Solved

Web content types / mime type filter problem

Posted on 2007-11-21
Last Modified: 2012-05-05
I have ISA Server 2004,
used just for web access.
Content type filtering is set to "selected content types" in the access rule properties.
I selected all the default content types "applications.........,vrml".
Everything goes OK, but
when I try to open any site that needs a username and password I get a message:
"Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL)."
I think I have to add another MIME content type, but what do I need to add in this situation?
Users cannot access mail.yahoo.com or log in to Hotmail boxes.
I need your suggestions, please.
Question by:MODR100
 
LVL 37

Expert Comment

by:bbao
ID: 20327443
It sounds like the mentioned sites need SSL. Are you sure you have enabled outgoing HTTPS traffic (both URL based and TCP based)?
 

Author Comment

by:MODR100
ID: 20327529
I opened "All outbound traffic" and the problem continues.
If I allow "All content types" the problem disappears, but I don't need this.
If I allow "the selected content list" I cannot access Yahoo Mail or Hotmail.
I think the problem is in the content type MIME, because any site that needs a user name and password is denied by the ISA 2004 server.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20330353
Make sure you have installed Service Pack 3 for ISA 2004.
Open the ISA GUI, select Monitoring - Logging - click on Start Query to start the realtime log.

Make the connection attempt and watch for the denied messages when you visit whatever site it is you are trying.
Stop the query.

Highlight one of the denied message lines.
Open the bottom section of the log screen and then click on the + symbol to drill down and see what the HTTP headers are that were blocked.

Keith
 

Author Comment

by:MODR100
ID: 20332824
I have SP3 installed.
I started logging and got this:
------------------------------------------------------
Log type: Firewall service
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
Destination: Local Host ( *.*.*.*:8080)
Protocol: HTTP Proxy
•      Number of bytes sent: 427 Number of bytes received: 1081
•      Processing time: 0ms Original Client IP: *.*.*.*
 

Author Comment

by:MODR100
ID: 20333075
This message appears in the log:
12202 The ISA Server denied the specified Uniform Resource Locator (URL).

When I try to access the Yahoo login it starts handshaking but doesn't complete that,
and access is denied.
 
LVL 37

Expert Comment

by:bbao
ID: 20333370
I think you can also get the blocked URL from the ISA log. Can you please let us know that?
 

Author Comment

by:MODR100
ID: 20333700
I allowed everything.
This is the result from the log:
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Source: Internal
Destination: External
Request: login.yahoo.com:443
Filter information: Req ID: 05bc0b0f; Req ID: 05bc0b0f
Protocol: SSL-tunnel
User: anonymous
•      Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
•      Object source: Internet Processing time: 0
•      Cache info: 0x0 MIME type:
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20335834
No, you haven't allowed everything.

When something is blocked by the default rule, it means that the request did not meet the conditions set in any of the higher rules.

Where are you running the request from, an internal client or the ISA itself?
What authentication have you placed on the outbound rule? All users? Authenticated users? An AD group?
Note that the request that was sent was named as anonymous, so this would only work using the all users authentication unless you have the ISA firewall client installed.
 

Author Comment

by:MODR100
ID: 20344893
Dear, I opened all protocols but filter on the content type.
To test, I enabled all default content types.
All allowed users are allowed to access the internet without authentication.
The firewall client is also installed on an internal PC for testing.
I can access any site that doesn't need auth.
I cannot log in to Yahoo or Hotmail?
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20345215
Please post a copy of the log output from the log screen so I can see what is being returned.
 

Author Comment

by:MODR100
ID: 20345325
I have one web access rule and I enabled content filtering.
Can I enable content filtering on a rule that enables HTTP and HTTPS?
When I delete the old rule and make two new rules,
one for HTTP with a content filter
and another rule for HTTPS without content filtering, it works OK.
The question:
can I enable a content filter on a rule that allows HTTP and HTTPS?
 

Author Comment

by:MODR100
ID: 20345361
This is the output:
dest.ip   dest.port   protocol      action      rule    client ip   client uname    url
proxyIP-443            ssl-tunnel    denied   default   -     anonymous  login.yahoo.com
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 20345428
It is best to make separate rules for each when you are filtering by content types.

Content filtering works for the rule that the filter is applied to only.
For example, if you had four HTTP rules and you applied a content filter on rule 2, this would not be applied to rules 1, 3 & 4 - only rule 2.
Filter rules must appear before allow all content-type rules.

I have tried it here - I also get an error when trying to go to https://login.yahoo.com. The error is a type 995 (the application requested that the connection be dropped). I get a failed message in my isa log rather than a denied message.

0.0.0.0      Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322)      Yes      Proxy            login.yahoo.com      TCP                  Internet      -      -            -      Req ID: 0ace7beb; Compression: client=No, server=No, compress rate=0% decompress rate=0%      -      -      -      25/11/2007 12:37:35      0      0      8090      680      0x0      0x8            25/11/2007 12:37:35      192.168.0.67      217.12.8.76      443      SSL-tunnel      Failed Connection Attempt      Allow Outbound All protocols            995 The I/O operation has been aborted because of either a thread exit or an application request.       anonymous      Internal      External      login.yahoo.com:443      HOST1      Web Proxy Filter
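
An added illustration, not part of the thread and not ISA Server's own logic: a simplified first-match rule model showing why a single HTTP/HTTPS rule with a content-type filter sends login.yahoo.com:443 to the Default rule, while the split rules allow it. The class and rule names, the sample content types, and the premise that an SSL tunnel exposes no MIME type for the filter to match (consistent with the empty "MIME type:" field in the log posted above) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    protocol: str             # "HTTP" or "SSL-tunnel", as named in the ISA log
    url: str
    mime_type: Optional[str]  # None for a tunnel: the proxy sees no response headers

@dataclass(frozen=True)
class Rule:
    name: str
    protocols: frozenset
    content_types: Optional[frozenset] = None  # None means "All content types"

    def matches(self, req: Request) -> bool:
        if req.protocol not in self.protocols:
            return False
        if self.content_types is None:
            return True
        # Assumption of this model: a content-type condition can only be
        # satisfied by a MIME type the proxy can actually see.
        return req.mime_type is not None and req.mime_type in self.content_types

def evaluate(rules, req):
    """First matching rule wins; otherwise the request falls to the Default rule."""
    for rule in rules:
        if rule.matches(req):
            return ("Allowed", rule.name)
    return ("Denied", "Default rule")

SELECTED = frozenset({"text/html", "image/gif", "application/pdf"})  # constructed sample list

# The original setup: one rule for HTTP and HTTPS carrying the content-type filter.
COMBINED = [Rule("Web access", frozenset({"HTTP", "SSL-tunnel"}), SELECTED)]
# The working setup: filter on the HTTP rule, a separate HTTPS rule without one.
SPLIT = [
    Rule("HTTP filtered", frozenset({"HTTP"}), SELECTED),
    Rule("HTTPS unfiltered", frozenset({"SSL-tunnel"})),
]

# Constructed requests modelled on the log entries in the thread.
PAGE = Request("HTTP", "http://www.yahoo.com/", "text/html")
LOGIN = Request("SSL-tunnel", "login.yahoo.com:443", None)
BLOCKED = Request("HTTP", "http://example.test/setup.exe", "application/octet-stream")

if __name__ == "__main__":
    for label, rules in (("combined", COMBINED), ("split", SPLIT)):
        for req in (PAGE, LOGIN, BLOCKED):
            print(f"{label:8} {req.url:32} -> {evaluate(rules, req)}")
```

With the split rule set, the content-type filter still applies to plain HTTP downloads, while tunnelled HTTPS is allowed or denied as a whole by its own rule.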
 
LVL 1

Expert Comment

by:Computer101
ID: 20699001
Forced accept.

Computer101
EE Admin