Microsoft KB Archive/924373

= Link translation causes an endless loop when you use Web servers that redirect HTTP requests as HTTPS requests in ISA Server 2006 =

Article ID: 924373

Article Last Modified on 10/20/2006

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
 * Microsoft Internet Security and Acceleration Server 2006 Standard Edition

-



SYMPTOMS
Consider the following scenario:
 * You have a computer that is running Microsoft Internet Security and Acceleration (ISA) Server 2006 in a split DNS infrastructure.
 * You have a Web server that automatically redirects HTTP requests to Secure Socket Layer (SSL) requests.
 * You create a Web publishing rule for the Web server that redirects HTTP requests to HTTPS.
 * You use one of the following configurations:
 * You configure the Web listener to listen for HTTP requests and also to use bridging.
 * You configure the Web listener and the bridging for both HTTP and for SSL requests (HTTPS).

In this scenario, when the Web server receives an HTTP request, it redirects the request to the ISA server as an SSL request (HTTPS). For example,  is redirected to.

Then, the ISA server translates SSL requests to HTTP requests and redirects it to the Web server. This causes an endless loop.



WORKAROUND
To work around this issue, use one of the following methods, as appropriate for your situation.

Method 1
Use the new feature that is included with ISA Server 2006 to redirect HTTP to HTTPS. To do this, follow these steps:
 * 1) Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
 * 2) Expand Microsoft Internet Security and Acceleration Server 2006, expand , and then click Firewall Policy.

Note For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand, and then click Firewall Policy.
 * 1) On the Toolbox tab, click Network Objects, expand Web Listeners, right-click the Web listener, and then click Properties.
 * 2) Select Enable HTTP connections on port, and then confirm that the listening port for HTTP is 80. Confirm that Enable SSL (HTTPS) connections on port is selected and is listening on port 443.
 * 3) Select Redirect all traffic from HTTP to HTTPS.
 * 4) Click OK, and then click Apply to save the changes and to update the configuration.

Method 2
Add explicit mappings to the link translation dictionary. These explicit mappings will avoid an endless loop that is created when ISA server translates SSL requests to HTTP requests and redirects them to the Web server.

For example, add an explicit &quot;do nothing&quot; string mapping such as  to. The unwanted translation that causes the endless loop is overridden by this &quot;do nothing&quot; mapping. To do this, follow these steps:
 * 1) Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
 * 2) Expand Microsoft Internet Security and Acceleration Server 2006, expand , and then click Firewall Policy.
 * 3) In the details pane, click the applicable Web publishing rule.
 * 4) On the Tasks tab, click Edit Selected Rule.
 * 5) On the Link Translation tab, click Configure, and then click Add.
 * 6) In the Replace this text box, type the explicit string that you want to add to the link translation dictionary. For example, type https://www.contoso.com.
 * 7) In the With this text box, type the same string that you added in step 6. For example, type https://www.contoso.com again.

Note When you type the same string in the Replace this text box and the With this text box, the ISA server does not translate SSL requests to HTTP requests for that string entry.
 * 1) Click OK two times.
 * 2) Click Apply, and then click OK.



MORE INFORMATION
For more information about ISA Server 2006, visit the following Microsoft Web site:

http://www.microsoft.com/technet/isa/2006/default.mspx

Keywords: kbtshoot kbprb KB924373

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.