Microsoft's suggested Activesync HTTP filter does not work

Microsoft's suggested Activesync HTTP filter does not work (Full Version)

All Forums >> [ISA 2006 Firewall] >> HTTP Filtering

Message

chrisnet -> Microsoft's suggested Activesync HTTP filter does not work (19.Sep.2006 9:50:38 PM)
Great site Tom. Definitely the place to go for ISA education. I found a problem with the HTTP filter related to Activesync in particular. I only found one other user on the internet who also asked this question but for ISA 2004 so the problem may have been around for a while. I have one listener and web publishing rule setup for RPC over HTTP/Activesync. I wanted to turn on the HTTP filter for these two services. I did so according to Microsoft's suggestions: http://www.microsoft.com/technet/isa/2004/plan/httpfiltering.mspx There is a chart there with the HTTP filtering settings for Exchange services, including Activesync and RPC over HTTP. According to these suggestions, you can deny all extensions except .dll for RPC over HTTP and .(dot) for Activesync. The suggestion for RPC over HTTP does work. You can limit to just the .dll extension and everything is fine. However, allowing only the additional .(dot) does not result in Activesync working. You will get a "Denied Connection" in the log for all Activesync attempts. Removing the extension restrictions causes Activesync to function normally. Therefore, for now, instead of limiting to just .dll and .(dot), I am blocking most other extensions. However, I would definitely like to know the exact correct extensions that Activesync uses so I can explicitly limit to just .dll and whatever Activesync needs. If anyone has experimented and got this right, please let me know. It would also be great to get an update from Microsoft as well. Thanks, Chris

tshinder -> RE: Microsoft's suggested Activesync HTTP filter does not work (20.Sep.2006 5:05:29 AM)
Hi Chris, Thanks for the kind words about the site. [:)] I'm not clear what is blocking your ActiveSync. What type of entry in the HTTP Security Filter is blocking ActiveSync? I'm not sure what you mean by .dll (dot). Thanks! Tom

chrisnet -> RE: Microsoft's suggested Activesync HTTP filter does not work (20.Sep.2006 5:38:10 PM)
In the HTTP filter, one of the tabs is Extensions. You can either Allow all Extensions, Allow only the Following Extensions, or Deny the Following Extensions. Microsoft recommends that for RPC over HTTP, you select Allow only the Following Extensions and enter only .dll. That is the only extension needed for RPC over HTTP. That works perfectly. In the same document (http://www.microsoft.com/technet/isa/2004/plan/httpfiltering.mspx), for Activesync, Microsoft recommends again selecting Allow only the Following Extensions, but entering only .(dot) This does not work and all Activesync connections are then denied. Therefore, either Activesync is using additional extensions or the filter is incorrectly identifying the traffic extensions and consequently denying it. Thanks again for the help.

tshinder -> RE: Microsoft's suggested Activesync HTTP filter does not work (21.Sep.2006 2:28:55 PM)
Hi Chris, OK, I get it. Try the OMA settings and see if those work. Thanks! Tom

chrisnet -> RE: Microsoft's suggested Activesync HTTP filter does not work (21.Sep.2006 4:16:36 PM)
That's pretty much what I did and its OK. If you ever hear of anything more specific to Activesync (I know you would know first) then please also let the community know. Thanks for your responses and again for the site. Your articles were critical in choosing and setting up ISA and I am really glad that we did. Chris

tshinder -> RE: Microsoft's suggested Activesync HTTP filter does not work (23.Sep.2006 5:21:37 PM)
Hi Chris, Thanks! I'm glad that it working and I'll follow up on this and see if there's any new info on ActiveSync. Tom

Jason Jones -> RE: Microsoft's suggested Activesync HTTP filter does not work (28.Sep.2006 1:04:28 AM)
I have used the MS recommendations with great success for ActiveSync - check here: http://www.microsoft.com/technet/isa/2004/plan/firewall-exchange2003.mspx The only issue with these settings is that they block Windows Mobile 5.0 clients unless you disable to "block executables" part of the HTTP filter for your ActiveSync rule. Windows Mobile 2003 seems unaffected by by this settings, but v5.0 does. HTH JJ

tshinder -> RE: Microsoft's suggested Activesync HTTP filter does not work (28.Sep.2006 5:20:02 PM)
Hi Jason, Nice tip! Thanks! Tom

Jason Jones -> RE: Microsoft's suggested Activesync HTTP filter does not work (29.Sep.2006 12:06:47 AM)
Still need to define a good baseline HTTP filter for Sharepoint....

Page: [1]