Partager via


Troubleshooting HTTP Filtering in ISA Server

Most of the time you create a HTTP Filter in ISA but sometimes it does not work the way you would have wanted it to. Let's see a simple example and try to see what could be the possible problems.

 

I have a Created a HTTP Filtering to block www.fabrikam.com

 

Search in: Request URL
Pattern: www.fabrikam.com

 

I will try opening www.fabrikam.com from my client machine which is configured as SecureNAT Client which means that the internal IP of ISA is the Default Gateway for this machine.

 

Request from the Client Machine

 

Frame: Number = 46, Captured Frame Length = 408, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-B2-45-06],SourceAddress:[00-15-5D-B2-45-05]

+ Ipv4: Src = 192.168.0.175, Dest = 39.1.1.10, Next Protocol = TCP, Packet ID = 20628, Total IP Length = 394

+ Tcp: Flags=...AP..., SrcPort=6504, DstPort=HTTP(80), PayloadLen=354, Seq=2794349469 - 2794349823, Ack=1140043069, Win=32850 (scale factor 0x2) = 131400

- Http: Request, GET /

Command: GET

+ URI: /

ProtocolVersion: HTTP/1.1

Accept: */*

Accept-Language: en-us

UA-CPU: x86

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 07 Aug 2008 18:55:57 GMT

If-None-Match: "a686da39bff8c81:1d9"

UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)

Host: www.fabrikam.com

Connection: Keep-Alive

HeaderEnd: CRLF

 

ISA forwards the response from the Web Server (of-course the request and response are NAT'd)

 

Frame: Number = 48, Captured Frame Length = 365, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-B2-45-05],SourceAddress:[00-15-5D-B2-45-06]

+ Ipv4: Src = 39.1.1.10, Dest = 192.168.0.175, Next Protocol = TCP, Packet ID = 5425, Total IP Length = 351

+ Tcp: Flags=...AP..., SrcPort=HTTP(80), DstPort=6504, PayloadLen=311, Seq=1140043069 - 1140043380, Ack=2794349823, Win=65181 (scale factor 0x0) = 65181

- Http: Response, HTTP/1.1, Status Code = 304, URL: /

ProtocolVersion: HTTP/1.1

StatusCode: 304, Not modified

Reason: Not Modified

ProxyConnection: Keep-Alive

Connection: Keep-Alive

Via: 1.1 ISA

Date: Thu, 30 Apr 2009 14:28:52 GMT

Content-Location: http://www.fabrikam.com/index.htm

ETag: "a686da39bff8c81:1d9"

Server: Microsoft-IIS/6.0

Last-Modified: Thu, 07 Aug 2008 18:55:57 GMT

Accept-Ranges: bytes

HeaderEnd: CRLF

 

ISA logged it as

 

Allowed Connection

Log type: Web Proxy (Forward)

Status: 200 OK.

Rule: Internet Access Rule

Source: Internal (192.168.0.175)

Destination: External (www.fabrikam.com 39.1.1.10:80)

Request: GET http://39.1.1.10/

Filter information: Req ID: 0734fb7f; Compression: client=No, server=No, compress rate=0% decompress rate=0%

Protocol: http

User: anonymous

 

So what went wrong? The client resolved the www.fabrikam.com from the local DNS Server and got the IP as 39.1.1.10. Since he now has the destination address it sent a packet directly marked for the destination 39.1.1.10 with HOST: www.fabrikam.com. ISA checked the URI "/" and added the destination IP to complete the URL http://39.1.1.1. Since we have a HTTP Filter for www.fabrikam.com it mismatches with the http://39.1.1.1

 

Resolution:

 

Make the client machines as Web proxy clients. This will make users send the right URL to the ISA Server. Web proxy clients depend on ISA to resolve the public names.

 

See the below request which came from the web proxy client, as compared to the request came from SecureNAT Client. The request was sent to ISA (192.168.0.254) and not to the destination directly. And the client machine gave the URL to ISA for resolving.

 

Request from Web proxy Client

 

Frame: Number = 29, Captured Frame Length = 455, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-B2-45-06],SourceAddress:[00-15-5D-B2-45-05]

+ Ipv4: Src = 192.168.0.175, Dest = 192.168.0.254, Next Protocol = TCP, Packet ID = 17248, Total IP Length = 441

+ Tcp: Flags=...AP..., SrcPort=6474, DstPort=Multiling HTTP(777), PayloadLen=401, Seq=4199678470 - 4199678871, Ack=2627683601, Win=32850 (scale factor 0x2) = 131400

- Http: Request, GET http://www.fabrikam.com/

Command: GET

+ URI: http://www.fabrikam.com/

ProtocolVersion: HTTP/1.1

Accept: */*

Accept-Language: en-us

UA-CPU: x86

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 07 Aug 2008 18:55:57 GMT

If-None-Match: "a686da39bff8c81:1d9"

UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)

Host: www.fabrikam.com

ProxyConnection: Keep-Alive

Pragma: no-cache

HeaderEnd: CRLF

 

 

ISA's Response to the above web proxy request

 

Frame: Number = 30, Captured Frame Length = 1514, MediaType = ETHERNET

+ Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-15-5D-B2-45-05],SourceAddress:[00-15-5D-B2-45-06]

+ Ipv4: Src = 192.168.0.254, Dest = 192.168.0.175, Next Protocol = TCP, Packet ID = 5032, Total IP Length = 1500

+ Tcp: Flags=...A...., SrcPort=Multiling HTTP(777), DstPort=6474, PayloadLen=1460, Seq=2627683601 - 2627685061, Ack=4199678871, Win=65134 (scale factor 0x0) = 65134

- Http: Response, HTTP/1.1, Status Code = 502, URL: http://www.fabrikam.com/

ProtocolVersion: HTTP/1.1

StatusCode: 502, Bad gateway

Reason: Proxy Error ( The request was rejected by the HTTP filter. Contact your ISA Server administrator. )

Via: 1.1 ISA

Connection: close

ProxyConnection: close

Pragma: no-cache

Cache-Control: no-cache

ContentType: text/html

ContentLength: 4076

HeaderEnd: CRLF

+ payload: HttpContentType = text/html

 

ISA Logs it as below

 

Denied Connection

Log type: Web Proxy (Forward)

Status: 12217 The request was rejected by the HTTP filter. Contact your ISA Server administrator.

Rule: Internet Access Rule

Source: Internal (192.168.0.175)

Destination: External (192.168.0.254:777)

Request: GET http://www.fabrikam.com/

Filter information: Req ID: 0734fb82; Compression: client=No, server=No, compress rate=0% decompress rate=0% ; Blocked by the HTTP Security filter: URL contains sequences which are disallowed

Protocol: http

User: anonymous

 

 

So, next time you configure the HTTP filtering in ISA, make sure you do NetMon traces to make sure you are doing it correctly.

 

Cheers !!