Solved

Web content types / mime type filter problem

Posted on 2007-11-21
Last Modified: 2012-05-05
I have ISA Server 2004,
used just for web access.
Content types filtering is set for "selected content types" in the access rule properties.
I selected all the default content types "applications.........,vrml".
Everything goes OK, but
when I try to open any site that needs a username and password I get a message:
"Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL)."
I think I have to add another MIME content type, but what do I need to add in this situation?
Users cannot access mail.yahoo.com or log in to Hotmail boxes.
I need your suggestions, please.
0
Comment
Question by:MODR100
15 Comments
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 20327443
It sounds like the mentioned sites need SSL. Are you sure you have enabled outgoing HTTPS traffic (both URL based and TCP based)?
0
 

Author Comment

by:MODR100
ID: 20327529
I opened the "All outbound traffic" and the problem continues.
If I allow "All content types" the problem disappears / I don't need this.
If I allow "the selected content list" I cannot access Yahoo Mail or Hotmail.
I think the problem is in the content type MIME, because any site that needs a user name and password is denied by the ISA 2004 server.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20330353
Make sure you have installed Service Pack 3 for ISA 2004.
Open the ISA GUI, select Monitoring - Logging - click on Start Query to start the realtime log.

Make the connection attempt and watch for the denied messages when you visit whatever site it is you are trying.
Stop the query.

Highlight one of the denied message lines.
Open the bottom section of the log screen and then click on the + symbol to drill down and see what the HTTP headers are that were blocked.

Keith
0
 

Author Comment

by:MODR100
ID: 20332824
I have SP3 installed.
I started logging and got this:
------------------------------------------------------
Log type: Firewall service
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
Destination: Local Host ( *.*.*.*:8080)
Protocol: HTTP Proxy
•      Number of bytes sent: 427 Number of bytes received: 1081
•      Processing time: 0ms Original Client IP: *.*.*.*
0
 

Author Comment

by:MODR100
ID: 20333075
This message appears in the log:
12202 The ISA Server denied the specified Uniform Resource Locator (URL).

When I try to access the Yahoo login it starts handshaking but doesn't complete that,
and access is denied.
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 20333370
I think you can also get the blocked URL from the ISA log. Can you please let us know that?
0
 

Author Comment

by:MODR100
ID: 20333700
I allowed everything.
This is the result from the log:
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Source: Internal
Destination: External
Request: login.yahoo.com:443
Filter information: Req ID: 05bc0b0f; Req ID: 05bc0b0f
Protocol: SSL-tunnel
User: anonymous
•      Client agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
•      Object source: Internet Processing time: 0
•      Cache info: 0x0 MIME type:
0

 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20335834
No, you haven't allowed everything.

When something is blocked by the default rule, it means that the request did not meet the conditions set in any of the higher rules.

Where are you running the request from, an internal client or the ISA itself?
What authentication have you placed on the outbound rule? All users? Authenticated users? An AD group?
Note that the request that was sent was named as anonymous, so this would only work using the all users authentication unless you have the ISA firewall client installed.
0
 

Author Comment

by:MODR100
ID: 20344893
Dear, I opened all protocols but filter at the content type.
To test, I enabled all default content types.
All allowed users are allowed to the internet without authentication.
The firewall client is also installed on an internal PC for test.
I can access any site that doesn't need auth.
I cannot log in to Yahoo or Hotmail?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20345215
Please post a copy of the log output from the log screen so I can see what is being returned.
0
 

Author Comment

by:MODR100
ID: 20345325
I have one web access rule and I enabled content filtering.
Can I enable content filtering on a rule that enables HTTP and HTTPS?
When I delete the old rule and make two new rules,
one for HTTP with content filter
and another rule for HTTPS without content filtering, it works OK.
The question:
Can I enable content filter on a rule that allows HTTP and HTTPS?
0
 

Author Comment

by:MODR100
ID: 20345361
This is the output:
dest.ip   dest.port   protocol      action      rule    client ip   client uname    url
proxyIP-443            ssl-tunnel    denied   default   -     anonymous  login.yahoo.com
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 20345428
It is best to make separate rules for each when you are filtering by content types.

Content filtering works for the rule that the filter is applied to only.
For example, if you had four HTTP rules and you applied a content filter on rule 2, this would not be applied to rules 1, 3 & 4 - only rule 2.
Filter rules must appear before allow all content-type rules.

I have tried it here - I also get an error when trying to go to https://login.yahoo.com. The error is a type 995 (the application requested that the connection be dropped). I get a failed message in my ISA log rather than a denied message.

0.0.0.0      Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; .NET CLR 1.1.4322)      Yes      Proxy            login.yahoo.com      TCP                  Internet      -      -            -      Req ID: 0ace7beb; Compression: client=No, server=No, compress rate=0% decompress rate=0%      -      -      -      25/11/2007 12:37:35      0      0      8090      680      0x0      0x8            25/11/2007 12:37:35      192.168.0.67      217.12.8.76      443      SSL-tunnel      Failed Connection Attempt      Allow Outbound All protocols            995 The I/O operation has been aborted because of either a thread exit or an application request.       anonymous      Internal      External      login.yahoo.com:443      HOST1      Web Proxy Filter
0
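Added example (not code from any poster in this thread or from Microsoft): the Python below parses a log-viewer entry in the layout pasted above and flags the pattern this thread turned on, a 12202 denial by the default rule for an SSL-tunnel request whose MIME type field is empty. The field labels and the sample entry come from the posts; the function names and result strings are assumptions of this example.

```python
import re

# Field labels as they appear in the log entries pasted in this thread.
LABELS = ["Log type", "Status", "Rule", "Source", "Destination", "Request",
          "Filter information", "Protocol", "User", "Client agent",
          "Object source", "Processing time", "Cache info", "MIME type"]
LABEL_RE = re.compile(r"\b(" + "|".join(map(re.escape, LABELS)) + r"):")

# Entry re-typed from the asker's post in this thread (some fields omitted).
SAMPLE = """Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: Default rule
Source: Internal
Destination: External
Request: login.yahoo.com:443
Protocol: SSL-tunnel
User: anonymous
•      Object source: Internet Processing time: 0
•      Cache info: 0x0 MIME type:
"""

def parse_entry(text):
    """Split a pasted log-viewer entry into {label: value}."""
    fields, hits = {}, list(LABEL_RE.finditer(text))
    for i, m in enumerate(hits):
        # Several pairs share a line, so cut at the next label, not at newline.
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        fields[m.group(1)] = text[m.end():end].strip(" \t\r\n•")
    return fields

def triage(fields):
    """Classify an entry using the readings given in this thread."""
    status = fields.get("Status", "")
    by_default = fields.get("Rule", "").lower().startswith("default")
    tunnel = fields.get("Protocol", "").lower() == "ssl-tunnel"
    if status.startswith("12202") and by_default:
        if tunnel and not fields.get("MIME type"):
            # HTTPS tunnel with no MIME type logged; the asker's fix was a
            # separate HTTPS rule with no content-type filter on it.
            return "https-tunnel-no-matching-rule"
        # Default-rule denial: no higher rule's conditions were met.
        return "no-matching-allow-rule"
    if status.startswith("995"):
        return "allowed-but-connection-failed"
    return "no-denial"

if __name__ == "__main__":
    entry = parse_entry(SAMPLE)
    print(entry["Request"], "->", triage(entry))
```
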
 
LVL 1

Expert Comment

by:Computer101
ID: 20699001
Forced accept.

Computer101
EE Admin
0
