Microsoft KB Archive/813864

= FIX: Site and Content Rules Do Not Filter Based on File Name Extensions =

Article ID: 813864

Article Last Modified on 6/14/2007


APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition
 * Microsoft Internet Security and Acceleration Server 2000 Service Pack 1




SYMPTOMS
When you use Content Types (HTTP Content) in Site and Content Rules to deny or allow requests for downloading specific files (for example, .exe files), ISA Server does not deny or allow the request if you only have the file name extension (for example, .exe) configured in the appropriate Content Group.

This problem occurs only when you serve outgoing HTTP requests through ISA Server.

This problem does not occur if you include the content type that is appropriate for the file name extension that you want to block or allow in the correct Content Group (for example, application/octet-stream for the .exe file name extension). However, if you do this, you may experience other problems. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

319073 Web Pages May Not Display Correctly When You Deny the Application/Octet-Stream Content Type

(For more information about how to set the Content Type, see the "More Information" section of this article.)



CAUSE
This behavior occurs because ISA Server cannot deny or allow HTTP requests based on file name extensions, regardless of whether you have configured this setting in HTTP Content of the appropriate Site and Content Rule.



RESOLUTION
To resolve this problem, obtain the Update Rollup for ISA Server Services. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

810493 INFO: Update Rollup for ISA Server Services

Hotfix Information
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

After you apply this hotfix, you can control whether ISA Server blocks or allows requests based on file name extension or based on Content Type:

 * If you want ISA Server to block requests based only on the file name extension, add the following registry key:
 * If you want ISA Server to block requests based only on Content Type, add the following registry key:



Note If you receive authentication prompts after you install this hotfix and add the correct registry entries, apply the registry change that appears in the following article in the Microsoft Knowledge Base:

297324 Multiple Authentication Dialog Boxes Are Displayed When You Use Access Control



MORE INFORMATION
After you apply the hotfix and you set the  registry value, you may notice that HTTP requests from some users are denied to URLs where you do not want to block requests. This behavior did not occur before you applied the hotfix.

This problem occurs because ISA Server denies all requests to the file name extensions that you have configured in the Site and Content Rules, regardless of whether the response is a file download (Binary Stream) or HTTP content.

If you notice this issue, you can exclude URLs from being denied. Add these URLs as exceptions to the Site and Content Rules where you have defined the Content to be blocked. For example, assume that you have the following Site and Content Rule for blocking .exe file name extensions:

Site and Content Rule Name: Block exe

Enabled: True

Rule Applies to: All Destinations

Access to the specified destinations: Denied

Rule Applies to: Any Request

Rule Applies to: Selected Content Groups

Content Groups Selected: exe file extension

Requests to http://www.northwindtraders.com/example.exe are denied because this rule blocks them. However, you do not want these requests to be blocked because the response to these requests is not the binary stream of the file (download). The response is ordinary text/html because this is a .cgi file that generates HTTP content.

To exclude this URL from being blocked, follow these steps:
 1. Open the ISA Server MMC.
 2. Click Policy Elements.
 3. Click Destination Sets.
 4. Right-click Destination Sets, and then add a new Destination Set named exception.
 5. Type www.northwindtraders.com for the Destination of this new destination set.
 6. Click Access Rules.
 7. Click Site and Content Rules.
 8. Open the blocking .exe extensions Site and Content Rule, and then click Destinations.
 9. Under This Rule applies to, click All Destinations except Selected Set.
 10. Click the exception destination set that you created in step 4.
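
The following Python model is an added example, not ISA Server code or anything from the original article. It contrasts the two filtering modes described above and shows the effect of the exception destination set. The function names, the second sample URL, and the case-insensitive matching are assumptions made for illustration.

```python
from urllib.parse import urlsplit
import posixpath

# Constructed policy mirroring the article's "Block exe" rule (illustrative model only).
BLOCKED_EXTENSIONS = {".exe"}
BLOCKED_CONTENT_TYPES = {"application/octet-stream"}
EXCEPTION_DESTINATIONS = {"www.northwindtraders.com"}  # the "exception" destination set


def url_extension(url):
    """Return the lower-cased extension of the URL path, ignoring query and fragment."""
    path = urlsplit(url).path
    return posixpath.splitext(path)[1].lower()


def media_type(content_type_header):
    """Strip parameters such as '; charset=utf-8' from a Content-Type header."""
    return content_type_header.split(";", 1)[0].strip().lower()


def decide(url, content_type_header, mode, use_exceptions=False):
    """Return 'deny' or 'allow' for one request/response pair.

    mode is 'extension' (match on the URL only) or 'content-type'
    (match on the response header only).
    """
    host = (urlsplit(url).hostname or "").lower()
    if use_exceptions and host in EXCEPTION_DESTINATIONS:
        return "allow"  # rule applies to "All Destinations except Selected Set"
    if mode == "extension":
        hit = url_extension(url) in BLOCKED_EXTENSIONS
    elif mode == "content-type":
        hit = media_type(content_type_header) in BLOCKED_CONTENT_TYPES
    else:
        raise ValueError("unknown mode: " + mode)
    return "deny" if hit else "allow"


# Constructed samples: (URL, Content-Type of the response).
CGI_PAGE = ("http://www.northwindtraders.com/example.exe", "text/html; charset=utf-8")
DOWNLOAD = ("http://downloads.example.test/setup.EXE?id=7", "application/octet-stream")

if __name__ == "__main__":
    for url, ctype in (CGI_PAGE, DOWNLOAD):
        for mode in ("extension", "content-type"):
            print(mode, decide(url, ctype, mode), decide(url, ctype, mode, True), url)
```

In this model the exception applies to the whole destination, so a real .exe download from www.northwindtraders.com is also allowed once the host is in the exception set. Keep exception sets as narrow as possible.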

Keywords: kbhotfixserver kbqfe kbqfe kbisaserv2000presp2fix kbfix kbbug KB813864


© Microsoft Corporation. All rights reserved.