Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Microsoft's suggested Activesync HTTP filter does not work

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Firewall] >> HTTP Filtering >> Microsoft's suggested Activesync HTTP filter does not work Page: [1]
Login
Message << Older Topic   Newer Topic >>
Microsoft's suggested Activesync HTTP filter does not work - 19.Sep.2006 9:50:38 PM   
chrisnet

 

Posts: 7
Joined: 20.Jul.2006
Status: offline 		Great site Tom. Definitely the place to go for ISA education.

I found a problem with the HTTP filter related to Activesync in particular. I only found one other user on the internet who also asked this question but for ISA 2004 so the problem may have been around for a while.

I have one listener and web publishing rule setup for RPC over HTTP/Activesync. I wanted to turn on the HTTP filter for these two services. I did so according to Microsoft's suggestions:

http://www.microsoft.com/technet/isa/2004/plan/httpfiltering.mspx

There is a chart there with the HTTP filtering settings for Exchange services, including Activesync and RPC over HTTP. According to these suggestions, you can deny all extensions except .dll for RPC over HTTP and .(dot) for Activesync.

The suggestion for RPC over HTTP does work. You can limit to just the .dll extension and everything is fine. However, allowing only the additional .(dot) does not result in Activesync working. You will get a "Denied Connection" in the log for all Activesync attempts. Removing the extension restrictions causes Activesync to function normally.

Therefore, for now, instead of limiting to just .dll and .(dot), I am blocking most other extensions. However, I would definitely like to know the exact correct extensions that Activesync uses so I can explicitly limit to just .dll and whatever Activesync needs.

If anyone has experimented and got this right, please let me know. It would also be great to get an update from Microsoft as well.

Thanks,

Chris
Post #: 1
RE: Microsoft's suggested Activesync HTTP filter does n... - 20.Sep.2006 5:05:29 AM   
tshinder

 

Posts: 46637
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Chris,

Thanks for the kind words about the site.

I'm not clear what is blocking your ActiveSync. What type of entry in the HTTP Security Filter is blocking ActiveSync? I'm not sure what you mean by .dll (dot).

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
MVP -- ISA Firewalls

(in reply to chrisnet)
Post #: 2
RE: Microsoft's suggested Activesync HTTP filter does n... - 20.Sep.2006 5:38:10 PM   
chrisnet

 

Posts: 7
Joined: 20.Jul.2006
Status: offline 		In the HTTP filter, one of the tabs is Extensions. You can either Allow all Extensions, Allow only the Following Extensions, or Deny the Following Extensions. Microsoft recommends that for RPC over HTTP, you select Allow only the Following Extensions and enter only .dll. That is the only extension needed for RPC over HTTP. That works perfectly.

In the same document (http://www.microsoft.com/technet/isa/2004/plan/httpfiltering.mspx), for Activesync, Microsoft recommends again selecting Allow only the Following Extensions, but entering only .(dot)
This does not work and all Activesync connections are then denied. Therefore, either Activesync is using additional extensions or the filter is incorrectly identifying the traffic extensions and consequently denying it.

Thanks again for the help.

(in reply to tshinder)
Post #: 3
RE: Microsoft's suggested Activesync HTTP filter does n... - 21.Sep.2006 2:28:55 PM   
tshinder

 

Posts: 46637
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Chris,

OK, I get it.

Try the OMA settings and see if those work.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
MVP -- ISA Firewalls

(in reply to chrisnet)
Post #: 4
RE: Microsoft's suggested Activesync HTTP filter does n... - 21.Sep.2006 4:16:36 PM   
chrisnet

 

Posts: 7
Joined: 20.Jul.2006
Status: offline 		That's pretty much what I did and its OK.

If you ever hear of anything more specific to Activesync (I know you would know first) then please also let the community know.

Thanks for your responses and again for the site. Your articles were critical in choosing and setting up ISA and I am really glad that we did.

Chris

(in reply to tshinder)
Post #: 5
RE: Microsoft's suggested Activesync HTTP filter does n... - 23.Sep.2006 5:21:37 PM   
tshinder

 

Posts: 46637
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Chris,

Thanks! I'm glad that it working and I'll follow up on this and see if there's any new info on ActiveSync.

Tom

_____________________________

Thomas W Shinder, M.D.
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
MVP -- ISA Firewalls

(in reply to chrisnet)
Post #: 6
RE: Microsoft's suggested Activesync HTTP filter does n... - 28.Sep.2006 1:04:28 AM   
Jason Jones

 

Posts: 1579
Joined: 30.Jul.2002
From: United Kingdom
Status: offline 		I have used the MS recommendations with great success for ActiveSync - check here: http://www.microsoft.com/technet/isa/2004/plan/firewall-exchange2003.mspx

The only issue with these settings is that they block Windows Mobile 5.0 clients unless you disable to "block executables" part of the HTTP filter for your ActiveSync rule. Windows Mobile 2003 seems unaffected by by this settings, but v5.0 does.

HTH

JJ

_____________________________

Jason Jones
Silversands Ltd
http://www.silversands.co.uk
View My Blog: http://blog.msfirewall.org.uk/

Get Our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to tshinder)
Post #: 7
RE: Microsoft's suggested Activesync HTTP filter does n... - 28.Sep.2006 5:20:02 PM   
tshinder

 

Posts: 46637
Joined: 10.Jan.2001
From: Texas
Status: offline 		Hi Jason,

Nice tip!
Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
MVP -- ISA Firewalls

(in reply to Jason Jones)
Post #: 8
RE: Microsoft's suggested Activesync HTTP filter does n... - 29.Sep.2006 12:06:47 AM   
Jason Jones

 

Posts: 1579
Joined: 30.Jul.2002
From: United Kingdom
Status: offline 		Still need to define a good baseline HTTP filter for Sharepoint....

_____________________________

Jason Jones
Silversands Ltd
http://www.silversands.co.uk
View My Blog: http://blog.msfirewall.org.uk/

Get Our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to tshinder)
Post #: 9

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Firewall] >> HTTP Filtering >> Microsoft's suggested Activesync HTTP filter does not work Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts