Doc Dish -> PKI Web traffic (15.Nov.2011 8:14:10 AM)
Hi, we use a single-homed ISA 2006 server as a Web Proxy through which most Web traffic is only permitted if the user authenticates (MS Integrated authentication) and the user's account is in a certain group.
We had a situation whereby some accounts not in the Web access group needed to download certificate revocation lists from Verisign or root certificate updates from Windows Update, so I created a rule above the 'general' Web access rule that permitted unauthenticated HTTP traffic to 'http://*.microsoft.com/*', 'http://*.windowsupdate.com/*' and 'http://*.verisign.com/*' and used the HTTP policy to restrict this rule to only permit certain extensions (.cab, .cer, .crl, .crt & .txt).
Unfortunately this rule dropped all traffic from the URL set that didn't have one of the listed extensions. I removed the file extensions from the HTTP policy and added them to a custom 'Content Types' set and restricted the rule to that instead.
If I view the logs for traffic being passed by this rule, I see connections being allowed for traffic that I don't think should be. Could anyone suggest why this might be? An example is given below.
Log type: Web Proxy (Forward)
Status: 204 No Content
Rule: PKI downloads
Source: Internal (IP address)
Destination: Internal (126.96.36.199:80)
Request: GET http://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=1&fmt=1&type=3&group=MapControl&name=AJAX&version=6.3.20091207154938.04&session=1321360235304&mkt=en-us&auth=Aui94xg26tf6tTtmHozD8wfoGtkl8mkMKEZW0Qb_fyNTFmjUE2W94DgoPuQ_07T2&&jsonp=LogCredCB1321361229734&
Filter information: Req ID: 1d2ee969; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x40040000 (Response includes the CACHE-CONTROL: NO-CACHE or PRAGMA: NO-CACHE header. Response should not be cached.)
Processing time: 93
MIME type:
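As an added example (not code from the poster, ISA Server, or Microsoft), the following Python re-checks the quoted log entry against the rule as described in the post: the URL set ('http://*.microsoft.com/*', 'http://*.windowsupdate.com/*', 'http://*.verisign.com/*') and the original extension list (.cab, .cer, .crl, .crt, .txt). The log excerpt is constructed from the post, the URL query string is shortened, and wildcard matching uses fnmatch-style semantics, which is an assumption; ISA's own URL-set matcher may differ.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed excerpt of the ISA Web Proxy log entry quoted in the post
# (query string shortened); not a live log.
LOG_ENTRY = """Log type: Web Proxy (Forward)
Status: 204 No Content
Rule: PKI downloads
Request: GET http://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=1&fmt=1&jsonp=LogCredCB1321361229734&
MIME type:
"""

# URL set and extension list as described in the post.
URL_SET = [
    "http://*.microsoft.com/*",
    "http://*.windowsupdate.com/*",
    "http://*.verisign.com/*",
]
ALLOWED_EXTENSIONS = {".cab", ".cer", ".crl", ".crt", ".txt"}


def parse_log(entry):
    """Split 'Key: value' lines of the log entry into a dict (empty values kept)."""
    fields = {}
    for line in entry.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def request_url(fields):
    """Return (method, url) from the 'Request' field."""
    method, _, url = fields["Request"].partition(" ")
    return method, url


def host_matches_url_set(url, url_set):
    """Match scheme, host and path separately against each wildcard pattern
    (assumed fnmatch semantics). Matching the whole URL as one string would let
    '*' span '/' and '?', so a query string containing '.microsoft.com/' could
    satisfy the pattern; component-wise matching avoids that."""
    req = urlsplit(url)
    if not req.hostname:
        return False
    for pattern in url_set:
        pat = urlsplit(pattern)
        if (req.scheme.lower() == pat.scheme.lower()
                and fnmatchcase(req.hostname.lower(), pat.hostname.lower())
                and fnmatchcase(req.path or "/", pat.path or "/")):
            return True
    return False


def path_extension(url):
    """Extension of the last path segment only ('' if none); the query is ignored."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def evaluate(entry):
    """Summarise how the logged request relates to the rule's URL set and extensions."""
    fields = parse_log(entry)
    _, url = request_url(fields)
    ext = path_extension(url)
    return {
        "status": fields.get("Status", ""),
        "url_set_match": host_matches_url_set(url, URL_SET),
        "extension": ext,
        "extension_allowed": ext in ALLOWED_EXTENSIONS,
        "mime_type": fields.get("MIME type", ""),
    }


if __name__ == "__main__":
    for key, value in evaluate(LOG_ENTRY).items():
        print(f"{key}: {value!r}")
```

Run against the quoted entry, the host is not in the URL set, the last path segment ('Log') has no extension, and the logged MIME type is empty, so neither the URL set nor the extension list explains the allow; the thing to inspect next is how the rule's Content Types restriction behaves for a response (here a 204) that carries no Content-Type header.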