Solved

What are the risks of removing HTTP "web proxy filter" from ISA 2006

Posted on 2010-09-20
3,680 Views
Last Modified: 2012-05-10
So I've been fighting for a week or so trying to get ISA set up, and keep getting this error:

Error Code 12206: Proxy chain loop
Background: The gateway has detected a proxy chain loop. This condition might indicate a configuration problem on a proxy server.
Date: 9/21/2010 12:26:37 AM [GMT]
Server: XXXXX-xxxxx
Source: Proxy    

I have tried like a million (slight exaggeration) rules, and NIC settings, trying to use the machine as its own proxy, reversing NIC binding orders, on and on.

I can get past this by disabling "web proxy filter" on the HTTP protocol, but what is the risk of doing so? It just seems like something I don't want to turn off.

What am I losing in terms of security and accountability by removing this filter?

The TechNet article where I found the web proxy filter workaround says: "The disadvantage of this workaround is that outbound HTTP requests from SecureNAT and Firewall clients will then go directly to the Web server instead of being redirected to the Web Proxy filter. Such requests will not be served from the cache, and HTTP application layer filtering will not be applied."

Does this mean I'll not be able to block sites, or monitor/block web content?

Question by:R. Andrew Koffron
24 Comments
 
LVL 6

Expert Comment

by:Hisham_Elkouha
Make sure that you don't assign a gateway on the internal NIC, and also, in the advanced settings of the Network Connections, make sure that the internal network is first in the order.
 
LVL 51

Accepted Solution

by: Keith Alabaster (earned 250 total points)
What it means is that for HTTP and HTTPS traffic, you lose the ability to monitor traffic at the application layer and can only inspect it at layers 3 and 4. For example, you can still block sites going to a particular URL or domain, but cannot inspect HTTP/HTTPS traffic deep-down and dirty.

There are users of ISA out there who turn off the web proxy by design - more fool them, as this makes the ISA an extremely expensive product for limited benefit - but if you want to use the ISA to its maximum you leave the web proxy enabled.

Requests from a purely SecureNAT client are not going to use the web proxy anyway. To fully use the web proxy filter requires the setting of the web proxy configuration within the web browser's proxy tab.
 
LVL 16

Author Comment

by:R. Andrew Koffron
It seemed like a bad idea to remove, but I can't seem to get around the proxy loop error with it enabled.
 
LVL 29

Expert Comment

by:pwindell
"have tried like a million (slight exaggeration) rules, and NIC settings, trying to use the machine as its own proxy, reversing NIC binding orders on and on."

Then that is probably your problem.  You've tried too many,...and probably all wrong.  Let's stop chasing our tails around in circles, because no one knows exactly what you configured or failed to configure.

Thousands of people run TMG and don't have your problems.   It is clearly an issue of an incorrect configuration,...but since you have not clearly described your configuration we have nothing to point at to say "There it is.."

Here's a list of some obvious things:

1. If there is no upstream proxy "above" you, then do not configure Proxy Chaining anywhere,...none,...nowhere.  You can't have a proxy chain if there is no 2nd proxy to chain to.

2. Binding order,...Internal first, intermediate NICs second, third, etc.,...External after all the other normal NICs.   No fuzziness, no compromises,...that is exactly how it should be.

3. TMG should not use itself as a Web Proxy,...but it won't break anything if it does.

4. TMG should never have the TMG Client installed on it,...ever.

5. Internal NIC:
IP: <proper LAN IP#>
Mask: <proper mask>
Gateway: None,...absolutely None,  no exceptions!
DNS:  <IP of the AD DNS>,...nothing else,...no exceptions!

Intermediate NICs (if such exist):
IP: <proper IP#>
Mask: <proper mask>
Gateway: None,...absolutely None,  no exceptions!
DNS:  None,...absolutely None,  no exceptions!

External NIC:
IP: <proper IP#>
Mask: <proper mask>
Gateway: <proper gateway IP#>  This is the only NIC with a Gateway!
DNS:  None,...absolutely None,  no exceptions!

Internal Network Definition
List all IP ranges on the LAN,...if multiple subnets,...include them all.

Static Routes
If a particular Network Definition (like Internal) contains multiple subnets, then a static route is needed to tell the TMG what gateway to use to reach them.

Access Rules
The very first Access Rule at the top of the rule list needs to be a rule that allows the AD/DNS to make outbound DNS queries.  What you create below that is up to you and your goals.
 
LVL 51

Expert Comment

by:Keith Alabaster
Phil - see the previous question about configuring SBS and using ISA - you will see the issue within a few seconds. I've already tried explaining how the NICs and DNS should be set up, but obviously I didn't do a very good job of it.
 
LVL 29

Assisted Solution

by:pwindell (earned 250 total points)
I understand what you are saying.  I was just going for what I think is the real issue he should be looking at.  I don't think disabling the filter is even the right conversation,...he should be looking at the root cause of the Chain Loop error.  Disabling the HTTP Filter might make the error "go away" but does not really solve the problem that caused it.  I don't know the exact cause of the error in this case, so I just listed a sort of "best practices" list of things to make right and see if that exposes the cause of the problem.
 
LVL 16

Author Comment

by:R. Andrew Koffron
Sorry for the slow response, I was on the road all day yesterday.

I've been saying for the whole time, and in all 3 related questions: I'm not getting something, I'm failing to understand a step, I'm missing something. I have read the documents.  I've deployed a couple of ISA servers before and never had this sort of trouble.  It's been a few years, so I don't remember everything.

@pwindell your instructions are EXACTLY how I have all the basics, and almost exactly how I had it set up initially. All the twists and turns and weird setups have been trying to figure out why the TMG can't get on the net unless I disable the web proxy filter.
I did not attempt to use the TMG as a proxy UNTIL I was trying to troubleshoot a denied access error; once I set the TMG to use itself as a proxy, the proxy loop error comes up and won't go away even after removing the proxy entry.

@keith_alabaster I am not an expert at ISA, that's why I asked the freaking question. I thought the whole point of Experts Exchange was to get help, share knowledge and HELP each other. So far all you've done is tell me to read the docs, acted like my problem is "SOOOO OBVIOUS" and I'm stupid, and over and over I have but still have these errors, and over and over you tell me to read the docs. THEN you tell me to mail you off list, and I do it twice and get both messages ignored. So I'm back on the list, BECAUSE I'M NOT UNDERSTANDING SOMETHING AND NEED HELP!
 
LVL 16

Author Comment

by:R. Andrew Koffron
@pwindell by the way, thanks for understanding that my goal is to get this working without removing the web proxy filter. I do want to end up with the best ISA server setup I can.
 
LVL 16

Author Comment

by:R. Andrew Koffron
Here was the original ipconfig:
Ethernet adapter Internal:
 
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : D-Link DGE-530T Gigabit Ethernet Adapter(rev.B)
   Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.202.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.202.253
 
Ethernet adapter External:
 
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Linksys EG1032 v3 Instant Gigabit Desktop Network Adapter Driver
   Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : x.x.x.92
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : x.x.x.94
   DNS Servers . . . . . . . . . . . : 192.168.202.253
 
Installed ISA server, and ran Edge Firewall wizard.

Now it's the same, except I removed the DNS server from the external NIC.
Internal is at the top of the binding list.
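The NIC checklist pwindell gives above and the ipconfig output just posted, as an added example that is not from the thread, from Microsoft or from ISA: a Python script that parses "ipconfig /all" text and reports every deviation from that checklist (a gateway on the internal NIC, DNS servers on the external or an intermediate NIC, the internal NIC pointing at anything but the AD DNS, more than one NIC carrying a gateway). The sample output is constructed from the author's post, with the masked public addresses replaced by 203.0.113.x documentation addresses; the adapter names and the AD DNS address are assumptions passed in by the caller, and binding order and Web chaining rules are not visible to ipconfig, so they are not checked here.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the ipconfig output posted in this thread.
# The author's masked public addresses (x.x.x.92 / x.x.x.94) are replaced
# with addresses from the 203.0.113.0/24 documentation range.
SAMPLE_IPCONFIG = """\
Ethernet adapter Internal:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : D-Link DGE-530T Gigabit Ethernet Adapter(rev.B)
   Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.202.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.202.253

Ethernet adapter External:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Linksys EG1032 v3 Instant Gigabit Desktop Network Adapter Driver
   Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 203.0.113.92
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : 203.0.113.94
   DNS Servers . . . . . . . . . . . : 192.168.202.253
"""

ADAPTER_RE = re.compile(r"^Ethernet adapter (.+):$")
# Field name, a run of ' .' padding, a colon, then the (possibly empty) value.
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z\- ]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse 'ipconfig /all' output into {adapter: {field: [values]}}.
    A blank value (e.g. an empty Default Gateway) becomes an empty list;
    indented continuation lines (extra DNS servers) are appended to the
    previous field."""
    adapters: Dict[str, Dict[str, List[str]]] = {}
    current = None
    last_field = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1).strip()
            adapters[current] = {}
            last_field = None
            continue
        if current is None or not line.strip():
            continue
        m = FIELD_RE.match(line)
        if m:
            last_field = m.group(1).strip()
            value = m.group(2).strip()
            adapters[current][last_field] = [value] if value else []
        elif last_field is not None:
            adapters[current][last_field].append(line.strip())
    return adapters


def check_isa_nics(adapters: Dict[str, Dict[str, List[str]]],
                   internal: str, external: str, ad_dns: str) -> List[str]:
    """Apply the checklist from the thread. Returns findings; empty means clean.
    'internal' and 'external' are the adapter names; every other adapter is
    treated as an intermediate NIC (no gateway, no DNS)."""
    findings: List[str] = []
    for name, fields in adapters.items():
        gw = fields.get("Default Gateway", [])
        dns = fields.get("DNS Servers", [])
        if name == external:
            if not gw:
                findings.append(f"{name}: external NIC has no default gateway")
            if dns:
                findings.append(f"{name}: external NIC must have no DNS servers, has {dns}")
        elif name == internal:
            if gw:
                findings.append(f"{name}: internal NIC must have no default gateway, has {gw}")
            if dns != [ad_dns]:
                findings.append(f"{name}: internal NIC DNS must be exactly [{ad_dns}], has {dns}")
        else:
            if gw:
                findings.append(f"{name}: intermediate NIC must have no default gateway, has {gw}")
            if dns:
                findings.append(f"{name}: intermediate NIC must have no DNS servers, has {dns}")
    gw_owners = [n for n, f in adapters.items() if f.get("Default Gateway")]
    if len(gw_owners) > 1:
        findings.append(f"more than one NIC carries a default gateway: {gw_owners}")
    return findings


if __name__ == "__main__":
    nics = parse_ipconfig(SAMPLE_IPCONFIG)
    # The original post: DNS on the external NIC is the one deviation.
    for finding in check_isa_nics(nics, "Internal", "External", "192.168.202.253"):
        print("FINDING:", finding)
    # After the author's fix (DNS removed from External) the report is empty.
    nics["External"]["DNS Servers"] = []
    print("after fix:", check_isa_nics(nics, "Internal", "External", "192.168.202.253"))
```

On a live box the text comes from "ipconfig /all > nics.txt" and is fed to parse_ipconfig; the checker deliberately takes the adapter roles as arguments instead of guessing them from names, since a NIC labelled "External" with an RFC 1918 address is exactly the kind of thing a checklist should not silently accept.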
 
LVL 29

Expert Comment

by:pwindell
I don't think Keith's intent was as you are thinking.  With the number of questions he and I review it is hard to always spend a lot of time with just one question,...and so it may sometimes seem like we are just telling you to go read the docs,...and sometimes, yes, we get impatient.  As far as him not getting back to you, he has a very demanding, and maybe a bit overwhelming, job in the "real world" over in the UK.  Something could have come up there that has him short on time.  The time spent (when we have the time) in Experts Exchange is donated for free,...we don't get paid anything for this other than a T-shirt once in a while.
Anyway, all I can think of at this point is to look for some KB articles that may address the issue,...I don't know of any off the top of my head so I'll have to look around.  I'll post the links if I find anything.  Removing the DNS from the second NIC is good.  It wouldn't hurt to double check those specs and see if anything was overlooked,...particularly any "proxy chaining" configuration that might need to be removed.
 
LVL 16

Author Comment

by:R. Andrew Koffron
I just get pissed with comments like "Phil - see the previous question about configuring SBS and using ISA - you will see the issue within a few seconds. I've already tried explaining how the nics and dns should be setup but obviously I didn't do a very good job of it." If I've screwed up so bad, why not just put in the obvious one-second answer? It's like he sees how to fix it but would rather be a smarty pants than give the answer.

I've read EVERYTHING he suggested, and tried EVERY suggestion he's made as close to the letter as possible, and I've freely admitted I might be "just not getting it" on some fine point.

Please post a comment in the other question; this one was for whether or not removing the web proxy filter was an acceptable course of action, and you and Keith did answer that.
http://www.experts-exchange.com/Microsoft/Windows_Security/Q_26484290.html

Now I'm back to troubleshooting the proxy error;
all the TechNet stuff I read just says to uncheck it, or to make a workaround ruleset (which I will try in a bit if I can't find an actual fix).
 
LVL 29

Expert Comment

by:pwindell
What I have found so far indicates that disabling the HTTP Filter is valid when a real proxy loop truly exists.
So if you are not trying to run a chained proxy situation then the Filter should not be disabled.  So it keeps coming back to something in your config that is creating a loop.  One common way for this to happen is with 3rd party add-ons on the ISA that act as their own proxy.  For example (from some material that I found):

"Problem: You are running a third-party proxy application on the same computer as ISA Server, with the following settings: Clients make Web requests to ISA Server (port 8080).
ISA Server has a Web chaining rule configured, to direct traffic upstream to the second Web Proxy application on an alternative port (for example, port 8082).

The client receives a 12206 error: ISA Server detected a proxy chain loop.
Cause: ISA Server receives a Web request on port 8080 and redirects it to port 8082. The third-party proxy application receives the request on port 8082, and sends it to port 80 as an HTTP request.
ISA Server intercepts the traffic on port 80 as a transparent proxy request, and passes it to the Web Proxy filter. This causes traffic to be directed upstream again, causing a proxy chain loop. This is detected when ISA Server receives the request for the third time, and returns an error."
 
LVL 16

Author Comment

by:R. Andrew Koffron
haha, you guys probably don't care about points anymore, but it's all I am able to do to show that I do appreciate the time and effort people put in, and I want my points when I spend time with people.  I really do appreciate the time spent; EE should make a "spend 'em a beer" option :)
 
LVL 29

Expert Comment

by:pwindell
No problem.
Post what you find if you find anything new.
 
LVL 16

Author Comment

by:R. Andrew Koffron
Clean install of 2003,
NOD32 antivirus,
service packed to SP2 (for ISA install),
NICs set as above,
ISA 2006 installed,
Edge Firewall Wizard,
now I've disabled the web proxy filter and the machine is fully patched.

I did not add any 3rd party stuff, or do anything "fancy" (fancy usually means dumb unless you know a product hands down); part of why I'm so frustrated is that this just seems like a bug, and MS wants 250 to issue a case on it.

There is no other proxy in front of it that I'm aware of (ISP assigned IPs), and surely nothing I entered that's a loop.

I didn't do anything at all with chaining.
 
LVL 29

Expert Comment

by:pwindell
Out of 1000s of installs,...I have never seen an ISA do this.  I have never ever had to disable the HTTP Filter.  I don't know what to tell you.
In the grand scheme of things the $250 isn't a big deal (even I as an MS MVP have to pay it).  Most companies make you pay around $1200 per year for the privilege of being able to call their tech support,...that's $100 a month even if you never call them,...and it has to be paid yearly,..over, and over, and over, and over.  At least with MS you're not paying anything if you aren't actually using them with a case.
Not saying I love paying them anything,...I hate it too,...but viewing it in the big picture,...it isn't so bad.
 
LVL 29

Expert Comment

by:pwindell
I'm probably going to be away from the desk for a few hours.  The "real world" is calling with my "real" job.
 
LVL 16

Author Closing Comment

by:R. Andrew Koffron
Closing this again. The question here was what are the risks of running without the web proxy filter, and you gave the most complete and informative answer, so use your administrative privilege to move the points or accept them, but not liking you has nothing to do with who gets the points.  I think you're a jerk, but you still answered this question.  I'm splitting the points because the underlying problem is, as I suspected, an additional good reason to not ignore the error, and pwindell in my opinion deserves part of the points. Do as you see fit, but I will only close this as a split; if you don't like it for personal reasons, you change it.
 
LVL 51

Expert Comment

by:Keith Alabaster
lol - and I think you are a liability :) but it is your company, so how you do things on your own system is obviously your call. Let's just respect the fact that we are not going to be 'best friends'.
 
LVL 16

Author Comment

by:R. Andrew Koffron
I've tried every suggestion you made, and read everything you suggested; I freely admit I might be misunderstanding something, and am seeking the advice needed to correct the issue.  And in spite of not liking you, I've awarded points to you (as was right), because your advice is good, but you act like I've ignored something, or refused to listen, and neither of those things is the case. It's probably an obvious answer right in front of me, but in spite of following your advice the problem remains, and if there is an obvious mistake you don't seem willing to point it out in any direct manner, so I continue to seek the fix and to make the machine solid before implementing it as a live security device. I don't see how that's a liability.

You told me to mail you off list, and I did, and waited 2 days for a reply before continuing and trying to open another question. Then you come in and post your "you'll see the problem in a couple seconds" crap but are still unwilling to point it out to me.

So if I'm not getting something, or misunderstanding something basic, reading the docs a 10th time isn't going to solve my misunderstanding.

So cheer up, now I'm going to have to shell out 250.00 to get it sorted, and you can feel good knowing your petty anger at someone not getting it will cost them money. And you can smirk and laugh all day 'cause you could have sorted it but refuse to. Kudos, you're a stud, and a great example of what a section moderator should be!
 
LVL 16

Author Comment

by:R. Andrew Koffron
The problem was NOD32 HTTP scanning.
 
LVL 29

Expert Comment

by:pwindell
NOD32 HTTP scanning. Yes, I can see that happening if the AV creates its own "HTTP proxy".  That is exactly as the description given in the material I found earlier (quoted below):

"Problem: You are running a third-party proxy application on the same computer as ISA Server, with the following settings: Clients make Web requests to ISA Server (port 8080).
ISA Server has a Web chaining rule configured, to direct traffic upstream to the second Web Proxy application on an alternative port (for example, port 8082).

The client receives a 12206 error: ISA Server detected a proxy chain loop.
Cause: ISA Server receives a Web request on port 8080 and redirects it to port 8082. The third-party proxy application receives the request on port 8082, and sends it to port 80 as an HTTP request.
ISA Server intercepts the traffic on port 80 as a transparent proxy request, and passes it to the Web Proxy filter. This causes traffic to be directed upstream again, causing a proxy chain loop. This is detected when ISA Server receives the request for the third time, and returns an error."
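The 12206 scenario pwindell quotes twice above (and the author's NOD32 HTTP scanning, which is the "third-party proxy application" in that description), as an added example that is not from the thread, from TechNet or from ISA: a small Python model of the three hops, showing why the same request arrives at the Web Proxy filter a third time, what the "remove the Web Proxy filter from HTTP" workaround quoted in the question actually changes, and what the real fix (no second proxy on the box) looks like. The port numbers come from the quoted text; everything else is an assumption: loop detection is modelled by counting ISA's own token in the request's Via header (the quote only says the third receipt is detected, not how ISA tracks it), the identifiers are made up, the 502 status stands in for ISA's error page, and the workaround path follows the TechNet sentence quoted in the question (explicit web proxy clients still go through the Web Proxy, while port-80 traffic from SecureNAT and Firewall clients leaves without being handed to the filter).

```python
from dataclasses import dataclass, field
from typing import Dict, List

ISA_ID = "1.1 isa-example"            # constructed Via token for the ISA box
AV_PROXY_ID = "1.1 av-http-scanner"   # constructed token for the local third-party HTTP proxy


class ProxyChainLoop(Exception):
    """Error 12206: the same request reached the Web Proxy filter a third time."""
    code = 12206


@dataclass
class Topology:
    third_party_proxy: bool = True   # local proxy on 8082 that ISA chains to (AV HTTP scanning)
    web_proxy_filter: bool = True    # Web Proxy filter bound to HTTP (transparent port-80 redirect)


@dataclass
class Request:
    url: str
    via: List[str] = field(default_factory=list)   # one token per proxy hop (RFC 7230 Via)
    hops: List[str] = field(default_factory=list)  # trace of where the request went
    inspected: int = 0                             # times HTTP application-layer filtering ran


def origin_server(req: Request) -> int:
    req.hops.append("origin:80")
    return 200


def web_proxy_filter(req: Request, topo: Topology) -> int:
    """ISA's Web Proxy filter: serves the 8080 listener and, while bound to HTTP,
    every outbound port-80 request ISA intercepts transparently."""
    if req.via.count(ISA_ID) >= 2:        # assumption: third receipt is detected via its own Via token
        raise ProxyChainLoop()
    req.via.append(ISA_ID)
    req.inspected += 1
    if topo.third_party_proxy:
        req.hops.append("isa:chain->8082")  # the Web chaining rule from the quoted text
        return third_party_proxy(req, topo)
    req.hops.append("isa->80")
    return origin_server(req)


def third_party_proxy(req: Request, topo: Topology) -> int:
    """The local proxy on 8082: re-issues the request to port 80 as plain HTTP."""
    req.via.append(AV_PROXY_ID)
    req.hops.append("3rdparty:8082->80")
    return outbound_port80(req, topo)


def outbound_port80(req: Request, topo: Topology) -> int:
    """Any port-80 request leaving through ISA, from a local proxy or a SecureNAT client."""
    if topo.web_proxy_filter:
        req.hops.append("isa:intercept80")
        return web_proxy_filter(req, topo)
    req.hops.append("isa:l3/l4-pass")     # filter unbound: no HTTP inspection, no cache
    return origin_server(req)


def fetch(url: str, topo: Topology, client: str = "webproxy") -> Dict[str, object]:
    """Send one request; 'webproxy' clients talk to ISA on 8080, 'securenat' clients go to port 80."""
    req = Request(url)
    try:
        if client == "webproxy":
            req.hops.append("client->isa:8080")
            status = web_proxy_filter(req, topo)
        else:
            req.hops.append("client->80")
            status = outbound_port80(req, topo)
    except ProxyChainLoop as exc:
        return {"status": 502, "error": exc.code, "inspected": req.inspected, "hops": req.hops}
    return {"status": status, "error": None, "inspected": req.inspected, "hops": req.hops}


if __name__ == "__main__":
    url = "http://www.example.com/"
    print("loop      :", fetch(url, Topology(third_party_proxy=True, web_proxy_filter=True)))
    print("workaround:", fetch(url, Topology(third_party_proxy=True, web_proxy_filter=False), "securenat"))
    print("fixed     :", fetch(url, Topology(third_party_proxy=False, web_proxy_filter=True), "securenat"))
```

The three runs line up with the thread: with the second proxy present the request bounces 8080, 8082, 80, 8082, 80 and is refused on the third arrival at the filter; unbinding the filter makes the error go away but the SecureNAT run finishes with inspected == 0, which is the accountability loss Keith and the TechNet quote describe; removing the second proxy (turning off the AV's HTTP scanning) is the only run where every client is inspected exactly once and the request still completes.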
 
LVL 16

Author Comment

by:R. Andrew Koffron
Well, I feel better at least that it wasn't anything I was doing wrong, and that I wasn't misunderstanding the instructions.  I wanted to strangle the Microsoft guy when he said "oh look, NOD32, turn off the HTTP scanning" in like 30 seconds. As many times as I read all the docs and tried to get help, you'd think MS would at least have something documented that says: don't use HTTP virus scanning technology.
