Welcome to ISAserver.org
strange problem re: restrict certain HTTP content
strange problem re: restrict certain HTTP content - 13.Aug.2004 9:25:00 PM
|
|
|
cschreiner
Posts: 16
Joined: 25.Jan.2002
Status: offline
|
Hello all,
Strange problem on ISA 2004 on Windows 2003. Have everything working well and wanted to set up an access policy that essentially denies audio/video content during working hours. Created the rule to deny traffic for HTTP, applied to all users, internal etc., and checked apply to audio/video groups on the content types tab so it won't deny non-audio/video content. It works as advertised, blocking access and redirecting requests to the company website.
However, it is also denying access to many sites that have no audio/video content whatsoever. Many of the denies seem to happen on .asp pages. I disable the rule and all is normal and those sites are available. Kind of out of ideas, and this was exactly what we had working great in ISA 2000 and would definitely like to have working again. Is there a different/better way?
Thanks for the help
chris
|
|
|
|
RE: strange problem re: restrict certain HTTP content - 16.Aug.2004 7:02:00 PM
|
|
|
Guest
|
Hi Chris!
Finally, I was hoping I'm not alone with it. I confirm the problem. I have exactly the same situation. I block Audio/Video content, but it doesn't work OK, because it blocks many .asp and other pages. I simply get strange blank web pages!
I noticed that no matter what content I try to block, Audio, Video or any other explicitly specified content, it also affects the other pages!
I think it is a serious bug. I've been trying to work around it... no luck.
However, I came up with a trend. That is, if you choose any specific target instead of External, here we go, it works by the book!
I tried to raise the question on MS newsgroups. Well, practically nobody gave any thoughts on this subject.
Honestly, I'm pissed off! Because it worked perfectly in ISA 2000. It drives me crazy. Since I migrated to ISA 2004 I feel helpless, I cannot control any content type at all. It affects other access rules!
Hope MS is fixing this now... hurry up, guys!
Best, Stanley.
P.S. By the way, I used this to set the access rules http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/controllingsecureinternetaccess.mspx#XSLTsection124121120120
see subtopic "Access controlled by content type"
|
|
|
|
RE: strange problem re: restrict certain HTTP content - 16.Aug.2004 10:11:00 PM
|
|
|
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hey guys,
Can you give me some precise examples of your rules and the content that is problematic?
Thanks! Tom
|
|
|
|
RE: strange problem re: restrict certain HTTP content - 17.Aug.2004 12:56:00 AM
|
|
|
cschreiner
Posts: 16
Joined: 25.Jan.2002
Status: offline
|
Glad to see I am not the only one and thanks for the follow-up Tom!
pretty much just a simple deny access rule...
NAME: DENY Audio/Video
ACTION: Deny
PROTOCOLS: HTTP
REDIRECT: To company website
FROM/LISTENER: Internal
TO: External
CONDITIONS: All users
CONTENT TYPES: Audio and Video checked
SCHEDULE: enable 6am-6pm M-F
I am not sure which content is problematic, but now I am certain it is happening on all .asp pages. Frequently occurs at pages that require a login, Hotmail, etc...
If you want more specific rule info I could export and post...
thank you again
chris
|
|
|
|
RE: strange problem re: restrict certain HTTP content - 17.Aug.2004 3:50:00 PM
|
|
|
cschreiner
Posts: 16
Joined: 25.Jan.2002
Status: offline
|
Thanks for that, Tom. Our rule when configured does that as well. The problem is the unintended consequences of that exact same rule. Hard for me to give you a site to run it against, as the ones I know of are all sites with .asp pages used by our company that you need a logon for. One example is in MSN Hotmail: when you get into your mailbox and try to move a message to another folder, you get a blank page with "done" at the bottom. Disable the rule and it works fine. All the problem pages just give that blank page with "done" at the bottom. Disable the rule and all is fine. Making exceptions for the web servers trying to access also works as well.
Real-time monitoring and logs don't tell me much, and I don't understand what is different now than ISA 2000?
Thanks again all
chris
|
|
|
|
RE: strange problem re: restrict certain HTTP content - 17.Aug.2004 4:35:00 PM
|
|
|
StanleyK82
Posts: 4
Joined: 16.Aug.2004
From: Cincinnati, OH
Status: offline
|
Hi Tom,
I again confirm the exact behaviour Chris described. Chris gave you a very good example, just try to open an MSN Hotmail mailbox.
Instead of mailboxes we see only blank web pages. Chris, Tom, I do confirm it.
Additionally, I used the ISA realtime monitor - "ISA Server Management" -> "Monitoring" -> "Logging". The monitor filter definitions I set included "Action" -> "Contains" -> "Denied Connection".
And I noticed that the Audio/Video deny rule I created also blocks pages that do not contain any of the material the deny rule should be blocking.
Nonsense!
My guess is that the bug is in either the built-in "External" network object or in the Content control module itself.
Best, Stanley. [ August 17, 2004, 04:43 PM: Message edited by: StanleyK ]
|
|
|
|
RE: strange problem re: restrict certain HTTP content - 17.Aug.2004 6:12:00 PM
|
|
|
StanleyK82
Posts: 4
Joined: 16.Aug.2004
From: Cincinnati, OH
Status: offline
|
Late addition:
It seems that those strange blank web pages only appear on .asp/.aspx web forms that use HTTP POST Method or/and when the hosting web server returns HTTP Status 302.
Thanks, Stanley.
|
|
|
|
RE: strange problem re: restrict certain HTTP content - 23.Aug.2004 5:24:00 PM
|
|
|
cschreiner
Posts: 16
Joined: 25.Jan.2002
Status: offline
|
I agree/confirm Stanley's posting. Anyone have any ideas? Is it possible to contact MS PPS without incurring the $250 support fee? Seems like a significant issue with these content groups not working.
Thanks for the help
chris
|
|
|
|
RE: strange problem re: restrict certain HTTP content - 24.Aug.2004 1:24:00 PM
|
|
|
tshinder
Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hey guys,
Can you give me another example? I am *not* seeing this problem with Hotmail from my testing using the rules I describe at http://www.msfirewall.org/testing/contentcontrol.htm
I assume that you are using the Web Proxy and Firewall client configs, and that the Web Proxy clients are configured to use the autoconfig script?
If not, fix those issues and try it again. Works *perfectly* for me.
If you can give me more examples of something that I can access to test, I will.
Thanks! Tom
|
|
|
|
RE: strange problem re: restrict certain HTTP content - 14.Sep.2004 10:46:00 AM
|
|
|
Guest
|
I'm also getting this same problem.
I have an access rule that applies to a single group of users. This allows those users to access websites through a proxy.
Instead of creating a deny rule for multimedia types, I only allow the content types that I want users to access.
If the Audio or Video types are not allowed (unchecked) then sites such as Hotmail fail. I actually get an access denied page from the server, although it is in plain text, unlike the normal denied messages.
Like the other users with this problem, the logs aren't too helpful in pointing to the cause.
|
|
|
|
RE: strange problem re: restrict certain HTTP content - 2.Dec.2004 7:53:00 PM
|
|
|
rbosley
Posts: 4
Joined: 2.Dec.2004
From: Tampa, FL
Status: offline
|
Called Microsoft, it is a known problem and will be fixed in SP1 for ISA 2004.
Disabling content filtering rules is the only workaround.
|
|
|
|
RE: strange problem re: restrict certain HTTP content - 23.Dec.2004 8:51:00 AM
|
|
|
udo.moritz@swica.ch
Posts: 2
Joined: 9.Nov.2004
Status: offline
|
Hi everybody
Any idea when SP1 for ISA2004 will be available?
Thanks in advance
Udo
|
|
|
|
RE: strange problem re: restrict certain HTTP content - 2.Jan.2005 10:36:00 PM
|
|
|
jte369
Posts: 5
Joined: 12.Dec.2004
Status: offline
|
I started a thread on this same problem, http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=20;t=000856. I have had no success fixing this, and it doesn't seem to matter what type of content you deny or to what destination. I tried denying only macro content and I tried using a domain set with *.com in it; neither changed the outcome. I do not think the problem lies with the 'External' network but with Content Type filtering. The content you are trying to block is indeed blocked, but the problem is, as stated repeatedly here, the unintended consequences. Another URL to use as an example is http://it.pcconnection.com/Webcontent/Home/Business/default.htm.
|
|
|
|
RE: strange problem re: restrict certain HTTP content - 18.Jan.2005 3:18:00 AM
|
|
|
mganser
Posts: 4
Joined: 5.Jan.2005
Status: offline
|
jte369,
I do not find the thread you started on this topic. I am interested in this topic as this is a problem for us. Can not do any content filtering without losing the .asp pages.
|
|
|
|
RE: strange problem re: restrict certain HTTP content - 18.Jan.2005 3:56:00 AM
|
|
|
mganser
Posts: 4
Joined: 5.Jan.2005
Status: offline
|
I have been struggling with this problem and it is not just Audio or Video content filtering that blocks the .asp pages. Any content filter applied will cause certain .asp pages to return blank.
My only successful workaround has been to create a URL set in the Network Objects that includes the sites my users are unable to load. When creating the content filter I then deny the External destination but add the URL set as an exception. The pages then load fine.
You may want to use wildcards to minimize entries in the URL set, such as http://*.selftestsoftware.*
|
|
|
|
RE: strange problem re: restrict certain HTTP content - 20.Jan.2005 11:29:00 PM
|
|
|
jte369
Posts: 5
Joined: 12.Dec.2004
Status: offline
|
That's actually a good idea using the exceptions section, Mark. The only thing is, I'm guessing the list of exceptions will get rather long, and it will be painful for the users until the sites they use are added.
|
|
|
|
RE: strange problem re: restrict certain HTTP content - 24.Jan.2005 1:08:00 PM
|
|
|
myxiplx
Posts: 132
Joined: 16.Mar.2001
Status: offline
|
Having exactly the same problem here, taking the same tack as David above. We are trying to deny all content except for an allowed list, but some sites were just loading blank.
Having found this post, I've checked the logs and it's definitely ASP pages with posted information. The logs show that ISA closes the connection immediately after this page is submitted.
Our workaround has been to add a temporary rule granting unfiltered access to problem sites.
Does anyone have any further news on when ISA SP1 will be released?
Ross
|
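A log-triage sketch for the URL-set workaround discussed in this thread, added here as an example and not code from any poster or from Microsoft: it picks out requests denied by the content-type rule whose logged MIME type is not audio/video, then lists the hosts that the exception URL set does not cover yet. The column layout, the sample records and the glob-style URL matching are assumptions; the rule name and the `http://*.selftestsoftware.*` pattern are taken from the posts above.

```python
import csv
import io
from collections import Counter
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample records (not real ISA log output). The column layout is an
# assumption for this example; map it to the fields in your own log export.
SAMPLE_LOG = """\
method\turl\tmime\trule\taction
GET\thttp://media.example.net/clip.wmv\tvideo/x-ms-wmv\tDENY Audio/Video\tDenied
POST\thttp://mail.example.com/cgi-bin/move.asp\t-\tDENY Audio/Video\tDenied
POST\thttp://www.selftestsoftware.com/login.asp\t-\tDENY Audio/Video\tDenied
GET\thttp://intranet.example.org/report.aspx\ttext/html\tDENY Audio/Video\tDenied
POST\thttp://mail.example.com/cgi-bin/send.asp\t-\tDENY Audio/Video\tDenied
GET\thttp://www.example.com/index.htm\ttext/html\tAllow Web\tAllowed
"""

RULE_NAME = "DENY Audio/Video"              # rule name as posted in the thread
BLOCKED_PREFIXES = ("audio/", "video/")     # what the rule is meant to stop
URL_SET = ["http://*.selftestsoftware.*"]   # exception pattern from the thread


def covered(url, patterns):
    """Glob-style approximation of a URL-set match; not ISA's own matcher."""
    return any(fnmatchcase(url.lower(), p.lower()) for p in patterns)


def unintended_denials(log_text, rule=RULE_NAME):
    """Rows denied by `rule` whose logged MIME type is not audio/video."""
    rows = csv.DictReader(io.StringIO(log_text), delimiter="\t")
    return [r for r in rows
            if r["rule"] == rule and r["action"] == "Denied"
            and not r["mime"].lower().startswith(BLOCKED_PREFIXES)]


def exception_candidates(log_text, url_set=URL_SET):
    """Count unintended denials per (host, method) not yet in the URL set."""
    hits = Counter()
    for r in unintended_denials(log_text):
        if not covered(r["url"], url_set):
            hits[(urlsplit(r["url"]).hostname, r["method"])] += 1
    return hits


if __name__ == "__main__":
    for (host, method), n in exception_candidates(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {method:4s}  {host}")
```

Sorting by count puts the sites users hit most often at the top, which is the order in which to review them for the exception list.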
|
|
|
RE: strange problem re: restrict certain HTTP content - 31.Jan.2005 11:35:00 AM
|
|
|
myxiplx
Posts: 132
Joined: 16.Mar.2001
Status: offline
|
I've followed the recommendations in this thread, but am still finding intermittent problems with ASP pages. Several users have reported blank pages appearing, despite a rule on our server bypassing content filtering for the sites they were accessing.
I have checked the logs and ISA is definitely applying the correct rule for these sites. I have a domain name set and a URL set which I use to apply this rule. Other than that restriction, the rule applies to all outbound traffic, for all users from the internal network.
In testing today, I have found the problem strangely intermittent. One particular site failed to work six or seven times in a row, but then started working maybe one attempt in two. After a little more testing, it now works every time without fail.
I've made no changes to the rules during this testing, I just refreshed the page and re-submitted the form data a dozen times or so to get a good sample of logs to have a look at.
My first thought was whether ISA had cached the page, but the site still works if a different query is submitted.
Does anyone have any ideas as to what I might be able to try to get around this problem? Has anyone else experienced this themselves?
thanks,
Ross
|
|
|
|