• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

RE: Getting 502 proxy error after upgrading to SP2

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> HTTP Filtering >> RE: Getting 502 proxy error after upgrading to SP2 Page: <<   < prev  1 2 [3] 4   next >   >>
Login
Message << Older Topic   Newer Topic >>
RE: Getting 502 proxy error after upgrading to SP2 - 2.Mar.2006 5:16:33 PM   
bdy73

 

Posts: 8
Joined: 18.Jun.2001
From: Franklin, TN USA
Status: offline
yup.  I'm getting it to after installing SP2 trying to download firmware updates from Rockwell Software.  I'm uninstalling until this problem is fixed. 

(in reply to Raice)
Post #: 41
RE: Getting 502 proxy error after upgrading to SP2 - 2.Mar.2006 8:12:33 PM   
TroubleT77

 

Posts: 2
Joined: 2.Mar.2006
Status: offline
So has anyone had an unsuccessful uninstall of SP2? 

We have the same problem, 502 Proxy Error. The HTTP request includes a non-supported header, when downloading files at constructware.com after installing SP2.  However, we are a bit apprehensive about uninstalling since they don't usually go so smoothly.  We have tried all the suggestions mentioned, except uninstalling, and nothing seems to work.

Has anybody who has talked to MS, heard if they were going to release a hotfix soon?  


(in reply to bedpan)
Post #: 42
RE: Getting 502 proxy error after upgrading to SP2 - 2.Mar.2006 9:03:58 PM   
sambo

 

Posts: 12
Joined: 20.Jul.2005
From: Cincinnati, OH
Status: offline
My uninstall went as smooth as the install.  You have to be onsite to do it though (just in case you are thinking you want to save yourself the inconvenience).  No residual problems noticed.

You know I could've (perhaps should've) called Microsoft on this but I didn't.  It's a good point and someone who still has it installed and therefore can replicate the issue live with Product Support could call that free number:

"...Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support that is associated with security update issues or viruses."

(in reply to TroubleT77)
Post #: 43
RE: Getting 502 proxy error after upgrading to SP2 - 2.Mar.2006 10:40:12 PM   
Jim Harrison

 

Posts: 271
Joined: 5.May2001
From: Redmond, WA
Status: offline
Folks, you *must* call PSS and give them:
- ISAInfo (http://isatools.org/isainfo/isainfo.zip)
- ISA logging showing these errors
- Network captures at the ISA external side

We (ISA Sustained Engineering) are trying to solve this now and the more data we get, the better our chances of solving it *right* the first time.  PSS will not charge for the call because this is a known issue.
The more data we have (especially where variations on a theme are seen) can only help.

For the record, the problem with www.delta.com and many other sites is not necessarily the same problem.  The important part is the extra data in the ISA error.  "502" is only an HTTP/1.1 "Bad Gateway" response.  the ISA error (12217, 12202, etc.) and the detail text (not implemented, bad request, your feet smell, etc.) are the distinguishing elements between these issues.

Get the details - could be there is a better workaround than removing SP2.

_____________________________

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
My ISAServer.org Stuff
My Site

(in reply to Raice)
Post #: 44
RE: Getting 502 proxy error after upgrading to SP2 - 2.Mar.2006 10:56:35 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

DO NOT REMOVE SP2.

Check here to fix any BO update related problems:

http://blogs.isaserver.org/shinder/news/2006/02/27/isa-firewall-sp-2-branch-office-features-turn-em-off/

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Raice)
Post #: 45
RE: Getting 502 proxy error after upgrading to SP2 - 3.Mar.2006 11:38:30 PM   
kenisswell

 

Posts: 29
Joined: 31.Dec.2005
Status: offline
quote:

Hey guys,
DO NOT REMOVE SP2.
Check here to fix any BO update related problems:
http://blogs.isaserver.org/shinder/news/2006/02/27/isa-firewall-sp-2-branch-office-features-turn-em-off/
HTH, Tom


Ok, as a note here, I think there is some confusion here because there are two different errors are being addresses in this same thread.
1) There is the error that is due to header compressions. The resolution to that error is to disable the compression filter.

2) The other error (*which I am experiencing) is different. This error is not resolved by disabling the filters. I have a case opened with MS. As stated by Microsoft the temporary workaround was to uninstall SP2. They told me that they are working on a fix to this problem but do not have a release date yet.

*See the example of the error below.
www.delta.com
Technical Information (for support personnel)

Error Code: 502 Proxy Error. The HTTP request includes a non-supported header. Contact your ISA Server administrator. (12156)
IP Address: 205.174.16.50
Date: 3/3/2006 7:40:49 PM
Server: ********
Source: proxy





    RESOLUTION:
    I have removed SP2 which has corrected this issue. (Note, while uninstalling SP2 I received and error message about RRAS and VPN which caused my SP2 uninstall to fail.
    quote:

    Product: Microsoft ISA Server 2004 --
    Upgrading the Routing and Remote Access VPN configuration using unattended setup is not supported.
    To upgrade this configuration, you must run setup in attended mode and follow the instructions for upgrading these settings.
    I disabled my VPN Client Access in ISA and then I was able to uninstall SP2 without a problem.)


    Additionally as per Tom's suggestion, I have disabled these unneeded filters:

    Differv Filter
    Compression Filter
    Caching Compressed Content Filter
    H.323 Filter
    SMTP Filter
    SOCSK v4 Filter


      Thanks,
      Ken

      < Message edited by kenisswell -- 3.Mar.2006 11:40:44 PM >

      (in reply to tshinder)
      Post #: 46
      "502 Proxy Error. The HTTP request includes a non-... - 5.Mar.2006 6:54:00 PM   
      Jim Harrison

       

      Posts: 271
      Joined: 5.May2001
      From: Redmond, WA
      Status: offline
      ** ACTION **
      1. Call PSS
      2. Tell them I sent you
      3. Ask for the fix for ISA SE 34978

      ** NOTE **
      This fix is still undergoing internal testing.  If you are not willing to participate in this hotfix testing, then please wait for
      the official fix.

      ** DISCUSSION (kinda involved, so you can skip it if you like) **
      ISA responds to a request with "Error Code: 502 Proxy Error. The HTTP request includes a non-supported header. Contact your ISA Server administrator. (12156)".
      The likely reason for the behavior you're seeing in this case is that new logic that was added in ISA 2004 SP2 to mitigate HTTP request smuggling. The process for this attack is a bit involved and a whitepaper on the subject is available here:
      https://www.watchfire.com/securearea/whitepapers.aspx

      RFC-2616 defines two headers; "content-length" and "transfer-encoding: chunked" for the same purpose; that of providing quantitative content validation for the receiver and states *very clearly* that the server MUST NOT combine them in the same response. If the server is configured such that it does violate this edict, RFC-2616 then requires the receiving entity to ignore the content-length value and instead use the chunked-encoding technique to validate the length of the HTTP body. This places a processing burden on the receiving entity (ISA, in this case), since a chunked-encoded transfer can't be quantitatively validated until the transfer is completed. In the case of a proxy, additional processing is imposed due to caching behavior that may be dependent on content-size.

      The reason those sites are either failing outright (www.delta.com) or rendering poorly (www.sun.com) is because we chose to reject those responses entirely. Since RFC-2616 clearly states "don't combine those headers" and doing so is a demonstrably malicious act, it seemed unlikely that ISA would cause problems for any other than malicious sites, and in fact, our testing validated this belief. As it turns out, there are quite a few legitimate sites out there that violate this part of RFC-2616 and so we have had to rethink our answer to this problem.



      _____________________________

      Jim Harrison
      MCP(NT4, W2K), A+, Network+, PCG
      My ISAServer.org Stuff
      My Site

      (in reply to kenisswell)
      Post #: 47
      RE: Getting 502 proxy error after upgrading to SP2 - 6.Mar.2006 2:52:34 PM   
      tshinder

       

      Posts: 50013
      Joined: 10.Jan.2001
      From: Texas
      Status: offline
      quote:

      ORIGINAL: kenisswell

      quote:

      Hey guys,
      DO NOT REMOVE SP2.
      Check here to fix any BO update related problems:
      http://blogs.isaserver.org/shinder/news/2006/02/27/isa-firewall-sp-2-branch-office-features-turn-em-off/
      HTH, Tom


      Ok, as a note here, I think there is some confusion here because there are two different errors are being addresses in this same thread.
      1) There is the error that is due to header compressions. The resolution to that error is to disable the compression filter.

      2) The other error (*which I am experiencing) is different. This error is not resolved by disabling the filters. I have a case opened with MS. As stated by Microsoft the temporary workaround was to uninstall SP2. They told me that they are working on a fix to this problem but do not have a release date yet.

      *See the example of the error below.
      www.delta.com
      Technical Information (for support personnel)

      Error Code: 502 Proxy Error. The HTTP request includes a non-supported header. Contact your ISA Server administrator. (12156)
      IP Address: 205.174.16.50
      Date: 3/3/2006 7:40:49 PM
      Server: ********
      Source: proxy





        RESOLUTION:
        I have removed SP2 which has corrected this issue. (Note, while uninstalling SP2 I received and error message about RRAS and VPN which caused my SP2 uninstall to fail.
        quote:

        Product: Microsoft ISA Server 2004 --
        Upgrading the Routing and Remote Access VPN configuration using unattended setup is not supported.
        To upgrade this configuration, you must run setup in attended mode and follow the instructions for upgrading these settings.
        I disabled my VPN Client Access in ISA and then I was able to uninstall SP2 without a problem.)


        Additionally as per Tom's suggestion, I have disabled these unneeded filters:

        Differv Filter
        Compression Filter
        Caching Compressed Content Filter
        H.323 Filter
        SMTP Filter
        SOCSK v4 Filter



          Thanks,
          Ken


          Hi Ken,
          Yes, I just became aware of this myself and I'll put a note in my blog regarding this.
          Thanks!
          Tom

          _____________________________

          Thomas W Shinder, M.D.

          (in reply to kenisswell)
          Post #: 48
          RE: "502 Proxy Error. The HTTP request includes a ... - 6.Mar.2006 2:53:32 PM   
          tshinder

           

          Posts: 50013
          Joined: 10.Jan.2001
          From: Texas
          Status: offline
          quote:

          ORIGINAL: Jim Harrison

          ** ACTION **
          1. Call PSS
          2. Tell them I sent you
          3. Ask for the fix for ISA SE 34978

          ** NOTE **
          This fix is still undergoing internal testing.  If you are not willing to participate in this hotfix testing, then please wait for
          the official fix.

          ** DISCUSSION (kinda involved, so you can skip it if you like) **
          ISA responds to a request with "Error Code: 502 Proxy Error. The HTTP request includes a non-supported header. Contact your ISA Server administrator. (12156)".
          The likely reason for the behavior you're seeing in this case is that new logic that was added in ISA 2004 SP2 to mitigate HTTP request smuggling. The process for this attack is a bit involved and a whitepaper on the subject is available here:
          https://www.watchfire.com/securearea/whitepapers.aspx

          RFC-2616 defines two headers; "content-length" and "transfer-encoding: chunked" for the same purpose; that of providing quantitative content validation for the receiver and states *very clearly* that the server MUST NOT combine them in the same response. If the server is configured such that it does violate this edict, RFC-2616 then requires the receiving entity to ignore the content-length value and instead use the chunked-encoding technique to validate the length of the HTTP body. This places a processing burden on the receiving entity (ISA, in this case), since a chunked-encoded transfer can't be quantitatively validated until the transfer is completed. In the case of a proxy, additional processing is imposed due to caching behavior that may be dependent on content-size.

          The reason those sites are either failing outright (www.delta.com) or rendering poorly (www.sun.com) is because we chose to reject those responses entirely. Since RFC-2616 clearly states "don't combine those headers" and doing so is a demonstrably malicious act, it seemed unlikely that ISA would cause problems for any other than malicious sites, and in fact, our testing validated this belief. As it turns out, there are quite a few legitimate sites out there that violate this part of RFC-2616 and so we have had to rethink our answer to this problem.




          Hi Jim,
          Ah! I see you have it covered.
          Thanks!
          Tom

          _____________________________

          Thomas W Shinder, M.D.

          (in reply to Jim Harrison)
          Post #: 49
          RE: "502 Proxy Error. The HTTP request includes a ... - 6.Mar.2006 6:14:49 PM   
          rkrall

           

          Posts: 2
          Joined: 6.Mar.2006
          Status: offline
          I talked to the Microsoft tech for an hour today and came up with this for my case...I disabled the DiffServ and Compression Web Filter under add-ins and it worked like a charm for my website that we needed to get to.

          (in reply to tshinder)
          Post #: 50
          RE: "502 Proxy Error. The HTTP request includes a ... - 7.Mar.2006 12:06:36 AM   
          TroubleT77

           

          Posts: 2
          Joined: 2.Mar.2006
          Status: offline
          I called Microsoft today, as per Jim's and Sambo's post on March 2nd, and after a few hours of getting many logs, they called me back this afternoon with a .dll file to fix the problem, and it worked great. I'm assuming this is the same fix Jim has mentioned on March 5th.

          We were having problems with www.delta.com and downloading files from www.constructware.com receiving the error "Error Code: 502 Proxy Error. The HTTP request includes a non-supported header. Contact your ISA Server administrator. (12156)".

          Thanks for the all your help!

          (in reply to rkrall)
          Post #: 51
          RE: "502 Proxy Error. The HTTP request includes a ... - 8.Mar.2006 4:32:13 AM   
          william_delgado

           

          Posts: 2
          Joined: 4.Mar.2003
          Status: offline
          Hello,

          I just called PSS and they said that the kb article was incorrect wich would make sence since this is supposed to be a private release.

          I am against the wall because its my own Dean of the school that I work for that has the problem.. this is a big deal.

          Could someone give me more info or other options in obtaining this pre-hotfix?

          On another note, it see that its called: isa 2004 se 34978 , but I have Enterprise Edition. Is there a pre-hotfix verstion for EE or does the fix work with both versions?

          Thank you all!..


          (in reply to TroubleT77)
          Post #: 52
          RE: "502 Proxy Error. The HTTP request includes a ... - 8.Mar.2006 10:06:01 PM   
          frond

           

          Posts: 8
          Joined: 29.Jul.2004
          Status: offline
          I was also unable to get any kind of help from PSS.  They very politely told me where I could shove it.  No KB article, no fix.  They didn't care what "some guy on the Internet" had to say about it.  I called twice, talked to two different people, and got the same answer both times.

          They opened a case for me, told me that a fix was in testing, and that they'd get back to me when it was publicly available.  They were not willing to send me the test version that they've got now.

          Is there any kind of an update on when the fix will be available?  I really don't like the idea of uninstalling SP2, but we're getting more and more complaints as time goes on.

          (in reply to william_delgado)
          Post #: 53
          RE: Getting 502 proxy error after upgrading to SP2 - 9.Mar.2006 9:20:21 AM   
          onerod

           

          Posts: 11
          Joined: 11.Nov.2005
          Status: offline
          I'm glad I'm not the only one facing this problem.
          For instance, this link is giving me trouble: http://wm.quest.com/library/getdocument.asp?target=gpmds
          Disabling HTTP-compression does not work for me.

          Man, I hope a patch will soon show up.

          Error Code: 500 Internal Server Error. The HTTP request includes a non-supported header. Contact your ISA Server administrator. (12156)
          It says, contact your ISA admin, and people do!

          (in reply to bedpan)
          Post #: 54
          RE: Getting 502 proxy error after upgrading to SP2 - 9.Mar.2006 12:29:23 PM   
          Elguapo

           

          Posts: 1
          Joined: 9.Mar.2006
          Status: offline
          Hi,

          Since the SP2 install on our ISA server this week I receive the described error only for images on a very important website for our office:

          Error Code: 502 Proxy Error. The HTTP request includes a non-supported header. Contact your ISA Server administrator. (12156)

          So far the problem seems to show up only on that particular site...Before the SP2 install everything worked fine, so the cause seems to be clear.

          Some one knows a good solution / workaround? (uninstall SP2 is not an option)

          Greetz,

          E.

          (in reply to onerod)
          Post #: 55
          RE: "502 Proxy Error. The HTTP request includes a ... - 9.Mar.2006 6:41:32 PM   
          sf_boy

           

          Posts: 1
          Joined: 9.Mar.2006
          Status: offline
          For all who are having trouble getting the private fix from PSS that Jim mentioned:

          I called earlier this morning and was told the same thing, no article, no fix!  However, after I called a second time and was firm about it, didn't really mention Jim's name, just said that a private hotfix was available and that I didn't believe I needed to pay for a known problem to be resolved, the guy on the other line helped me out.  I did mention that I had heard about the fix on the microsoft support forum, not a thrid party ISA forum.  Timothy (the customer service guy) obviously needed to verify the information and asked me for the website.  The easiest way we found to do this was for him to send me a blank email that I used to reply with the link information.  Here it is:

          http://support.microsoft.com/newsgroups/?pr=815
           
          Servers ISA Servers >> ISA Server General
           
          Subject: "502 Proxy Error. The HTTP request includes a non-supported header" - private fix available from PSS
          by Jim Harrison
           
          Gave him that information and he was able to verify.  From here it was just a matter of "a technician" sending me the hotfix.
           
          Good luck all and thanks for the information that got me the solution.

          (in reply to frond)
          Post #: 56
          RE: "502 Proxy Error. The HTTP request includes a ... - 13.Mar.2006 4:32:25 PM   
          frond

           

          Posts: 8
          Joined: 29.Jul.2004
          Status: offline
          Our support engineer just sent us a link to download the hotfix, so I guess it's been publicly released now.  KB article 915045.

          (in reply to sf_boy)
          Post #: 57
          RE: "502 Proxy Error. The HTTP request includes a ... - 15.Mar.2006 11:29:42 AM   
          elmajdal

           

          Posts: 6022
          Joined: 16.Sep.2004
          From: Lebanese in Kuwait
          Status: offline
          hi ,

          ISA 2004 SP2 Hotfix Available

          http://blogs.isaserver.org/shinder/2006/03/13/isa-2004-sp2-hotfix-available/

          not yet release officially till this time ( 1:29 pm +3Hours GMT )

          _____________________________

          Tarek Majdalani

          Windows Expert - IT Pro MVP
          Facebook : https://www.facebook.com/ElMajdal.Net

          (in reply to frond)
          Post #: 58
          RE: "502 Proxy Error. The HTTP request includes a ... - 29.Mar.2006 10:55:00 PM   
          intoran

           

          Posts: 8
          Joined: 26.Jul.2001
          Status: offline
          Can anyone provide me with a link to this fix?

          (in reply to elmajdal)
          Post #: 59
          RE: "502 Proxy Error. The HTTP request includes a ... - 29.Mar.2006 11:00:51 PM   
          elmajdal

           

          Posts: 6022
          Joined: 16.Sep.2004
          From: Lebanese in Kuwait
          Status: offline
          as i said , not yet officially Available , u have to contact M$ to get it for the time being , or u can wait until its available officially.

          _____________________________

          Tarek Majdalani

          Windows Expert - IT Pro MVP
          Facebook : https://www.facebook.com/ElMajdal.Net

          (in reply to intoran)
          Post #: 60

          Page:   <<   < prev  1 2 [3] 4   next >   >> << Older Topic    Newer Topic >>
          All Forums >> [ISA Server 2004 Firewall] >> HTTP Filtering >> RE: Getting 502 proxy error after upgrading to SP2 Page: <<   < prev  1 2 [3] 4   next >   >>
          Jump to:

          New Messages No New Messages
          Hot Topic w/ New Messages Hot Topic w/o New Messages
          Locked w/ New Messages Locked w/o New Messages
           Post New Thread
           Reply to Message
           Post New Poll
           Submit Vote
           Delete My Own Post
           Delete My Own Thread
           Rate Posts