and http requests - 14.May2008 11:04:58 PM