Solved

What are the risks of removing HTTP "web proxy filter" from ISA 2006

Posted on 2010-09-20
Last Modified: 2012-05-10
So I've been fighting for a week or so trying to get ISA set up, and keep getting this error:

Error Code 12206: Proxy chain loop
Background: The gateway has detected a proxy chain loop. This condition might indicate a configuration problem on a proxy server.
Date: 9/21/2010 12:26:37 AM [GMT]
Server: XXXXX-xxxxx
Source: Proxy    

I have tried like a million (slight exaggeration) rules and NIC settings, trying to use the machine as its own proxy, reversing NIC binding orders, on and on.

I can get past this by disabling "web proxy filter" on the HTTP protocol, but what is the risk of doing so? It just seems like something I don't want to turn off.

What am I losing in terms of security and accountability by removing this filter?

The TechNet article where I found the web proxy filter workaround says: The disadvantage of this workaround is that outbound HTTP requests from SecureNAT and Firewall clients will then go directly to the Web server instead of being redirected to the Web Proxy filter. Such requests will not be served from the cache, and HTTP application layer filtering will not be applied.

Does this mean I'll not be able to block sites, or monitor/block web content?

Question by:R. Andrew Koffron
24 Comments
 
LVL 6

Expert Comment

by:Hisham_Elkouha
ID: 33724209
Make sure that you don't assign a gateway on the internal NIC, and also, in the advanced settings of the Network Connection, make sure that the internal network is first in the order.
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 250 total points
ID: 33724367
What it means is that for http and https traffic, you lose the ability to monitor traffic at the application layer and can only inspect it at layer 3 and 4. For example, you can still block sites going to a particular URL or domain but cannot inspect http/https traffic deep-down and dirty.

There are users of ISA out there who turn off the web proxy by design - more fool them as this makes the ISA an extremely expensive product for limited benefit - but if you want to use the ISA to its maximum you leave the web proxy enabled.

Requests from a purely secureNAT client are not going to use the web proxy anyway. To fully use the web proxy filter requires the setting of the web proxy configuration within the web browser proxy tab.
0
 
LVL 16

Author Comment

by:R. Andrew Koffron
ID: 33730530
It seemed like a bad idea to remove, but I can't seem to get around the proxy loop error with it enabled.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33738446
have tried like a million (slight exaggeration) rules and NIC settings, trying to use the machine as its own proxy, reversing NIC binding orders on and on.

Then that is probably your problem.  You've tried too many,...and probably all wrong.  Let's stop chasing our tails around in circles because no one knows exactly what you configured or failed to configure.

Thousands of people run TMG and don't have your problems.   It is clearly an issue of an incorrect configuration,...but since you have not clearly described your configuration we have nothing to point at and say "There it is.."

Here's a list of some obvious things:

1. If there is no upstream proxy "above" you then do not configure Proxy Chaining anywhere,...none,...nowhere.  You can't have a proxy chain if there is no 2nd proxy to chain to.

2.  Binding order,...Internal first, intermediate NICs second, third, etc,....External after all the other normal NICs.   No fuzziness, no compromises,...that is exactly how it should be.

3. TMG should not use itself as a Web Proxy,...but it won't break anything if it does.

4. TMG should never have the TMG Client installed on it,...ever.

5. Internal Nic:
IP: <proper LAN IP#>
Mask: <proper mask>
Gateway: None,...absolutely None,  no exceptions!
DNS:  <IP of the AD DNS>,...nothing else,...no exceptions!

Intermediate Nics (if such exist)
IP: <proper IP#>
Mask: <proper mask>
Gateway: None,...absolutely None,  no exceptions!
DNS:  None,...absolutely None,  no exceptions!

External Nic
IP: <proper IP#>
Mask: <proper mask>
Gateway: <proper gateway IP#>  This is the only Nic with a Gateway!
DNS:  None,...absolutely None,  no exceptions!

Internal Network Definition
List all IP Ranges on the LAN,...if multiple subnets,...include them all

Static Routes
If a particular Network Definition (like Internal) contains multiple subnets, then a Static Route is needed to tell the TMG what gateway to use to reach them.

Access Rules
The very first Access Rule at the top of the Rule List needs to be a Rule that allows the AD/DNS to make outbound DNS Queries.  What you create below that is up to you and your goals.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33738558
Phil - see the previous question about configuring SBS and using ISA - you will see the issue within a few seconds. I've already tried explaining how the nics and dns should be setup but obviously I didn't do a very good job of it.
0
 
LVL 29

Assisted Solution

by:pwindell
pwindell earned 250 total points
ID: 33743888
I understand what you are saying.  I was just going for what I think the real issue he should be looking at.  I don't think disabling the Filter is even the right conversation,...he should be looking at the root cause of the Chain Loop error.  Disabling the HTTP Filter might make the error "go away" but does not really solve the problem that caused it.  I don't know the exact cause of the error in this case, so I just listed a sort of "best practices" list of things to make right and see if that exposes the cause of the problem.
0
 
LVL 16

Author Comment

by:R. Andrew Koffron
ID: 33745020
Sorry for the slow response I was on the road all day yesterday.

I've been saying for the whole time and all 3 related questions: I'm not getting something, I'm failing to understand a step, I'm missing something. I have read the documents. I've deployed a couple of ISA servers before and never had this sort of trouble. It's been a few years so I don't remember everything.

@pwindell your instructions are EXACTLY how I have all the basics, and almost exactly how I had it set up initially. All the twists and turns and weird setups have been trying to figure out why the TMG can't get on the net unless I disable the web proxy filter.
I did not attempt to use the TMG as a proxy UNTIL I was trying to troubleshoot a denied access error. Once I set the TMG to use itself as a proxy, the proxy loop error comes up and won't go away even after removing the proxy entry.

@keith_alabaster I am not an expert at ISA, that's why I asked the freaking question. I thought the whole point of Experts Exchange was to get help, share knowledge and HELP each other. So far all you've done is tell me to read the docs, acted like my problem is "SOOOO OBVIOUS" and I'm stupid, and over and over I have, but still have these errors, and over and over you tell me to read the docs. THEN you tell me to mail you off list, and I do it twice and get both messages ignored. So I'm back on the list, BECAUSE I'M NOT UNDERSTANDING SOMETHING AND NEED HELP!

0
 
LVL 16

Author Comment

by:R. Andrew Koffron
ID: 33745475
@pwindell by the way, thanks for understanding that my goal is to get this working without removing the web proxy filter. I do want to end up with the best ISA server setup I can.
0
 
LVL 16

Author Comment

by:R. Andrew Koffron
ID: 33746253
Here was the original ipconfig:
Ethernet adapter Internal:
 
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : D-Link DGE-530T Gigabit Ethernet Adapter(rev.B)
   Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.202.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.202.253
 
Ethernet adapter External:
 
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Linksys EG1032 v3 Instant Gigabit Desktop Network Adapter Driver
   Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : x.x.x.92
   Subnet Mask . . . . . . . . . . . : 255.255.255.248
   Default Gateway . . . . . . . . . : x.x.x.94
   DNS Servers . . . . . . . . . . . : 192.168.202.253
 
Installed ISA server, and ran Edge Firewall wizard.

Now it's the same except I removed the DNS server from the external NIC.
Internal is the top of the binding list.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33747052
I don't think Keith's intent was as you are thinking.  With the number of questions he and I review it is hard to always spend a lot of time with just one question,...and so it may sometimes seem like we're just telling you to go read the Docs,...and sometimes, yes, we get impatient.  As far as him not getting back to you, he has a very demanding, and maybe a bit overwhelming, job in the "real world" over in the UK.  Something could have come up there that has him short on time.  The time spent (when we have the time) in Experts Exchange is donated for free,...we don't get paid anything for this other than a T-Shirt once in a while.
Anyway, all I can think of at this point is to look for some KB Articles that may address the issue,...I don't know of any off the top of my head so I'll have to look around.  I'll post the links if I find anything.  Removing the DNS from the second NIC is good.  It wouldn't hurt to double check those specs and see if anything was overlooked,...particularly any "proxy chaining" configuration that might need to be removed.
0
 
LVL 16

Author Comment

by:R. Andrew Koffron
ID: 33747177
I just get pissed with the comments like "Phil - see the previous question about configuring SBS and using ISA - you will see the issue within a few seconds. I've already tried explaining how the nics and dns should be setup but obviously I didn't do a very good job of it.". If I've screwed up so bad, why not just put in the obvious one-second answer? It's like he sees how to fix it but would rather be a smarty pants than give the answer.

I've read every EVERYTHING he suggested, and tried EVERY suggestion he's made as close to the letter as possible, and I've freely admitted I might be "just not getting it" on some fine point.

Please post a comment in the other question. This one was for whether or not removing the web proxy filter was an acceptable course of action, and you and Keith did answer that.
http://www.experts-exchange.com/Microsoft/Windows_Security/Q_26484290.html

Now I'm back to troubleshooting the proxy error.
All the TechNet stuff I read just says to uncheck it, or to make a workaround ruleset (which I will try in a bit if I can't find an actual fix).
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33747208
What I have found so far indicates that disabling the HTTP Filter is valid when a real proxy loop truly exists.
So if you are not trying to run a chained proxy situation then the Filter should not be disabled.  So it keeps coming back to something in your config that is creating a loop.  One common way for this to happen is with 3rd party add-ons on the ISA that act as their own proxy.  For example (from some material that I found):
Problem: You are running a third-party proxy application on the same computer as ISA Server, with the following settings: Clients make Web requests to ISA Server (port 8080).
ISA Server has a Web chaining rule configured, to direct traffic upstream to the second Web Proxy application on an alternative port (for example, port 8082).

The client receives a 12206 error: ISA Server detected a proxy chain loop.
Cause: ISA Server receives a Web request on port 8080 and redirects it to port 8082. The third-party proxy application receives the request on port 8082, and sends it to port 80 as an HTTP request.
ISA Server intercepts the traffic on port 80 as a transparent proxy request, and passes it to the Web Proxy filter. This causes traffic to be directed upstream again, causing a proxy chain loop. This is detected when ISA Server receives the request for the third time, and returns an error.

0
 
LVL 16

Author Comment

by:R. Andrew Koffron
ID: 33747319
haha, you guys probably don't care about points anymore but it's all I am able to do to show that I do appreciate the time and effort people put in. And I want my points when I spend time with people.  I really do appreciate the time spent. EE should make a "send em a beer" option :)
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33747356
No problem.  
Post what you find if you find anything new.
0
 
LVL 16

Author Comment

by:R. Andrew Koffron
ID: 33747443
clean install of 2003,
Nod32 AntiVirus,
service packed to SP2 (for ISA install) ,
NICs set as above.
ISA 2006 installed.
Edge firewall Wizard,
Now I've disabled the web proxy filter and the machine is fully patched.

I did not add any 3rd party stuff, or do anything "fancy" (fancy usually means dumb unless you know a product hands down), part of why I'm so frustrated. This just seems like a bug, and MS wants 250 to issue a case on it.

there is no other proxy in front of it I'm aware of (ISP assigned IPs), and surely nothing I entered that's a loop.

I didn't do anything at all with chaining.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33747545
Out of 1000's of installs,...I have never seen an ISA do this.  I have never ever had to disable the HTTP Filter.  I don't know what to tell you.
In the grand scheme of things the $250 isn't a big deal (even I as an MS MVP have to pay it).  Most companies make you pay around $1200 per year for the privilege of being able to call their tech support,...that's $100 a month even if you never call them,...and it has to be paid yearly,..over, and over, and over, and over.  At least with MS you're not paying anything if you aren't actually using them with a case.
Not saying I love paying them anything,...I hate it too,...but viewing it in the big picture,...it isn't so bad.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33747558
I'm probably going to be away from the desk for a few hours.  The "real world" is calling with my "real" job.
 
0
 
LVL 16

Author Closing Comment

by:R. Andrew Koffron
ID: 33757755
Closing this again. The question here was what are the risks of running without the web proxy filter, and you gave the most complete and informative answer. So use your administrative privilege to move the points or accept them, but not liking you has nothing to do with who gets the points.  I think you're a jerk, but you still answered this question.  I'm splitting the points because the underlying problem is, as I suspected, an additional good reason to not ignore the error, and pwindell in my opinion deserves part of the points. Do as you see fit, but I will only close this as a split. If you don't like it for personal reasons you change it.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 33759692
lol - and I think you are a liability :) but it is your company so how you do things on your own system is obviously your call. Let's just respect the fact that we are not going to be 'best friends'.
0
 
LVL 16

Author Comment

by:R. Andrew Koffron
ID: 33759753
I've tried every suggestion you made, and read everything you suggested. I freely admit I might be misunderstanding something, and am seeking the advice needed to correct the issue.  And in spite of not liking you, I've awarded points to you (as was right), because your advice is good, but you act like I've ignored something, or refused to listen, and neither of those things is the case. It's probably an obvious answer right in front of me, but in spite of following your advice the problem remains, and if there is an obvious mistake you don't seem willing to point it out in any direct manner, so I continue to seek the fix and to make the machine solid before implementing it as a live security device. I don't see how that's a liability.

You told me to mail you off list, and I did and waited 2 days for a reply, before continuing and trying to open another question. Then you come in and post your "you'll see the problem in a couple seconds" crap but are still unwilling to point it out to me.

So if I'm not getting something, or misunderstanding something basic, reading the docs a 10th time isn't going to solve my misunderstanding.

So cheer up, now I'm going to have to shell out 250.00 to get it sorted, and you can feel good knowing your petty anger at someone not getting it will cost them money. And you can smirk and laugh all day cause you could have sorted it but refuse to. Kudos, you're a stud, and a great example of what a section moderator should be!
0
 
LVL 16

Author Comment

by:R. Andrew Koffron
ID: 33828058
The problem was NOD32 HTTP scanning.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 33830949
NOD32 HTTP scanning. Yes, I can see that happening if the AV creates its own "http proxy".  That is exactly the description given in the material I found earlier (quoted below):

Problem: You are running a third-party proxy application on the same computer as ISA Server, with the following settings: Clients make Web requests to ISA Server (port 8080).
ISA Server has a Web chaining rule configured, to direct traffic upstream to the second Web Proxy application on an alternative port (for example, port 8082).

The client receives a 12206 error: ISA Server detected a proxy chain loop.
Cause: ISA Server receives a Web request on port 8080 and redirects it to port 8082. The third-party proxy application receives the request on port 8082, and sends it to port 80 as an HTTP request.
ISA Server intercepts the traffic on port 80 as a transparent proxy request, and passes it to the Web Proxy filter. This causes traffic to be directed upstream again, causing a proxy chain loop. This is detected when ISA Server receives the request for the third time, and returns an error.

0
 
LVL 16

Author Comment

by:R. Andrew Koffron
ID: 33832592
Well, I feel better at least that it wasn't anything I was doing wrong, and that I wasn't misunderstanding the instructions.  I wanted to strangle the Microsoft guy when he said "oh look, nod32, turn off the http scanning" in like 30 seconds. As many times as I read all the docs and tried to get help, you'd think MS would at least have something documented that says don't use HTTP virus scanning technology.

0
