We are in the process of creating HTTP Security Filter policies for our current and new applications. We need to figure out the required methods, extensions, headers, and other signatures that are specific to our applications.
Right now we are in the process of working to get an important application up and running with ISA 2004. We have run into a problem where the website works periodically and fails periodically.
In order to troubleshoot this further I made a change in logging to allow filter information to be displayed. This got me to the point where we are now showing detail in the errors, specifically "Blocked by the HTTP Security filter: URL contains an extension which is not specifically allowed". This information is helpful, but not nearly enough. We need to know exactly which extension or extensions are being blocked.
I would like to know if there is a way within ISA 2004 to see what specific extension or extensions are being blocked. We have spent an enormous amount of time and effort trying to figure this out on our own.
In the long run this is going to be a significant need. We are not only going to need to see which particular extensions are being blocked, but we will need to know what methods are needed, what headers are needed, and what signatures are missing. I truly hope there is a way to do this within ISA.
Try to allow all extensions first. Go to the Firewall Console. Configure HTTP (right-click on the web access allow rule), go to extensions and click allow all extensions on the drop box. Just try this for testing purposes. Check your URL for any extensions that might be included on the block list, e.g. *.shtml, *.shtm, etc.
I want to mention that I have already set specific extensions to be blocked. We are currently locking down each application as tight as possible. The list that is provided in the attachment you sent is one that we have already reviewed. We do not want to use the baseline. We will be doing this for each application.
We have worked with the application's representative to try to find exactly which extensions are needed for this application. The tech provided us with a traffic capture from his test site (attached) but said that he could not see any other needed extensions. Now the problem is back in our hands.
I added the following per their request:
. (this is the "no extension" designation)
The website is experiencing periodic failure and periodic success with these extensions that we have specified. If we allow all extensions then there are no problems, BUT this is not what we want. Nor do we want to use the baseline. We want it boiled down to only what it will need and use.
We need a way to lock down each application to their specific extensions. Like I said, in order to troubleshoot this further I made a change in logging to allow filter information to be displayed. This got me to the point where we are now showing detail in the errors, specifically "Blocked by the HTTP Security filter: URL contains an extension which is not specifically allowed". This information is helpful, but not nearly enough. I
Is there a way within ISA to turn on logging to show exactly which extension is blocking the website? Or do you have any other ideas of how I can determine the exact extensions, methods, etc.?
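One way to get the list the posts above are asking for is to work from the logged URL of each blocked request rather than from the filter message. The following is an added example, not part of the original thread: it assumes the log has been exported as tab-separated text with client IP, URL and filter information columns (a constructed layout), and its extension rule only approximates how the filter derives an extension.

```python
from collections import Counter
from urllib.parse import urlsplit

# Filter message quoted in the thread.
BLOCK_MSG = "URL contains an extension which is not specifically allowed"

# Constructed sample rows: client IP <TAB> URL <TAB> filter information.
SAMPLE_LOG = (
    "10.0.0.5\thttp://app.example.test/default.aspx\t-\n"
    "10.0.0.5\thttp://app.example.test/scripts/menu.js?v=2\t"
    "Blocked by the HTTP Security filter: " + BLOCK_MSG + "\n"
    "10.0.0.7\thttp://app.example.test/images/logo.GIF\t"
    "Blocked by the HTTP Security filter: " + BLOCK_MSG + "\n"
    "10.0.0.7\thttp://app.example.test/WebResource.axd?d=abc.def\t"
    "Blocked by the HTTP Security filter: " + BLOCK_MSG + "\n"
    "10.0.0.5\thttp://app.example.test/scripts/util.js\t"
    "Blocked by the HTTP Security filter: " + BLOCK_MSG + "\n"
    "malformed row without enough columns\n"
)


def url_extension(url):
    """Extension of the last path segment, lower-cased; '.' means none."""
    segment = urlsplit(url).path.rsplit("/", 1)[-1]  # query string excluded
    dot = segment.rfind(".")
    if dot == -1 or dot == len(segment) - 1:
        return "."  # same "no extension" designation used in the thread
    return segment[dot:].lower()


def blocked_extensions(log_text):
    """Count extensions of requests rejected by the extension check."""
    counts = Counter()
    for line in log_text.splitlines():
        cols = line.split("\t")
        if len(cols) < 3:
            continue  # skip rows that do not match the assumed layout
        if BLOCK_MSG in cols[2]:
            counts[url_extension(cols[1])] += 1
    return counts


def missing_from_allow_list(counts, allowed):
    """Blocked extensions that are not yet on the rule's allow list."""
    return sorted(ext for ext in counts if ext not in allowed)


if __name__ == "__main__":
    seen = blocked_extensions(SAMPLE_LOG)
    print(seen.most_common())
    print(missing_from_allow_list(seen, {".aspx", "."}))
```

Each extension it reports should be reviewed against what the application legitimately serves before it is added to the allow list.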