PKI Web traffic (Full Version)

All Forums >> [ISA 2006 Firewall] >> HTTP Filtering


Doc Dish -> PKI Web traffic (15.Nov.2011 8:14:10 AM)

Hi, we use a single-homed ISA 2006 server as a Web Proxy through which most Web traffic is only permitted if the user authenticates (MS Integrated authentication) and the user's account is in a certain group.

We had a situation whereby some accounts not in the Web access group needed to download certificate revocation lists from Verisign or root certificate updates from Windows Update, so I created a rule above the 'general' Web access rule that permitted unauthenticated HTTP traffic to 'http://**', 'http://**' and 'http://**' and used the HTTP policy to restrict this rule to only permit certain extensions (.cab, .cer, .crl, .crt & .txt).

Unfortunately this rule dropped all traffic from the URL set that didn't have one of the listed extensions. I removed the file extensions from the HTTP policy and added them to a custom 'Content Types' set and restricted the rule to that instead.

If I view the logs for traffic being passed by this rule, I see connections being allowed for traffic that I don't think should be. Could anyone suggest why this might be? An example is given below.

Allowed Connection
Log type: Web Proxy (Forward) 
Status: 204 No Content 
Rule: PKI downloads 
Source: Internal (IP address)
Destination: Internal ( 
Request: GET 
Filter information: Req ID: 1d2ee969; Compression: client=No, server=No, compress rate=0% decompress rate=0% 
Protocol: http 
User: anonymous 
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x40040000 (Response includes the CACHE-CONTROL: NO-CACHE or PRAGMA: NO-CACHE header. Response should not be cached.)
Processing time: 93
MIME type:
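An added example, not part of the original post: a small audit over constructed ISA Web Proxy log viewer entries that lists every connection allowed by the "PKI downloads" rule whose response carries a MIME type outside the intended set, or none at all (as in the 204 No Content entry above), so such entries can be found across a whole log rather than one at a time. The entry layout, hosts, addresses and the allowed MIME set are assumptions, not values from the original post.

```python
import re

# Constructed sample in the "Field: value" layout the ISA log viewer shows;
# not a real capture. The first entry mirrors the one quoted in the post.
SAMPLE_LOG = """\
Status: 204 No Content
Rule: PKI downloads
Source: Internal (10.0.0.5)
Request: GET http://crl.example.test/ping
MIME type:

Status: 200 OK
Rule: PKI downloads
Source: Internal (10.0.0.6)
Request: GET http://crl.example.test/latest.crl
MIME type: application/pkix-crl

Status: 200 OK
Rule: PKI downloads
Source: Internal (10.0.0.7)
Request: GET http://update.example.test/index.html
MIME type: text/html
"""

# Assumed content types for the extensions the post lists (.cab .cer .crl .crt .txt)
ALLOWED_MIME = {"application/pkix-crl", "application/pkix-cert",
                "application/x-x509-ca-cert", "application/vnd.ms-cab-compressed",
                "text/plain"}

def parse_entries(text):
    """Split viewer-style text into dicts, one per blank-line-separated entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")   # first colon ends the field name
            entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries

def suspicious(entries, rule="PKI downloads"):
    """Return (source, request, reason) for allowed entries the rule should not pass."""
    flagged = []
    for e in entries:
        if e.get("Rule") != rule:
            continue
        mime = e.get("MIME type", "")
        status = e.get("Status", "").split(" ", 1)[0] or "?"
        if not mime:                       # bodiless reply: nothing for a type check
            reason = "no MIME type in response (status %s)" % status
        elif mime not in ALLOWED_MIME:
            reason = "unexpected MIME type %s" % mime
        else:
            continue
        flagged.append((e.get("Source", "?"), e.get("Request", "?"), reason))
    return flagged
```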
