
Configuring IAG URL inspection settings

Applies To: Intelligent Application Gateway (IAG)

There are a number of URL inspection settings you can configure for Whale Communications Intelligent Application Gateway (IAG) 2007, including the following:

  • Methods valid for clients to use when accessing published applications. You can define a set of default methods that are applied as a group.

  • The level of enforcement for a URL set (for Web applications and browser-embedded applications).

  • The maximum size of pages sent using the POST and PUT methods, and optional blocking of negotiate authorization headers.

  • An out-of-the-box security configuration which specifies which ASCII characters may appear in URLs and in what form. This setting can be applied to a portal, an internal site, to a Web application, or to Web applications and browser-enabled applications available in a trunk.

  • Checking of global out-of-the-box rules. With this setting enabled, all out-of-the-box security rules are enforced on all relevant applications.

Specifying valid methods for URL access

Only specified valid methods are available for selection when you create a URL inspection rule. Configure valid methods as follows.

To configure valid methods

  1. In the IAG Configuration console, click the required trunk node.

  2. On the main page of the trunk properties, click Advanced Trunk Configuration. Then click the URL Inspection tab.

  3. In Valid Methods, current valid methods are displayed in the Available Methods in the System list. Predefined methods cannot be modified.

  4. If you want to add a method, type the method name into the text box in Available Methods in the System, and then click the Add button to the left side of the Available Methods in the System list. The method is added to the list of available methods.

    If you want to remove a method, select it in the list, and click the Remove button to the left side of the Available Methods in the System list.

    If you want to remove all methods except predefined methods, click the Remove All button on the left side of the Available Methods in the System list.

Configure default methods as follows.

To configure default methods

  1. In the IAG Configuration console, click the required trunk node.

  2. On the main page of the trunk properties, click Advanced Trunk Configuration. Then click the URL Inspection tab.

  3. In Methods in "DEFAULT" Group, the methods that make up the default group (the set that can be applied as a group when you create URL inspection rules) are displayed. Do one or more of the following:

    • To specify that a method should be added to the default group, select the method in Available Methods in the System, and click the Add button with the arrows to add the method to the default list.

    • To remove a method from the default list, select the method in Methods in "DEFAULT" Group, and then click Remove on the left side of the Methods in "DEFAULT" Group list.

    • To remove all default methods, click Remove All on the left side of the Methods in "DEFAULT" Group list.

Setting level of enforcement for application types

For Web and browser-embedded applications, the URL Set Level determines the level of rule enforcement for each application type, including URLs, parameters, and methods. Configure rule enforcement as follows.

To configure enforcement levels

  1. In the IAG Configuration console, click the required trunk node.

  2. On the main page of the trunk properties, click Advanced Trunk Configuration. Then click the URL Inspection tab.

  3. In URL Set Level, in Type, select the application type to which the enforcement level applies. The enforcement level is applied individually for each of the Web and browser-embedded applications enabled through the trunk.

  4. In URL Set Level Slider, move the slider to select one of the following enforcement levels:

    • Extra Fine—To specify high granularity with strict enforcement of specific URLs, parameters and methods. This may cause errors requiring manual changes to the rule set in some environments.

    • Fine—To specify strong enforcement of URLs, parameters and methods.

    • Medium—To specify flexible enforcement that is not bound to highly specific parameters.

    • Rough—To specify very basic rule enforcement with minimal risk of rule-set violations.

Configuring general URL inspection settings

There are a number of general URL inspection options you can configure, as follows.

To configure general URL inspection settings

  1. In the IAG Configuration console, click the relevant trunk node.

  2. On the main page of the trunk properties, click Advanced Trunk Configuration. Then click the URL Inspection tab.

  3. In General Options, select Max Post/Put Data to set the maximum size of pages that can be sent using the POST or PUT methods (in bytes). The default setting is -1, indicating that the size of data is unlimited and not checked. If you enter a positive value and the size of a page exceeds this value, the request is denied, and the error messages URL is sent in reply.

  4. To specify that IAG blocks all headers beginning with authorization:negotiate, select Block "Negotiate" Authorization Header. A negotiate authorization header sent by clients may contain malformed code, which can cause denial of service and browser crashes. The vulnerability was announced in Microsoft Security Bulletin MS04-011.

Setting the out-of-the-box security configuration

Set out-of-the-box security configuration settings to define which ASCII characters may appear in URLs and in what form. Settings can be applied individually for a portal, an internal site, and for Web and browser-embedded applications, or they can be applied globally. Note the following:

  • Legal characters may appear in the URL as is (in both encoded and unencoded forms). If a character does not appear in the list of legal characters or in the list of characters that cannot appear in an encoded form, it is not allowed in the URL in any form.

  • Characters that do not appear in the list of legal characters are only allowed to appear in the URL in an encoded form.

  • Characters in the Forbid Encoding of list may not appear in the URL in an encoded form.

The default definitions vary according to the application type. Configure settings as follows.

To configure out-of-the-box security configuration settings

  1. In the IAG Configuration console, click the required trunk node.

  2. On the main page of the trunk properties, click Advanced Trunk Configuration. Then click the URL Inspection tab.

  3. In Out-Of-The-Box Security Configuration, select the application type, and then click Edit.

  4. In the Out-Of-The-Box Settings dialog box, configure the settings for the application type.

  5. In Legal Characters, specify the characters that are allowed in the URL as is. If you want the filter to inspect encoded characters, do not include the character "%" in the list. This character is used as a prefix for encoded characters.

  6. In Forbid Encoding Of, specify characters that are not allowed in the URL in an encoded form.

  7. To specify that NULL characters cannot appear in an encoded form, select Forbidden characters include NULL.

  8. To enable the use of %u encoding in URLs and parameters, select Enable Microsoft %u encoding. This specifies that the filter decodes and inspects characters that are encoded by using the %u encoding method in requests, URLs, and parameters. Note that in order to support encoding, the character "%" cannot appear in the Legal Characters list. Note that escaped encoding ("%" hex hex) is enabled by default.
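As an added illustration, not IAG's own code, the following Python models how the Legal Characters, Forbid Encoding Of, Forbidden characters include NULL, and Enable Microsoft %u encoding settings combine to accept or reject a URL. The sample policy (LEGAL, FORBID_ENCODING) and the way the rules are combined are assumptions, not IAG defaults: a raw character must be in Legal Characters, a character in Forbid Encoding Of is rejected in encoded form, so a character that is in neither list, or in Forbid Encoding Of only, is rejected in any form.

```python
import re
import string

# Constructed sample policy (not IAG defaults): characters allowed raw, and
# characters whose percent-encoded form is rejected (the page's "?" example).
LEGAL = set(string.ascii_letters + string.digits + "/-._~:?=&")
FORBID_ENCODING = set("?/")

HEX2 = re.compile(r"%([0-9A-Fa-f]{2})")    # escaped encoding, on by default
HEXU = re.compile(r"%u([0-9A-Fa-f]{4})")   # Microsoft %u encoding, opt-in


def check_url(url, legal=LEGAL, forbid_encoding=FORBID_ENCODING,
              forbid_null=True, enable_u_encoding=False):
    """Return (offset, token, reason) violations; an empty list means the URL passes.

    Modelled rules (an assumption about how the page's settings combine):
      - a character in `legal` may appear raw or percent-encoded;
      - any other character may appear only percent-encoded;
      - a character in `forbid_encoding` may never appear percent-encoded;
      - with forbid_null, an encoded NUL (%00) is rejected;
      - "%" is treated as an escape prefix only when it is not itself legal.
    """
    violations = []
    i = 0
    while i < len(url):
        ch = url[i]
        if ch == "%" and "%" not in legal:
            m = HEXU.match(url, i) if enable_u_encoding else None
            if m is None:
                m = HEX2.match(url, i)
            if m is None:
                violations.append((i, ch, "malformed escape"))
                i += 1
                continue
            token = m.group(0)
            decoded = chr(int(m.group(1), 16))
            if forbid_null and decoded == "\x00":
                violations.append((i, token, "encoded NULL is forbidden"))
            elif decoded in forbid_encoding:
                violations.append((i, token, "encoding of %r is forbidden" % decoded))
            i += len(token)
            continue
        if ch not in legal:
            violations.append((i, ch, "allowed only in encoded form"))
        i += 1
    return violations
```

Passing `legal=LEGAL | {"%"}` reproduces the caveat in step 5: with "%" legal, escapes are no longer decoded or inspected.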

Checking global out-of-the-box rules

When this option is activated, out-of-the-box security rules are enforced globally; that is, all the rules that are defined in the Out-Of-The-Box Security Configuration area are enforced on all the relevant applications in the trunk.

For example, if encoding of the character "?" is forbidden for the IAG internal site, it is automatically forbidden for all the other relevant applications, regardless of the individual configuration of the Forbid Encoding Of option for those applications.

Configure this option as follows.

To check global out-of-the-box rules

  1. In the IAG Configuration console, click the relevant trunk node.

  2. On the main page of the trunk properties, click Advanced Trunk Configuration. Then click the URL Inspection tab.

  3. To specify that out-of-the-box security rules are enabled globally, select Check Global Out-Of-The-Box Rules.