So has anyone had an unsuccessful uninstall of SP2?
We have the same problem, 502 Proxy Error. The HTTP request includes a non-supported header, when downloading files at constructware.com after installing SP2. However, we are a bit apprehensive about uninstalling since they don't usually go so smoothly. We have tried all the suggestions mentioned, except uninstalling, and nothing seems to work.
Has anybody who has talked to MS, heard if they were going to release a hotfix soon?
My uninstall went as smooth as the install. You have to be onsite to do it though (just in case you are thinking you want to save yourself the inconvenience). No residual problems noticed.
You know I could've (perhaps should've) called Microsoft on this but I didn't. It's a good point and someone who still has it installed and therefore can replicate the issue live with Product Support could call that free number:
"...Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support that is associated with security update issues or viruses."
Posts: 271
Joined: 5.May2001
From: Redmond, WA
Status: offline
Folks, you *must* call PSS and give them: - ISAInfo (http://isatools.org/isainfo/isainfo.zip) - ISA logging showing these errors - Network captures at the ISA external side
We (ISA Sustained Engineering) are trying to solve this now and the more data we get, the better our chances of solving it *right* the first time. PSS will not charge for the call because this is a known issue. The more data we have (especially where variations on a theme are seen) can only help.
For the record, the problem with www.delta.com and many other sites is not necessarily the same problem. The important part is the extra data in the ISA error. "502" is only an HTTP/1.1 "Bad Gateway" response. the ISA error (12217, 12202, etc.) and the detail text (not implemented, bad request, your feet smell, etc.) are the distinguishing elements between these issues.
Get the details - could be there is a better workaround than removing SP2.
Ok, as a note here, I think there is some confusion here because there are two different errors are being addresses in this same thread. 1) There is the error that is due to header compressions. The resolution to that error is to disable the compression filter.
2) The other error (*which I am experiencing) is different. This error is not resolved by disabling the filters. I have a case opened with MS. As stated by Microsoft the temporary workaround was to uninstall SP2. They told me that they are working on a fix to this problem but do not have a release date yet.
*See the example of the error below. www.delta.com Technical Information (for support personnel)
Error Code: 502 Proxy Error. The HTTP request includes a non-supported header. Contact your ISA Server administrator. (12156) IP Address: 205.174.16.50 Date: 3/3/2006 7:40:49 PM Server: ******** Source: proxy
RESOLUTION: I have removed SP2 which has corrected this issue. (Note, while uninstalling SP2 I received and error message about RRAS and VPN which caused my SP2 uninstall to fail.
quote:
Product: Microsoft ISA Server 2004 -- Upgrading the Routing and Remote Access VPN configuration using unattended setup is not supported. To upgrade this configuration, you must run setup in attended mode and follow the instructions for upgrading these settings.
I disabled my VPN Client Access in ISA and then I was able to uninstall SP2 without a problem.)
Additionally as per Tom's suggestion, I have disabled these unneeded filters:
Posts: 271
Joined: 5.May2001
From: Redmond, WA
Status: offline
** ACTION ** 1. Call PSS 2. Tell them I sent you 3. Ask for the fix for ISA SE 34978
** NOTE ** This fix is still undergoing internal testing. If you are not willing to participate in this hotfix testing, then please wait for the official fix.
** DISCUSSION (kinda involved, so you can skip it if you like) ** ISA responds to a request with "Error Code: 502 Proxy Error. The HTTP request includes a non-supported header. Contact your ISA Server administrator. (12156)". The likely reason for the behavior you're seeing in this case is that new logic that was added in ISA 2004 SP2 to mitigate HTTP request smuggling. The process for this attack is a bit involved and a whitepaper on the subject is available here: https://www.watchfire.com/securearea/whitepapers.aspx
RFC-2616 defines two headers; "content-length" and "transfer-encoding: chunked" for the same purpose; that of providing quantitative content validation for the receiver and states *very clearly* that the server MUST NOT combine them in the same response. If the server is configured such that it does violate this edict, RFC-2616 then requires the receiving entity to ignore the content-length value and instead use the chunked-encoding technique to validate the length of the HTTP body. This places a processing burden on the receiving entity (ISA, in this case), since a chunked-encoded transfer can't be quantitatively validated until the transfer is completed. In the case of a proxy, additional processing is imposed due to caching behavior that may be dependent on content-size.
The reason those sites are either failing outright (www.delta.com) or rendering poorly (www.sun.com) is because we chose to reject those responses entirely. Since RFC-2616 clearly states "don't combine those headers" and doing so is a demonstrably malicious act, it seemed unlikely that ISA would cause problems for any other than malicious sites, and in fact, our testing validated this belief. As it turns out, there are quite a few legitimate sites out there that violate this part of RFC-2616 and so we have had to rethink our answer to this problem.
Ok, as a note here, I think there is some confusion here because there are two different errors are being addresses in this same thread. 1) There is the error that is due to header compressions. The resolution to that error is to disable the compression filter.
2) The other error (*which I am experiencing) is different. This error is not resolved by disabling the filters. I have a case opened with MS. As stated by Microsoft the temporary workaround was to uninstall SP2. They told me that they are working on a fix to this problem but do not have a release date yet.
*See the example of the error below. www.delta.com Technical Information (for support personnel)
Error Code: 502 Proxy Error. The HTTP request includes a non-supported header. Contact your ISA Server administrator. (12156) IP Address: 205.174.16.50 Date: 3/3/2006 7:40:49 PM Server: ******** Source: proxy
RESOLUTION: I have removed SP2 which has corrected this issue. (Note, while uninstalling SP2 I received and error message about RRAS and VPN which caused my SP2 uninstall to fail.
quote:
Product: Microsoft ISA Server 2004 -- Upgrading the Routing and Remote Access VPN configuration using unattended setup is not supported. To upgrade this configuration, you must run setup in attended mode and follow the instructions for upgrading these settings.
I disabled my VPN Client Access in ISA and then I was able to uninstall SP2 without a problem.)
Additionally as per Tom's suggestion, I have disabled these unneeded filters:
** ACTION ** 1. Call PSS 2. Tell them I sent you 3. Ask for the fix for ISA SE 34978
** NOTE ** This fix is still undergoing internal testing. If you are not willing to participate in this hotfix testing, then please wait for the official fix.
** DISCUSSION (kinda involved, so you can skip it if you like) ** ISA responds to a request with "Error Code: 502 Proxy Error. The HTTP request includes a non-supported header. Contact your ISA Server administrator. (12156)". The likely reason for the behavior you're seeing in this case is that new logic that was added in ISA 2004 SP2 to mitigate HTTP request smuggling. The process for this attack is a bit involved and a whitepaper on the subject is available here: https://www.watchfire.com/securearea/whitepapers.aspx
RFC-2616 defines two headers; "content-length" and "transfer-encoding: chunked" for the same purpose; that of providing quantitative content validation for the receiver and states *very clearly* that the server MUST NOT combine them in the same response. If the server is configured such that it does violate this edict, RFC-2616 then requires the receiving entity to ignore the content-length value and instead use the chunked-encoding technique to validate the length of the HTTP body. This places a processing burden on the receiving entity (ISA, in this case), since a chunked-encoded transfer can't be quantitatively validated until the transfer is completed. In the case of a proxy, additional processing is imposed due to caching behavior that may be dependent on content-size.
The reason those sites are either failing outright (www.delta.com) or rendering poorly (www.sun.com) is because we chose to reject those responses entirely. Since RFC-2616 clearly states "don't combine those headers" and doing so is a demonstrably malicious act, it seemed unlikely that ISA would cause problems for any other than malicious sites, and in fact, our testing validated this belief. As it turns out, there are quite a few legitimate sites out there that violate this part of RFC-2616 and so we have had to rethink our answer to this problem.
Hi Jim, Ah! I see you have it covered. Thanks! Tom
I talked to the Microsoft tech for an hour today and came up with this for my case...I disabled the DiffServ and Compression Web Filter under add-ins and it worked like a charm for my website that we needed to get to.
I called Microsoft today, as per Jim's and Sambo's post on March 2nd, and after a few hours of getting many logs, they called me back this afternoon with a .dll file to fix the problem, and it worked great. I'm assuming this is the same fix Jim has mentioned on March 5th.
We were having problems with www.delta.com and downloading files from www.constructware.com receiving the error "Error Code: 502 Proxy Error. The HTTP request includes a non-supported header. Contact your ISA Server administrator. (12156)".
I just called PSS and they said that the kb article was incorrect wich would make sence since this is supposed to be a private release.
I am against the wall because its my own Dean of the school that I work for that has the problem.. this is a big deal.
Could someone give me more info or other options in obtaining this pre-hotfix?
On another note, it see that its called: isa 2004 se 34978 , but I have Enterprise Edition. Is there a pre-hotfix verstion for EE or does the fix work with both versions?
I was also unable to get any kind of help from PSS. They very politely told me where I could shove it. No KB article, no fix. They didn't care what "some guy on the Internet" had to say about it. I called twice, talked to two different people, and got the same answer both times.
They opened a case for me, told me that a fix was in testing, and that they'd get back to me when it was publicly available. They were not willing to send me the test version that they've got now.
Is there any kind of an update on when the fix will be available? I really don't like the idea of uninstalling SP2, but we're getting more and more complaints as time goes on.
Error Code: 500 Internal Server Error. The HTTP request includes a non-supported header. Contact your ISA Server administrator. (12156) It says, contact your ISA admin, and people do!
For all who are having trouble getting the private fix from PSS that Jim mentioned:
I called earlier this morning and was told the same thing, no article, no fix! However, after I called a second time and was firm about it, didn't really mention Jim's name, just said that a private hotfix was available and that I didn't believe I needed to pay for a known problem to be resolved, the guy on the other line helped me out. I did mention that I had heard about the fix on the microsoft support forum, not a thrid party ISA forum. Timothy (the customer service guy) obviously needed to verify the information and asked me for the website. The easiest way we found to do this was for him to send me a blank email that I used to reply with the link information. Here it is:
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
Printable Version
All Forums >> [ISA Server 2004 Firewall] >> HTTP Filtering >> RE: Getting 502 proxy error after upgrading to SP2 
RE: Getting 502 proxy error after upgrading to SP2 - 
RE: Getting 502 proxy error after upgrading to SP2 - 
RE: "502 Proxy Error. The HTTP request includes a ... - 
New Messages
No New Messages
Hot Topic w/ New Messages
Hot Topic w/o New Messages
Locked w/ New Messages
Locked w/o New Messages
Post New Thread