Solved

Web content types / mime type filter problem

Posted on 2007-11-21
Last Modified: 2012-05-05
I have ISA Server 2004
used just for web access.
Content types filtering is set for "selected content types" in the access rule properties.
I selected all the default content types "applications.........,vrml".
Everything goes OK, but
when I try to open any site that needs a username and password I get a message:
"Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL)."
I think I have to add another MIME content type, but what do I need to add in this situation?
Users cannot access mail.yahoo.com or log in to Hotmail boxes.
I need your suggestions, please.
Question by:MODR100
15 Comments
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 20327443
It sounds like the mentioned sites need SSL. Are you sure you have enabled outgoing HTTPS traffic (both URL based and TCP based)?
0
 

Author Comment

by:MODR100
ID: 20327529
I opened the "All outbound traffic" and the problem continues.
If I allow "All content types" the problem disappears / I don't need this.
If I allow "the selected content list" I cannot access Yahoo Mail or Hotmail.
I think the problem is in the content type MIME because any site that needs a user name and password is denied by the ISA 2004 server.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20330353
Make sure you have installed Service Pack 3 for ISA 2004.
Open the ISA GUI, select Monitoring - Logging - click on Start Query to start the real-time log.

Make the connection attempt and watch for the denied messages when you visit whatever site it is you are trying.
Stop the query.

Highlight one of the denied message lines.
Open the bottom section of the log screen and then click on the + symbol to drill down and see what the HTTP headers are that were blocked.

Keith
0
 

Author Comment

by:MODR100
ID: 20332824
I have SP3 installed.
I started logging and got this:
------------------------------------------------------
Log type: Firewall service
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
Destination: Local Host ( *.*.*.*:8080)
Protocol: HTTP Proxy
Number of bytes sent: 427 Number of bytes received: 1081
Processing time: 0ms Original Client IP: *.*.*.*
0
 

Author Comment

by:MODR100
ID: 20333075
This message appears in the log:
12202 The ISA Server denied the specified Uniform Resource Locator (URL).

When I try to access the Yahoo login it starts handshaking but doesn't complete that,
and access is denied.
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 20333370
I think you can also get the blocked URL from the ISA log. Can you please let us know that?
0
 

Author Comment

by:MODR100
ID: 20333700
I allowed everything.
This is the result from the log:
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Source: Internal
Destination: External
Request: login.yahoo.com:443
Filter information: Req ID: 05bc0b0f; Req ID: 05bc0b0f
Protocol: SSL-tunnel
User: anonymous
Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Object source: Internet Processing time: 0
Cache info: 0x0 MIME type:
0

 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20335834
No, you haven't allowed everything.

When something is blocked by the default rule, it means that the request did not meet the conditions set in any of the higher rules.

Where are you running the request from, an internal client or the ISA itself?
What authentication have you placed on the outbound rule? All users? Authenticated users? An AD group?
Note that the request that was sent was named as anonymous so this would only work using the all users authentication unless you have the ISA firewall client installed.
0
 

Author Comment

by:MODR100
ID: 20344893
Dear, I opened all protocols but filter at the content type.
To test I enabled all default content types.
All allowed users are allowed to the internet without authentication.
Firewall client is also installed on an internal PC for test.
I can access any site that doesn't need auth.
I cannot log in to Yahoo or Hotmail?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20345215
Please post a copy of the log output from the log screen so I can see what is being returned.
0
 

Author Comment

by:MODR100
ID: 20345325
I have one web access rule and I enabled content filtering.
Can I enable content filtering on a rule that enables HTTP and HTTPS?
When I delete the old rule and make two new rules,
one for HTTP with content filter
and another rule for HTTPS without content filtering, it works OK.
The question:
can I enable content filter on a rule that allows HTTP and HTTPS?
0
 

Author Comment

by:MODR100
ID: 20345361
This is the output:
dest.ip   dest.port   protocol      action      rule    client ip   client uname    url
proxyIP-443            ssl-tunnel    denied   default   -     anonymous  login.yahoo.com
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 20345428
It is best to make separate rules for each when you are filtering by content types.

Content filtering works for the rule that the filter is applied to only.
For example, if you had four HTTP rules and you applied a content filter on rule 2, this would not be applied to rules 1, 3 & 4 - only rule 2.
Filter rules must appear before allow all content-type rules.

I have tried it here - I also get an error when trying to go to https://login.yahoo.com. The error is a type 995 (the application requested that the connection be dropped). I get a failed message in my ISA log rather than a denied message.

0.0.0.0      Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322)      Yes      Proxy            login.yahoo.com      TCP                  Internet      -      -            -      Req ID: 0ace7beb; Compression: client=No, server=No, compress rate=0% decompress rate=0%      -      -      -      25/11/2007 12:37:35      0      0      8090      680      0x0      0x8            25/11/2007 12:37:35      192.168.0.67      217.12.8.76      443      SSL-tunnel      Failed Connection Attempt      Allow Outbound All protocols            995 The I/O operation has been aborted because of either a thread exit or an application request.       anonymous      Internal      External      login.yahoo.com:443      HOST1      Web Proxy Filter
0
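
The behaviour discussed in this thread, modelled as an added example (not part of any post and not ISA Server code): a first-match rule evaluator in which a rule applies only when its content-type condition is met. The rule names, the `SELECTED` MIME set and the matching semantics are assumptions inferred from the posted log entries (empty `MIME type:`, `Protocol: SSL-tunnel`, `Rule: Default rule`).

```python
# Simplified model of first-match access-rule evaluation. The semantics are
# an assumption inferred from the thread's logs, not ISA Server code or API.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    protocols: FrozenSet[str]
    content_types: Optional[FrozenSet[str]] = None  # None = all content types

@dataclass(frozen=True)
class Request:
    url: str
    protocol: str   # "HTTP" or "SSL-tunnel", as in the log's Protocol field
    mime_type: str  # empty for SSL-tunnel, as in the log's "MIME type:" field

def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """Return (action, rule name); unmatched requests hit the Default rule."""
    for rule in rules:
        if req.protocol not in rule.protocols:
            continue
        if rule.content_types is not None and req.mime_type not in rule.content_types:
            continue  # content-type condition not met, so the rule does not apply
        return ("allowed", rule.name)
    return ("denied", "Default rule")

# Constructed sample data: a small stand-in for the "selected content types".
SELECTED = frozenset({"text/html", "image/gif", "application/pdf"})
WEB = frozenset({"HTTP", "SSL-tunnel"})

# The asker's original setup: one rule for HTTP and HTTPS with the filter on it.
single_rule = [Rule("Web access (filtered)", WEB, SELECTED)]
# The working setup from the thread: filtered HTTP rule, unfiltered HTTPS rule.
split_rules = [Rule("HTTP (filtered)", frozenset({"HTTP"}), SELECTED),
               Rule("HTTPS (no filter)", frozenset({"SSL-tunnel"}))]

login = Request("login.yahoo.com:443", "SSL-tunnel", "")
page = Request("http://www.example.com/", "HTTP", "text/html")
video = Request("http://www.example.com/clip.mpg", "HTTP", "video/mpeg")

def compare() -> dict:
    """Evaluate the three sample requests under both rule sets."""
    return {(label, r.url): evaluate(rules, r)
            for label, rules in (("single", single_rule), ("split", split_rules))
            for r in (login, page, video)}

if __name__ == "__main__":
    for key, result in compare().items():
        print(key, "->", result)
```

In this model, putting an allow-all HTTP rule above the filtered one lets `video` through, which is the ordering point made in the accepted answer.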
 
LVL 1

Expert Comment

by:Computer101
ID: 20699001
Forced accept.

Computer101
EE Admin
0
