Microsoft KB Archive/917051

= The Web Proxy Filter in ISA Server 2004 may log requests with an incorrect access rule when you use overlapped HTTP protocols =

Article ID: 917051

Article Last Modified on 12/4/2007

-

APPLIES TO

 Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 2, when used with:  Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition

 Microsoft Internet Security and Acceleration Server 2004 Standard Edition  Microsoft Internet Security and Acceleration Server 2004 Service Pack 1, when used with:  Microsoft Internet Security and Acceleration Server 2004 Standard Edition </li> Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition</li> Microsoft Internet Security and Acceleration Server 2004 Standard Edition</li></ul>

-

<div class="notice_section">

<div class="symptoms_section">

SYMPTOMS
When you use overlapped HTTP protocols on a Microsoft Internet Security and Acceleration (ISA) Server 2004 computer, you may find that the Web Proxy Filter logs requests that have incorrect references. For example, the Web Proxy Filter may log requests that have references to the default access rule instead of to the access rule that is configured to enable HTTP protocols.

Note When you use overlapped HTTP protocols in ISA Server 2004 Enterprise Edition-based computers, the requests that are logged may have references to the Enterprise default rule.

<div class="cause_section">

CAUSE
This problem may occur because the Web Proxy Filter in ISA Server 2004 incorrectly sets the logging field to the last rule that is processed. This typically occurs when multiple definitions exist for the same port.

<div class="resolution_section">

RESOLUTION
A fix is available for computers that are running ISA Server 2004 Service Pack 2 (SP2). To resolve this problem, install the hotfix that is described in the following Microsoft Knowledge Base article:

916106 Update for HTTP issues in Internet Security and Acceleration Server 2004 Service Pack 2

<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.

<div class="moreinformation_section">

MORE INFORMATION
Overlapped HTTP protocols are used when you have to prevent the Web Proxy Filter from intercepting the Web traffic. This configuration may be required when non-standard HTTP traffic uses TCP port 80. If you use the standard HTTP protocol, the traffic may be denied if it does not comply with the RFC standard.

To enable non-standard HTTP traffic in this scenario, the custom HTTP definition must not be bound to the Web Proxy Filter.

To use overlapped HTTP protocols, you must deny the HTTP protocol for sites where a custom HTTP protocol is used. This is to make sure that ISA Server 2004 chooses the correct protocol.

For example, if a virtual private network (VPN) client has to use the custom HTTP protocol to connect to an internal server, the rule that enables the custom HTTP protocol must have a higher priority than the rule that enables the standard HTTP protocol. You must also configure a rule to deny the standard HTTP protocol to the internal server to make sure that the custom HTTP protocol is used.

The following table lists the rules that have to be configured to enable traffic in this scenario:

Note
 * The third rule is configured to enable HTTP to other sites.
 * The second rule prevents any other rule from starting the Web Proxy Filter for traffic that matches the first rule.

This rule is necessary because of the way that ISA Server 2004 processes traffic that is sent to certain ports. When traffic arrives at a port that is associated with overlapped protocols, ISA Server 2004 finds the first policy rule that matches the traffic for each overlapped protocol. ISA Server 2004 applies the rule that is highest in the list. Typically, the first rule with the CustomHTTP protocol is highest in the list. This rule allows traffic to the non-standard HTTP server. However, this rule does not start the Web Proxy Filter. Also, all the rules for the overlapped protocols in the ordered list of rules are processed, the secondary connections for the overlapped protocols are added to the session, and the application filters that are associated with the overlapped protocols are started until an access rule that denies traffic is encountered. Typically, the second rule stops this processing, because the second rule is a deny rule. Without the second rule, the third rule is processed for traffic that matches the first rule, and the Web Proxy Filter starts. If the Web Proxy Filter is started by the third rule, the Web Proxy Filter discovers that the traffic does not comply with HTTP standards. Then the Web Proxy Filter blocks the traffic and adds an entry to the Web Proxy log. The entry indicates that the &quot;Allow HTTP to other sites&quot; rule blocked the traffic.

Keywords: kbbug kbqfe kbprb KB917051

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.