• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Fix for the 12217 error

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> HTTP Filtering >> Fix for the 12217 error Page: [1]
Login
Message << Older Topic   Newer Topic >>
Fix for the 12217 error - 9.Aug.2005 4:31:00 PM   
tjcarst

 

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
I don't know if this will resolve anyone else's 12217 errors, but I though I'd share my resolution as it's been a problem for many months.

When trying to access this site:

http://www.microsoft.com/windowsmobile/downloads/as-dl38.mspx?submit1=I+Accept+%3E%3E

I'd receive this error:

Network Access Message: The page cannot be displayed

Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

Try the following:

- Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
-Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
-Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.
-If you are still not able to view the requested page, try contacting your administrator or Helpdesk

Technical Information (for support personnel)
Error Code: 502 Proxy Error. The request was rejected by the HTTP filter. Contact your ISA Server administrator. (12217)
IP Address: 172.16.0.3
Date: 8/9/2005 8:27:06 PM
Server: ISA-03.madonna.local
Source: web filter

To fix:

On the HTTP Filter, I deselected the following signatures. (I downloaded the scripts to create this from isaserver.org.)

Name: ScriptInject1
Description: Blocks 'StartOfTag left parentheses<right parentheses' in Request URLs
Search In: Request URL
Signature: <

Name: ScriptInject2
Description: Blocks 'EndOfTag left parentheses>rightparentheses' in Request URLs
Search In: Request URL
Signature: >

Note in the above script I used the word left parentheses for ( and right parentheses for ) as the combination is blocked on this site.

I can now access the site without the 12217 error.

tjcarst
Post #: 1
RE: Fix for the 12217 error - 16.Aug.2005 8:14:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi TJ,

Yes, but that will now open you up to the download.ject exploit.

MS made a bad mistake coding that site. Make sure to re-enable the rule.

HTH,
Tom

(in reply to tjcarst)
Post #: 2
RE: Fix for the 12217 error - 13.Dec.2005 7:35:12 PM   
tjcarst

 

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
Upper management doesn't care about the exposure, they just want to get to the site.

I experience 12217 errors on a daily basis.  Here's one that just 5 minutes ago brought up this error:  http://www.kernel.org/pub/linux/kernel/v2.6/patch-2.6.14.3.bz2

This is very frustrating.  I keep hoping it is something I've configured incorrectly and not something inherently wrong with ISA.  I do not believe I will be able to justify keeping ISA, the usual fix is to send users directly out through a WatchGuard firewall.  I want to make this impossible in the future by making all traffic go out through ISA and removing the WG from the trusted network, but there are too many business-critical applications that I cannot get to work through ISA 2004.

Any assistance with this error would be greatly appreciated.

(in reply to tjcarst)
Post #: 3
RE: Fix for the 12217 error - 14.Jun.2006 8:24:35 AM   
ThatOtherGuy

 

Posts: 43
Joined: 30.Mar.2006
Status: offline
I feel the same way at the moment. But I'm willing to upgrade to isa 2006 if it's released soon and if it will resolve the issues. This has probably been my worst issue. The site I can't access is www.adventist.org

(in reply to tjcarst)
Post #: 4
RE: Fix for the 12217 error - 13.Jul.2006 11:35:51 AM   
jamie.lynch

 

Posts: 6
Joined: 13.Jul.2006
Status: offline
Hi,

I have a similar problem with ISA 2004.  When I try to access http://www.theodoregray.com/PeriodicTable/Stories/011.2/index.html I get an error message from the proxy;

Error Code: 502 Proxy Error. The request was rejected by the HTTP filter. Contact your ISA Server administrator. (12217) IP Address: 192.168.54.2 Date: 13/07/2006 09:17:55 Server: svr-proxy.curric.local Source: web filter
I do have signatures to be blocked (such as script inject etc.) installed on the http filter and I have subsequently un-checked all of these, but still no joy! I have made sure that the rule blocking this page is the web filter rule by checking the monitoring filter.

ISA is really great most of the time, but its these silly errors that really get up my nose.  Can anybody help me with this error?

The other alternative i suppose is to un-install all signatures and see whether that works, but then again I can't see what signature would block the above URL?  I could also try deleting and creating a new rule and see whether that would make it work?

I will update you all if either of the above works or not.

J

(in reply to ThatOtherGuy)
Post #: 5
RE: Fix for the 12217 error - 13.Jul.2006 11:58:41 AM   
jamie.lynch

 

Posts: 6
Joined: 13.Jul.2006
Status: offline
Hello all with the 12217 error,

I think I have solved it although I think that this may be a bug associated with ISA 2004.

I created a new web access rule with a new web filter, but no blocked signatures added and I could access the website.  I then added the header signature block rules one by one, everytime accessing the website and checking to see whether I could find a problematic signature, but after adding all the signatures as in the previous rule it still worked.

So my solution to this problem (because it worked for me) is to create a new firewall rule for HTTP, HTTPS protocol, call the rule 'web filter rule' .  Add it to the list of rules in the firewall policy above the old web filter rule you are having problems with just to make sure it hits the new rule rather than the old one.  Then check to see whether you are hitting this access rule by using the monitoring section of isa.  If you are and the website works, then add the signatures one by one (check them individually, just incase one of the signatures is in-advertantly blocking a site when it shouldn't).

Hopefully this should solve your problem if you are experiencing the same irrating problem I have faced.

J

(in reply to jamie.lynch)
Post #: 6
RE: Fix for the 12217 error - 26.Sep.2006 8:10:38 PM   
rjohnson

 

Posts: 7
Joined: 1.Mar.2006
Status: offline
I can confirm this also is true in ISA 2006. After adding VML filters (thanks MS - full sarcasm implied) I found that some sites were blocked from downloading .gz files. Added new rule as suggested by Jamie Lynch above and now it works again. Thanks for the tip!


(in reply to jamie.lynch)
Post #: 7
RE: Fix for the 12217 error - 14.Aug.2007 6:40:53 PM   
tim@sfbaylink.com

 

Posts: 1
Joined: 14.Aug.2007
Status: offline
Hi Tom,

I am having this same problem trying to place bids on ebay. getting ebay to recognize this problem is going to be lots of fun.

_____________________________

Tim Carney, SBSC

(in reply to tshinder)
Post #: 8
RE: Fix for the 12217 error - 3.Oct.2007 1:56:27 PM   
moreauer

 

Posts: 18
Joined: 13.Jun.2007
Status: offline
Hi everyone, hope this helps...

I'm from Quebec city so I speak french and we have letters with accent

I had the same problems with a published site with this caracter "" (a with grave accent).

I have ISA 2006.

I found out this KB 837865 from microsoft...

WORKAROUND
loadTOCNode(1, 'workaround');

To work around this issue, configure the Web publishing rule so that it does not block high-bit characters. To do this, follow these steps:



1.
Start the ISA Server Management tool.

2.
Expand ServerName, where ServerName is the name of your ISA Server computer.

3.
Click Firewall Policy, click the Web publishing rule that you created to publish the Exchange Server computer for access by OWA users, and then click Edit Selected Rule.

4.
Click the Traffic tab, click Filtering, and then click Configure HTTP.

5.
Click to clear the Block high-bit characters check box, and then click OK two times.

6.
Click Apply to update the firewall policy, and then click OK. 
It worked for me...  Hope it works for you...

Eric

(in reply to tim@sfbaylink.com)
Post #: 9
RE: Fix for the 12217 error - 26.Mar.2008 10:52:01 AM   
lawson23

 

Posts: 20
Joined: 26.Mar.2008
Status: offline
I have one question regarding this error.  It seems that many of you are experiencing this with certain webpages.

Has anyone experienced this because of a web browser?  Basically IE works fine but if I try to use Firefox, not one page will display and I get this error.  Any ideas?

I don't want to make a change based on a certain browser so any ideas?

(in reply to tjcarst)
Post #: 10
RE: Fix for the 12217 error - 7.Jun.2011 6:37:08 AM   
R.ARtes

 

Posts: 2
Joined: 13.Apr.2011
Status: offline
I had the same problem. I discovered the resolution was to disable the tickbox for Verify Normalization in the HTTP policy rule. There were a lot of %20 characters in the URL that were affecting the rule.
Richard.

(in reply to lawson23)
Post #: 11

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> HTTP Filtering >> Fix for the 12217 error Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts