http://blogs.technet.com/isablog/archive/2009/09/09/behavioral-change-on-ie7-can-affect-outbound-access-through-isa-server-2006-that-is-using-redirect-on-a-deny-rule.aspx
Behavioral Change on IE7 can affect Outbound access through ISA Server 2006 that is using Redirect on a Deny Rule

1. Introduction

It is very common for firewall administrators to have deny rules that block traffic to some destinations, and sometimes, instead of just exposing an error page to the end user, they prefer to redirect the end user to a custom, friendlier page. This redirect is done by using the Deny/Redirect action in the access rule, as shown below:


Figure 1 – Deny rule with a redirect to the destination page.

Note: for more information on the HTTP 302 redirect on ISA read How to Allow HTTP 301 through ISA Server 2006.


When the end user hits this rule, ISA Server sends an HTTP 302 redirect, as shown in the following Network Monitor trace from a working scenario:

10.20.20.200 10.20.20.2 HTTP HTTP:Request, GET Microsoft Corporation
- Http: Request, GET Microsoft Corporation
Command: GET
+ URI: Microsoft Corporation
ProtocolVersion: HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: Microsoft Corporation
ProxyConnection: Keep-Alive
HeaderEnd: CRLF

10.20.20.2 10.20.20.200 HTTP HTTP:Response, HTTP/1.1, Status Code = 302, URL: Microsoft Corporation
- Http: Response, HTTP/1.1, Status Code = 302, URL: Microsoft Corporation
ProtocolVersion: HTTP/1.1
StatusCode: 302, Moved temporarily
Reason: Object Moved
Date: Tue, 01 Sep 2009 12:36:26 GMT
Connection: close
ProxyConnection: close
ContentLength: 0
Location: http://dccont.contoso.msft
HeaderEnd: CRLF

For this specific example the following page appears as result of this redirect:


Figure 2 – Redirect to a custom page.

This is the behavior that the system administrator wants to accomplish with the settings on ISA Server; however, this post describes a potential problem that can happen when users running Internet Explorer 7 (and above) try to access a site on the deny list using HTTPS.

2. Internet Explorer Cannot display the page

For this failing scenario the internal client (behind ISA Server) was trying to access https://mail.fabrikam.com and during that access the error below appeared:


Figure 3 – Error that client was receiving when trying to access the HTTPS site.

Using Network Monitor I captured the request to better understand why this was happening, and at the same time I enabled ISA logging. Here is the result:

1. Client sends the request:

10.20.20.200 10.20.20.2 HTTP HTTP:Request, CONNECT mail.fabrikam.com:443
- Http: Request, CONNECT mail.fabrikam.com:443
Command: CONNECT
+ URI: mail.fabrikam.com:443
ProtocolVersion: HTTP/1.0
UserAgent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
ProxyConnection: Keep-Alive
ContentLength: 0
Host: mail.fabrikam.com
Pragma: no-cache
HeaderEnd: CRLF

2. ISA Server evaluates the request, identifies that this URL belongs to the Domain Name Set that the deny access rule is using, and logs the following event in the Monitoring/Logging page:


Figure 4 – ISA identifies that the destination URL belongs to a block list.

3. The access rule blocks the request and, since the rule is configured to redirect the request to an internal server hosting the error message that users should receive, the packet below is sent:


10.20.20.2 10.20.20.200 HTTP HTTP:Response, HTTP/1.1, Status Code = 302, URL: mail.fabrikam.com:443
- Http: Response, HTTP/1.1, Status Code = 302, URL: mail.fabrikam.com:443
ProtocolVersion: HTTP/1.1
StatusCode: 302, Moved temporarily
Reason: Object Moved
Date: Tue, 01 Sep 2009 12:39:45 GMT
Connection: close
ProxyConnection: close
ContentLength: 0
Location: http://dccont.contoso.msft
HeaderEnd: CRLF

4. To our surprise (since it was working on IE6 and other browsers), Internet Explorer 7 sends a FIN and doesn’t go out to the redirect page:

10.20.20.200 10.20.20.2 TCP TCP:Flags=...A...F, SrcPort=1359, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=3697209130, Ack=2998660669, Win=65368 (scale factor 0x0) = 65368

Collaborating with the IE Team (thanks Michael Van Dao), we learned that this is expected due to a behavioral change in IE 7, as explained in the post below:

http://blogs.msdn.com/askie/archive/2009/06/18/change-in-behavior-with-internet-explorer-7-and-later-in-regard-to-connect-requests.aspx

Starting with IE7, a behavior change has been made in how IE handles certain Server response codes to web browser connections that originate as a CONNECT request. Specifically, if a CONNECT request is made by IE to a Web Server and it receives a Server response to that CONNECT request with something other than 200, IE could reject that response as invalid (ERROR_HTTP_INVALID_SERVER_RESPONSE).

4. How to Block HTTPS without using Redirect?

One alternative that keeps blocking access to the URLs you want while avoiding the “page cannot be displayed” error for the end user is to create two rules on ISA Server. The plan is to handle all redirects with one rule that applies to all protocols except HTTPS, while the other rule applies only to HTTPS and does not use the redirect option.

These rules will be configured as follows:

Rule #1
·Type: Deny
·Protocols: All Protocols Except HTTPS (see Figure 5)
·Redirect Enabled.
·To: Domain Name Set or URL Set that has the list of unwanted URLs.


Figure 5 – Protocols that belong to the first deny rule.

Note: It is very important to emphasize that by blocking all protocols you can also be affected by poor DNS performance or DNS issues, as explained in this post from the Forefront TMG (ISA Server) Product Team Blog: ISA Server 2006 stops answering requests.


Rule #2
·Type: Deny
·Protocols: HTTPS (see Figure 6)
·Redirect Disabled (see Figure 7).
·To: Domain Name Set or URL Set that has the list of unwanted URLs.


Figure 6 – Protocols for the second deny rule.


Figure 7 – Action for the second deny rule

Here is what happens in this scenario when the client workstation tries to access https://mail.fabrikam.com/exchange:

1. Client sends the request:

10.20.20.200 isacontn2.contoso.msft HTTP HTTP:Request, CONNECT mail.fabrikam.com:443

2. ISA Server evaluates the request and sees that it matches the “My Block List – HTTPS” rule:


Figure 8 – ISA blocks the access using the HTTPS rule.

3. ISA Server then sends an HTTP 502 to the client workstation:

isacontn2.contoso.msft 10.20.20.200 HTTP HTTP:Response, HTTP/1.1, Status Code = 502, URL: mail.fabrikam.com:443
- Http: Response, HTTP/1.1, Status Code = 502, URL: mail.fabrikam.com:443
ProtocolVersion: HTTP/1.1
StatusCode: 502, Bad gateway
Reason: Proxy Error ( The ISA Server denied the specified Uniform Resource Locator (URL). )
Via: 1.1 ISACONTN2
Connection: close
ProxyConnection: close
Pragma: no-cache
Cache-Control: no-cache
+ ContentType: text/html
ContentLength: 666
HeaderEnd: CRLF
+ payload: HttpContentType = text/html

4. The error below appears in the client workstation:


Figure 9 – Default message for 502 error.

The good thing about this approach is that if you don’t like the error message the client will receive, you can still customize it by following the guidelines in the article below:
http://technet.microsoft.com/en-us/library/bb794832.aspx
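The following is an added example, not code from the original post or from ISA Server. It models the two scenarios described above in a few lines of Python: how a deny rule with and without the Redirect action answers a proxied request, and how Internet Explorer 7 and later reacts when that request was a CONNECT. The rule names, the constructed block list and the two-protocol model (HTTP and HTTPS standing in for "All Protocols Except HTTPS") are assumptions; the redirect target and the 302/502 status lines are taken from the traces in the post.

```python
# Added example (not the post's or ISA Server's own code): a model of ISA deny
# rules answering GET and CONNECT requests, and of the IE7+ reaction to a
# non-200 answer to CONNECT that is described in the post.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

REDIRECT_PAGE = "http://dccont.contoso.msft"   # Location header seen in the post's traces
BLOCK_LIST = frozenset({"mail.fabrikam.com"})  # constructed Domain Name Set for the deny rules

# Simplified protocol model (assumption): the real rule uses "All Protocols
# Except HTTPS"; only HTTP and HTTPS matter for this walk-through.
HTTP_ONLY = frozenset({"HTTP"})
HTTPS_ONLY = frozenset({"HTTPS"})
ALL = HTTP_ONLY | HTTPS_ONLY


@dataclass(frozen=True)
class Request:
    method: str   # "GET" for plain HTTP, "CONNECT" for a proxied TLS tunnel
    host: str
    port: int


@dataclass(frozen=True)
class Rule:
    name: str
    protocols: FrozenSet[str]
    redirect: bool   # True = Deny with Redirect (302), False = plain Deny (502)


@dataclass(frozen=True)
class Response:
    status: int
    reason: str
    headers: Tuple[Tuple[str, str], ...]


def protocol_of(req: Request) -> str:
    """A CONNECT to port 443 is how the browser opens an HTTPS session through the proxy."""
    return "HTTPS" if req.method == "CONNECT" and req.port == 443 else "HTTP"


def evaluate(rules: List[Rule], req: Request) -> Tuple[Response, Optional[str]]:
    """First matching deny rule wins; a request matching no rule is allowed (assumption)."""
    proto = protocol_of(req)
    for rule in rules:
        if req.host in BLOCK_LIST and proto in rule.protocols:
            if rule.redirect:
                return Response(302, "Object Moved",
                                (("Location", REDIRECT_PAGE), ("Content-Length", "0"),
                                 ("Connection", "close"))), rule.name
            return Response(502, "Proxy Error ( The ISA Server denied the specified "
                                 "Uniform Resource Locator (URL). )",
                            (("Content-Type", "text/html"), ("Connection", "close"))), rule.name
    return Response(200, "OK", ()), None


def to_wire(resp: Response) -> str:
    """Render the status line and headers the way they travel on the wire."""
    lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
    lines += [f"{name}: {value}" for name, value in resp.headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def ie7_outcome(req: Request, resp: Response) -> str:
    """IE7+ behaviour from the post: a redirect answering a CONNECT is rejected as an
    invalid server response, while the 502 with an HTML body is displayed (Figure 9)."""
    if req.method == "CONNECT" and 300 <= resp.status < 400:
        return "ERROR_HTTP_INVALID_SERVER_RESPONSE"
    if resp.status == 302:
        return f"follow redirect to {dict(resp.headers)['Location']}"
    if resp.status == 502:
        return "display 502 error page"
    return "request allowed"


# Original configuration: one deny rule, all protocols, Redirect enabled.
SINGLE_RULE = [Rule("My Block List", ALL, redirect=True)]

# Workaround from the post: Rule #1 redirects everything except HTTPS,
# Rule #2 denies HTTPS with Redirect disabled (rule names are assumptions).
TWO_RULES = [
    Rule("My Block List", HTTP_ONLY, redirect=True),
    Rule("My Block List - HTTPS", HTTPS_ONLY, redirect=False),
]


def simulate(rules: List[Rule], req: Request) -> Dict[str, object]:
    """Return which rule fired, the status sent, and what the IE7+ client does with it."""
    resp, matched = evaluate(rules, req)
    return {"rule": matched, "status": resp.status, "browser": ie7_outcome(req, resp)}


if __name__ == "__main__":
    https_req = Request("CONNECT", "mail.fabrikam.com", 443)
    http_req = Request("GET", "mail.fabrikam.com", 80)
    for label, rules in (("single rule", SINGLE_RULE), ("two rules", TWO_RULES)):
        for req in (http_req, https_req):
            print(label, req.method, simulate(rules, req))
    print(to_wire(evaluate(TWO_RULES, https_req)[0]))
```

Running the script shows the failure mode and the fix side by side: with the single rule, the CONNECT for mail.fabrikam.com gets a 302 that IE7 discards as an invalid server response, while with the two rules the same CONNECT gets a 502 the browser renders, and plain HTTP requests to the blocked host still follow the redirect to the custom page.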

Author
Yuri Diogenes
Sr Security Support Escalation Engineer
Microsoft CSS Forefront Edge Team

Technical Reviewers
Vic Singh Shahid
Escalation Engineer
Microsoft CSS Forefront Edge Team

Michael Van Dao
Sr Support Escalation Engineer
Microsoft DSI IE Core Team
