Solved

Web content types / mime type filter problem

Posted on 2007-11-21
Last Modified: 2012-05-05
I have ISA Server 2004, used just for web access.
Content type filtering is set to "selected content types" in the access rule properties.
I selected all the default content types "applications.........,vrml".
Everything goes OK, but when I try to open any site that needs a username and password I get a message:
"Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL)."
I think I have to add another MIME content type, but what do I need to add in this situation?
Users cannot access mail.yahoo.com or log in to Hotmail mailboxes.
I need your suggestions, please.
Question by:MODR100
15 Comments
 
LVL 37

Expert Comment

by:bbao
ID: 20327443
It sounds like the mentioned sites need SSL. Are you sure you have enabled outgoing HTTPS traffic (both URL based and TCP based)?
0
 

Author Comment

by:MODR100
ID: 20327529
I opened the "All outbound traffic" and the problem continues.
If I allow "All content types" the problem disappears, but I don't need this.
If I allow "the selected content list", I cannot access Yahoo Mail or Hotmail.
I think the problem is in the content type MIME, because any site that needs a user name and password is denied by the ISA 2004 server.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20330353
Make sure you have installed Service Pack 3 for ISA 2004.
Open the ISA GUI, select Monitoring - Logging - click on Start Query to start the realtime log.

Make the connection attempt and watch for the denied messages when you visit whatever site it is you are trying.
Stop the query.

Highlight one of the denied message lines.
Open the bottom section of the log screen and then click on the + symbol to drill down and see what the HTTP headers are that were blocked.

Keith
0
 

Author Comment

by:MODR100
ID: 20332824
I have SP3 installed.
I started logging and got this:
------------------------------------------------------
Log type: Firewall service
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
Destination: Local Host ( *.*.*.*:8080)
Protocol: HTTP Proxy
•      Number of bytes sent: 427 Number of bytes received: 1081
•      Processing time: 0ms Original Client IP: *.*.*.*
0
 

Author Comment

by:MODR100
ID: 20333075
This message appears in the log:
12202 The ISA Server denied the specified Uniform Resource Locator (URL).

When I try to access the Yahoo login it starts handshaking but doesn't complete that,
and access is denied.
0
 
LVL 37

Expert Comment

by:bbao
ID: 20333370
I think you can also get the blocked URL from the ISA log. Can you please let us know that?
0
 

Author Comment

by:MODR100
ID: 20333700
I allowed everything.
This is the result from the log:
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Source: Internal
Destination: External
Request: login.yahoo.com:443
Filter information: Req ID: 05bc0b0f; Req ID: 05bc0b0f
Protocol: SSL-tunnel
User: anonymous
•      Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
•      Object source: Internet Processing time: 0
•      Cache info: 0x0 MIME type:
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20335834
No, you haven't allowed everything.

When something is blocked by the default rule, it means that the request did not meet the conditions set in any of the higher rules.

Where are you running the request from, an internal client or the ISA itself?
What authentication have you placed on the outbound rule? All users? Authenticated users? An AD group?
Note that the request that was sent was named as anonymous, so this would only work using the All Users authentication unless you have the ISA firewall client installed.
0
 

Author Comment

by:MODR100
ID: 20344893
Dear, I opened all protocols but filter on the content type.
To test, I enabled all default content types.
All allowed users are allowed to access the internet without authentication.
The firewall client is also installed on an internal PC for testing.
I can access any site that doesn't need auth.
I cannot log in to Yahoo or Hotmail?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20345215
Please post a copy of the log output from the log screen so I can see what is being returned.
0
 

Author Comment

by:MODR100
ID: 20345325
I have one web access rule and I enabled content filtering.
Can I enable content filtering on a rule that enables HTTP and HTTPS?
When I delete the old rule and make two new rules,
one for HTTP with a content filter
and another rule for HTTPS without content filtering, it works OK.
The question:
can I enable a content filter on a rule that allows HTTP and HTTPS?
0
 

Author Comment

by:MODR100
ID: 20345361
This is the output:
dest.ip   dest.port   protocol     action   rule      client ip   client uname   url
proxyIP   443         ssl-tunnel   denied   default   -           anonymous      login.yahoo.com
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 20345428
It is best to make separate rules for each when you are filtering by content types.

Content filtering works for the rule that the filter is applied to only.
For example, if you had four HTTP rules and you applied a content filter on rule 2, this would not be applied to rules 1, 3 & 4 - only rule 2.
Filter rules must appear before allow all content-type rules.

I have tried it here - I also get an error when trying to go to https://login.yahoo.com. The error is a type 995 (the application requested that the connection be dropped). I get a failed message in my ISA log rather than a denied message.

0.0.0.0      Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322)      Yes      Proxy            login.yahoo.com      TCP                  Internet      -      -            -      Req ID: 0ace7beb; Compression: client=No, server=No, compress rate=0% decompress rate=0%      -      -      -      25/11/2007 12:37:35      0      0      8090      680      0x0      0x8            25/11/2007 12:37:35      192.168.0.67      217.12.8.76      443      SSL-tunnel      Failed Connection Attempt      Allow Outbound All protocols            995 The I/O operation has been aborted because of either a thread exit or an application request.       anonymous      Internal      External      login.yahoo.com:443      HOST1      Web Proxy Filter
0
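
A simplified first-match model of the rule behaviour discussed in this thread, added here as an illustration; it is not ISA Server's own logic and not code from any poster. It assumes a tunnel request presents no MIME type to the proxy (the "MIME type:" field in the denied log entry is empty) and that a selected-content-types condition cannot match such a request; the rule names, the content-type subset and example.test are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    protocol: str              # "HTTP" or "SSL-tunnel", as named in the log
    url: str
    mime_type: Optional[str]   # None: no content type visible to the proxy

@dataclass(frozen=True)
class Rule:
    name: str
    protocols: frozenset
    content_types: Optional[frozenset] = None   # None = "All content types"

    def matches(self, req: Request) -> bool:
        if req.protocol not in self.protocols:
            return False
        if self.content_types is None:
            return True
        # Assumption: a selected-types condition only matches a known type.
        return req.mime_type in self.content_types

def evaluate(rules, req):
    """First rule whose conditions all match wins; otherwise the default rule denies."""
    for rule in rules:
        if rule.matches(req):
            return ("allowed", rule.name)
    return ("denied", "Default rule")

SELECTED = frozenset({"text/html", "image/gif", "image/jpeg"})  # constructed subset

# Original setup: one rule covering HTTP and HTTPS with selected content types.
single_rule = [Rule("Web access", frozenset({"HTTP", "SSL-tunnel"}), SELECTED)]
# Setup that worked in the thread: filtered HTTP rule, unfiltered HTTPS rule.
split_rules = [Rule("HTTP filtered", frozenset({"HTTP"}), SELECTED),
               Rule("HTTPS unfiltered", frozenset({"SSL-tunnel"}))]
# Ordering mistake: the all-content rule sits above the filtered rule.
misordered = [Rule("HTTP all content", frozenset({"HTTP"})), split_rules[0]]

# Constructed requests; the tunnel mirrors the denied log entry (empty MIME type).
page = Request("HTTP", "http://www.yahoo.com/", "text/html")
download = Request("HTTP", "http://example.test/setup.exe", "application/x-msdownload")
tunnel = Request("SSL-tunnel", "login.yahoo.com:443", None)

if __name__ == "__main__":
    for label, rules in (("single", single_rule), ("split", split_rules), ("misordered", misordered)):
        for req in (page, download, tunnel):
            print(f"{label:10} {req.url:32}", *evaluate(rules, req))
```

In this model the single rule sends the tunnel request to the default rule, the split rules allow it while still filtering HTTP downloads, and the misordered set lets the download through because the filtered rule is never reached.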
 
LVL 1

Expert Comment

by:Computer101
ID: 20699001
Forced accept.

Computer101
EE Admin
0
