Strange problem on ISA 2004 on Windows 2003. Have everything working well and wanted to set up an access policy that essentially denies audio/video content during working hours. Create the rule to deny traffic for HTTP, applied to all users, internal etc., and checked apply to audio/video groups on the content types tab so as won't deny non audio/video content. It works as advertised blocking access and redirecting requests to company website.
However it also is denying access to many sites that have no audio/video content whatsoever. Many of the denies seem to happen on .asp pages. I disable the rule and all is normal and those sites are available. Kind of out of ideas and this was exactly what we had working great in ISA 2000 and would definitely like to have working again. Is there a different/better way?
You can check the MIME types and file extensions for those pages and compare them with the AV group you're using. You have to depend on the MIME types supplied by the Web masters, and you know how that goes.
RE: strange problem re: restrict certain HTTP content - 16.Aug.2004 7:02:00 PM
Guest
Hi Chris!
Finally, I was hoping I'm not alone with it. I confirm the problem. I have exactly the same situation. I block Audio/Video content, but it doesn't work ok, because it blocks many .asp and other pages. I simply get strange blank web pages!
I noticed that no matter what content I try to block, Audio, Video or any other explicitly specified content, it also affects the other pages!
I think it is a serious bug. I've been trying to work around it... no luck.
However, I came up with a trend. That is, if you choose any specific target instead of External. Here we go, it works by the book!
I tried to raise the question on MS newsgroups. Well, practically nobody gave any thoughts on this subject.
Honestly, I'm pissed off! Because it worked perfectly in ISA 2000. It drives me crazy. Since I migrated to ISA 2004 I feel helpless, I cannot control any content type at all. It affects other access rules!
Glad to see I am not the only one and thanks for the follow-up Tom!
pretty much just a simple deny access rule...
NAME: DENY Audio/Video
ACTION: Deny
PROTOCOLS: HTTP
REDIRECT: To company website
FROM/LISTENER: Internal
TO: External
CONDITIONS: All users
CONTENT TYPES: Audio and Video checked
SCHEDULE: enable 6am-6pm M-F
I am not sure which content is problematic but now I am certain it is happening on all .asp pages. Frequently occurs at pages that require a login, hotmail, etc...
If you want more specific rule info I could export and post...
Thanks for that, Tom. Our rule when configured does that as well. The problem is the unintended consequences of that exact same rule. Hard for me to give you a site to run it against as the ones I know of are all sites with .asp pages used by our company that you need a logon for. One example is in MSN Hotmail when you get into your mailbox and try to move a message to another folder you get a blank page with "done" at the bottom. Disable the rule and it works fine. All the problem pages just give that blank page with "done" at the bottom. Disable the rule all is fine. Making exceptions for the web servers trying to access also works as well.
Real time monitoring and logs don't tell me much and don't understand what is different now than ISA2000?
It seems that those strange blank web pages only appear on .asp/.aspx web forms that use HTTP POST Method or/and when the hosting web server returns HTTP Status 302.
I agree/confirm Stanley's posting. Anyone have any ideas? Is it possible to contact MS PPS without incurring the $250 support fee? Seems like a significant issue with these content groups not working.
RE: strange problem re: restrict certain HTTP content - 14.Sep.2004 10:46:00 AM
Guest
I'm also getting this same problem.
I have an access rule that applies to a single group of users. This allows those users to access websites through a proxy.
Instead of creating a deny rule for multimedia types, I only allow the content types that I want users to access.
If the Audio or Video types are not allowed (unchecked) then sites such as hotmail fail. I actually get an access denied page from the server, although it is in plain text, unlike the normal denied messages.
Like the other users with this problem, the logs aren't too helpful in pointing to the cause.
I started a thread on this same problem, http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=20;t=000856. I have had no success fixing this, and it doesn't seem to matter what type of content you deny or to what destination. I tried denying only macro content and I tried using a domain set with *.com in it; neither changed the outcome. I do not think the problem lies with the 'External' network but with Content Type filtering. The content you are trying to block is indeed blocked, but the problem is, as stated repeatedly here, the unintended consequences. Another URL to use as an example is http://it.pcconnection.com/Webcontent/Home/Business/default.htm.
I do not find the thread you started on this topic. I am interested in this topic as this is a problem for us. Cannot do any content filtering without losing the .asp pages.
I have been struggling with this problem and it is not just Audio or Video content filtering that blocks the .asp pages. Any content filter applied will cause certain .asp pages to return blank.
My only successful workaround has been to create a URL set in the Network Objects that includes the sites my users are unable to load. When creating the content filter I then deny the External destination but add as an exception the URL set. The pages then load fine.
That's actually a good idea using the exceptions section, Mark. The only thing is, I'm guessing the list of exceptions will get rather long, and it will be painful for the users until the sites they use are added.
Having exactly the same problem here, taking the same tack as David above. We are trying to deny all content except for an allowed list, but some sites were just loading blank.
Having found this post, I've checked the logs and it's definitely ASP pages with posted information. The logs show that ISA closes the connection immediately after this page is submitted.
Our workaround has been to add a temporary rule granting unfiltered access to problem sites.
Does anyone have any further news on when ISA SP1 will be released?
I've followed the recommendations in this thread, but am still finding intermittent problems with ASP pages. Several users have reported blank pages appearing, despite a rule on our server bypassing content filtering for the sites they were accessing.
I have checked the logs and ISA is definitely applying the correct rule for these sites. I have a domain name set and a URL set which I use to apply this rule. Other than that restriction, the rule applies to all outbound traffic, for all users from the internal network.
In testing today, I have found the problem strangely intermittent. One particular site failed to work six or seven times in a row, but then started working maybe one attempt in two. After a little more testing, it now works every time without fail.
I've made no changes to the rules during this testing, I just refreshed the page and re-submitted the form data a dozen times or so to get a good sample of logs to have a look at.
My first thought was whether ISA had cached the page, but the site still works if a different query is submitted.
Does anyone have any ideas as to what I might be able to try to get around this problem? Has anyone else experienced this themselves?