Troubleshooting HTTP Filtering in ISA Server
Most of the time an HTTP filter you create in ISA works as intended, but sometimes it does not behave the way you expected. Let's walk through a simple example and see what can go wrong.
I have created an HTTP filter signature to block www.fabrikam.com:
Search in: Request URL
Pattern: www.fabrikam.com
I will try opening www.fabrikam.com from my client machine, which is configured as a SecureNAT client: the internal IP of ISA is this machine's default gateway, and no proxy is configured in the browser.
Request from the Client Machine
Frame: Number = 46, Captured Frame Length = 408, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-B2-45-06],SourceAddress:[00-15-5D-B2-45-05]
+ Ipv4: Src = 192.168.0.175, Dest = 39.1.1.10, Next Protocol = TCP, Packet ID = 20628, Total IP Length = 394
+ Tcp: Flags=...AP..., SrcPort=6504, DstPort=HTTP(80), PayloadLen=354, Seq=2794349469 - 2794349823, Ack=1140043069, Win=32850 (scale factor 0x2) = 131400
- Http: Request, GET /
Command: GET
+ URI: /
ProtocolVersion: HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 07 Aug 2008 18:55:57 GMT
If-None-Match: "a686da39bff8c81:1d9"
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)
Host: www.fabrikam.com
Connection: Keep-Alive
HeaderEnd: CRLF
ISA forwards the response from the web server (of course, both the request and the response are NAT'd)
Frame: Number = 48, Captured Frame Length = 365, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-B2-45-05],SourceAddress:[00-15-5D-B2-45-06]
+ Ipv4: Src = 39.1.1.10, Dest = 192.168.0.175, Next Protocol = TCP, Packet ID = 5425, Total IP Length = 351
+ Tcp: Flags=...AP..., SrcPort=HTTP(80), DstPort=6504, PayloadLen=311, Seq=1140043069 - 1140043380, Ack=2794349823, Win=65181 (scale factor 0x0) = 65181
- Http: Response, HTTP/1.1, Status Code = 304, URL: /
ProtocolVersion: HTTP/1.1
StatusCode: 304, Not modified
Reason: Not Modified
ProxyConnection: Keep-Alive
Connection: Keep-Alive
Via: 1.1 ISA
Date: Thu, 30 Apr 2009 14:28:52 GMT
Content-Location: http://www.fabrikam.com/index.htm
ETag: "a686da39bff8c81:1d9"
Server: Microsoft-IIS/6.0
Last-Modified: Thu, 07 Aug 2008 18:55:57 GMT
Accept-Ranges: bytes
HeaderEnd: CRLF
ISA logged it as
Allowed Connection
Log type: Web Proxy (Forward)
Status: 200 OK.
Rule: Internet Access Rule
Source: Internal (192.168.0.175)
Destination: External (www.fabrikam.com 39.1.1.10:80)
Request: GET http://39.1.1.10/
Filter information: Req ID: 0734fb7f; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous
So what went wrong? The client resolved www.fabrikam.com through the local DNS server and got 39.1.1.10. Because it already had the destination address, it sent the packet directly to 39.1.1.10 with the request line "GET /" and the header Host: www.fabrikam.com. ISA took the URI "/" and completed the URL from the packet's destination IP, giving http://39.1.1.10/ (this is exactly what the log shows in the Request field). Our HTTP filter signature searches the Request URL for www.fabrikam.com, and http://39.1.1.10/ does not contain that string, so the request is allowed. A Request URL signature does not look at the Host header.
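To make the mismatch concrete, here is an added example (not ISA Server code; a model of the behaviour described above, inferred from the two captures and the log line) that parses both request forms, builds the URL a Request URL signature would be evaluated against, and applies the pattern www.fabrikam.com to each. The sample requests are constructed from the captures on this page, and the Host-header check at the end models a signature that searches a named request header instead; whether that is the right fix for your deployment is something to confirm with a trace, as the post advises.

```python
import re
from typing import Dict, Tuple

# Constructed sample requests, reduced to the headers that matter for the
# comparison; they mirror the two NetMon captures on this page.
SECURENAT_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.fabrikam.com\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)
WEBPROXY_REQUEST = (
    "GET http://www.fabrikam.com/ HTTP/1.1\r\n"
    "Host: www.fabrikam.com\r\n"
    "Proxy-Connection: Keep-Alive\r\n"
    "\r\n"
)

_ABSOLUTE_URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.1 request into (method, request-target, headers)."""
    request_line, _, rest = raw.partition("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in rest.split("\r\n"):
        if not line:          # empty line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def effective_request_url(raw: str, dst_ip: str, dst_port: int = 80) -> str:
    """URL a 'Search in: Request URL' signature is matched against.

    Assumption (modelled on the log line 'GET http://39.1.1.10/'): a proxy-form
    absolute URI is used as sent, while an origin-form target such as '/' from
    a SecureNAT client is completed from the packet's destination IP, not from
    the Host header.
    """
    _method, target, _headers = parse_request(raw)
    if _ABSOLUTE_URI.match(target):
        return target
    authority = dst_ip if dst_port == 80 else f"{dst_ip}:{dst_port}"
    return f"http://{authority}{target}"


def url_signature_blocks(raw: str, dst_ip: str, pattern: str, dst_port: int = 80) -> bool:
    """True if a Request URL signature with this pattern would reject the request."""
    return pattern.lower() in effective_request_url(raw, dst_ip, dst_port).lower()


def host_header_signature_blocks(raw: str, pattern: str) -> bool:
    """Model of a signature that searches the Host request header instead."""
    _method, _target, headers = parse_request(raw)
    return pattern.lower() in headers.get("host", "").lower()


if __name__ == "__main__":
    pat = "www.fabrikam.com"
    print("SecureNAT URL :", effective_request_url(SECURENAT_REQUEST, "39.1.1.10"))
    print("  URL signature blocks :", url_signature_blocks(SECURENAT_REQUEST, "39.1.1.10", pat))
    print("  Host signature blocks:", host_header_signature_blocks(SECURENAT_REQUEST, pat))
    print("Web proxy URL :", effective_request_url(WEBPROXY_REQUEST, "192.168.0.254", 777))
    print("  URL signature blocks :", url_signature_blocks(WEBPROXY_REQUEST, "192.168.0.254", pat, 777))
```

Run it and the SecureNAT request yields http://39.1.1.10/, which the URL signature does not match, while the proxy-form request yields http://www.fabrikam.com/ and is blocked. A signature on the Host header would catch both, but neither catches a user who requests http://39.1.1.10/ directly, which is why a deny rule on the destination is the stronger control when the goal is to block a site rather than to inspect content.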
Resolution:
Configure the client machines as Web proxy clients. A Web proxy client sends the full URL (GET http://www.fabrikam.com/) to the ISA Server's Web proxy listener and relies on ISA to resolve public names, so the signature sees the host name it was written for. Keep in mind that a signature on the host name only matches what the client sends: a user who types http://39.1.1.10/ into a proxy-configured browser still produces a Request URL without the name. If the goal is to block a destination outright, a deny rule with a Domain Name Set or URL Set is the appropriate tool; HTTP filter signatures are for inspecting requests you otherwise allow.
Compare the request below, which came from the Web proxy client, with the earlier request from the SecureNAT client. It was sent to ISA (192.168.0.254, on the Web proxy listener port) rather than directly to the destination, and the client handed the full URL to ISA to resolve.
Request from Web proxy Client
Frame: Number = 29, Captured Frame Length = 455, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-B2-45-06],SourceAddress:[00-15-5D-B2-45-05]
+ Ipv4: Src = 192.168.0.175, Dest = 192.168.0.254, Next Protocol = TCP, Packet ID = 17248, Total IP Length = 441
+ Tcp: Flags=...AP..., SrcPort=6474, DstPort=Multiling HTTP(777), PayloadLen=401, Seq=4199678470 - 4199678871, Ack=2627683601, Win=32850 (scale factor 0x2) = 131400
- Http: Request, GET http://www.fabrikam.com/
Command: GET
+ URI: http://www.fabrikam.com/
ProtocolVersion: HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 07 Aug 2008 18:55:57 GMT
If-None-Match: "a686da39bff8c81:1d9"
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)
Host: www.fabrikam.com
ProxyConnection: Keep-Alive
Pragma: no-cache
HeaderEnd: CRLF
ISA's Response to the above web proxy request
Frame: Number = 30, Captured Frame Length = 1514, MediaType = ETHERNET
+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-B2-45-05],SourceAddress:[00-15-5D-B2-45-06]
+ Ipv4: Src = 192.168.0.254, Dest = 192.168.0.175, Next Protocol = TCP, Packet ID = 5032, Total IP Length = 1500
+ Tcp: Flags=...A...., SrcPort=Multiling HTTP(777), DstPort=6474, PayloadLen=1460, Seq=2627683601 - 2627685061, Ack=4199678871, Win=65134 (scale factor 0x0) = 65134
- Http: Response, HTTP/1.1, Status Code = 502, URL: http://www.fabrikam.com/
ProtocolVersion: HTTP/1.1
StatusCode: 502, Bad gateway
Reason: Proxy Error ( The request was rejected by the HTTP filter. Contact your ISA Server administrator. )
Via: 1.1 ISA
Connection: close
ProxyConnection: close
Pragma: no-cache
Cache-Control: no-cache
ContentType: text/html
ContentLength: 4076
HeaderEnd: CRLF
+ payload: HttpContentType = text/html
ISA Logs it as below
Denied Connection
Log type: Web Proxy (Forward)
Status: 12217 The request was rejected by the HTTP filter. Contact your ISA Server administrator.
Rule: Internet Access Rule
Source: Internal (192.168.0.175)
Destination: External (192.168.0.254:777)
Request: GET http://www.fabrikam.com/
Filter information: Req ID: 0734fb82; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; Blocked by the HTTP Security filter: URL contains sequences which are disallowed
Protocol: http
User: anonymous
So, next time you configure HTTP filtering in ISA, take NetMon traces on the client and on ISA to confirm what the filter actually sees in the Request URL, and check the Request field of the Web Proxy log: if it shows an IP address instead of the host name, the client is not talking to ISA as a Web proxy client.
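The Web Proxy log gives you the same signal without a trace: a Request field that carries an IP address instead of a host name means the request reached ISA in origin form and was completed from the destination IP, so no Request URL signature written against a host name can match it. The following is an added example (not part of the original post, and not an ISA tool) that parses log entries in the layout shown above and lists, per internal source, the IP-literal hosts they requested. The first two sample entries reproduce the post's own log lines; the third is constructed.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample in the field layout shown in this post. The first two
# entries are the post's log lines; the third (www.contoso.com / 39.1.1.20,
# source 192.168.0.180) is made up for the example.
SAMPLE_LOG = """\
Allowed Connection
Log type: Web Proxy (Forward)
Status: 200 OK.
Rule: Internet Access Rule
Source: Internal (192.168.0.175)
Destination: External (www.fabrikam.com 39.1.1.10:80)
Request: GET http://39.1.1.10/
Protocol: http
User: anonymous

Denied Connection
Log type: Web Proxy (Forward)
Status: 12217 The request was rejected by the HTTP filter. Contact your ISA Server administrator.
Rule: Internet Access Rule
Source: Internal (192.168.0.175)
Destination: External (192.168.0.254:777)
Request: GET http://www.fabrikam.com/
Protocol: http
User: anonymous

Allowed Connection
Log type: Web Proxy (Forward)
Status: 200 OK.
Rule: Internet Access Rule
Source: Internal (192.168.0.180)
Destination: External (www.contoso.com 39.1.1.20:80)
Request: GET http://39.1.1.20/news/
Protocol: http
User: anonymous
"""


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Turn blank-line separated 'Field: value' blocks into dicts.
    The first line of each block (Allowed/Denied Connection) is kept as 'Result'."""
    entries = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        entry = {"Result": lines[0].strip()}
        for line in lines[1:]:
            key, _, value = line.partition(":")   # split on the first colon only
            entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals (brackets tolerated), False for names."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def securenat_suspects(text: str) -> Dict[str, List[str]]:
    """Map source IP -> sorted IP-literal hosts it requested via the forward
    Web Proxy log. These requests cannot match a hostname Request URL signature."""
    found: Dict[str, set] = defaultdict(set)
    for entry in parse_entries(text):
        if entry.get("Log type") != "Web Proxy (Forward)":
            continue
        m = re.match(r"^\S+\s+(\S+)", entry.get("Request", ""))   # "GET <url>"
        if not m:
            continue
        host = urlsplit(m.group(1)).hostname or ""
        if is_ip_literal(host):
            src = re.search(r"\(([\d.]+)\)", entry.get("Source", ""))
            found[src.group(1) if src else entry.get("Source", "?")].add(host)
    return {src: sorted(hosts) for src, hosts in found.items()}


if __name__ == "__main__":
    for src, hosts in securenat_suspects(SAMPLE_LOG).items():
        print(f"{src}: requested by IP literal -> {', '.join(hosts)}")
```

Sources that show up here are either SecureNAT clients that need to be converted to Web proxy clients or proxy-configured users who typed an IP address; in both cases the hostname signature never saw the name. Adapt parse_entries to the field names of your own log export if they differ from the layout shown in this post.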
Cheers !!