Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Stopping people from being able to download?
- Thread starter WilliamUT
- Start date
The problem is that in ISA Server a bug is still there and a fix should published hte next month. You can not (at the moment) filter both Mime content AND files extensions.
I paste below an internal Microsoft article:
-------------------------------------------------------------------------------
The information in this article applies to:
- Microsoft Internet Security and Acceleration Server 2000 (Version: 2000)
-------------------------------------------------------------------------------
SYMPTOMS
========
When using Content Types ("HTTP Content"
on Site and Content Rules to block/allow for downloading specific files (e.g. .exe) ISA
Server does not block/allow the request if you only have the file extension
(e.g. .exe) configured in the appropiate Content Goup.
The problem
described above will not occur if you have included the content type which is
appropiate for the extension you want to block/allow in the appropiate Content
Group. (e.g. .application/octet-stream for .exe ). But however in this case you
can run into issues raised in 319073.
The problem described above
only occurs when doing outgoing HTTP request through ISA Server.
CAUSE
=====
This is bcause ISA Server isn't able to block/allow http
requests based on file extensions.
It can only block/allow based on the
Content Type of the HTTP response.
RESOLUTION
==========
A supported fix is now available from Microsoft, but it is only
intended to correct the problem that is described in this article. Apply it
only to computers that are experiencing this specific problem. This fix may
receive additional testing. Therefore, if you are not severely affected by this
problem, Microsoft recommends that you wait for the next Internet Security and
Acceleration Server 2000 service pack that contains this fix.
To
resolve this problem immediately, contact Microsoft Product Support Services to
obtain the fix. For a complete list of Microsoft Product Support Services phone
numbers and information about support costs, visit the following Microsoft Web
site:
<NOTE: In special cases, charges that are ordinarily incurred for
support calls may be canceled if a Microsoft Support Professional determines
that a specific update will resolve your problem. The typical support costs
will apply to additional support questions and issues that do not qualify for
the specific update in question.
The English version of
this fix has the file attributes (or later) that are listed in the following
table. The dates and times for these files are listed in coordinated universal
time (UTC). When you view the file information, it is converted to local time.
To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date Time Version Size File name
--------------------------------------------------
WARNING: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using Registry
Editor incorrectly. Use Registry Editor at your own risk.
This hotfix
provides the ability to control whether ISA Server should block/allow based on
file extension or based on Content Type.
If you want ISA Server to
block only based on File Extension add the follwing Registry
Key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters\CheckOnlyFileExtensionAsContentType
: DWORD : 1
If you want ISA Server to block only based on Content
Type add the follwing Registry
Key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters\CheckOnlyFileExtensionAsContentType
: DWORD : 0
- To receive the hotfix, customers must be experiencing the bug as
described in the "Symptoms" section.
- You must track the customers you send this to and supply them with
the next service pack when it becomes available (if a service pack is
released).
This is scheduled to be included with ISA Service Pack
2.
STATUS
======
Microsoft has confirmed that this is a problem in Microsoft
Internet Security and Acceleration Server 2000.
MORE INFORMATION
================
After applying the Hotfix and set the <CheckOnlyFileExtensionAsContentType = 1> you may notify some users are denied on HTTP requests to URLs
where actually you don't want requests to be blocked. This behavior didn't
occur before applying the Hotfix.
This is because after applying the
Hotfix ISA denies all requests to the file extensions you have configued in
Site and Content Rule independent if the response is a download of the file or
if it is ordinary http content. (e.g. CGI extensions).
If you notify this
issue you can exclude URLs from being denied by adding these URLs as exception
to the Site and Content Rules where you have defined the Content to be blocked.
Example:
Asume you have the follwing Site and Content Rule for
blocking .exe extensions:
Site and Content Rule Name : Block exe
Enabled : True Rule
Applies to : All Destinations
Access to the
specified destinations : Denied
Rule Applies to : Any Request
Rule
Applies to : Selected Content Groups
Content Groups Selected : exe file
extension ,
Requests to < are denied
because of the Rule, but you don't want this request to be blocked, because
this is not responding with binary stream of the file (download) rather than
responfing with ordinary text/html since this is a cgi extension generating the
content.
To exclude this URL from being blocked please go through the
follwing steps:
1. Open ISA Server MMC.
2. Select Policy Elements.
3. Select Destination Sets.
4. Right Click on Destination Sets and add a new Destination Set (lets
call it <exeption>) .
5. Add the < as Destination to this new Destination Set.
6. Go to Access Rules.
7. Select Site and Content Rules.
8. Open the blocking .exe extensions: Site and Content Rule and go to
Destinations.
9. Under This Rule applies toselect All Destinations exept Selected Set
.
10. Select the Destination Set you have created before (<exeption>).
I paste below an internal Microsoft article:
-------------------------------------------------------------------------------
The information in this article applies to:
- Microsoft Internet Security and Acceleration Server 2000 (Version: 2000)
-------------------------------------------------------------------------------
SYMPTOMS
========
When using Content Types ("HTTP Content"
on Site and Content Rules to block/allow for downloading specific files (e.g. .exe) ISAServer does not block/allow the request if you only have the file extension
(e.g. .exe) configured in the appropiate Content Goup.
The problem
described above will not occur if you have included the content type which is
appropiate for the extension you want to block/allow in the appropiate Content
Group. (e.g. .application/octet-stream for .exe ). But however in this case you
can run into issues raised in 319073.
The problem described above
only occurs when doing outgoing HTTP request through ISA Server.
CAUSE
=====
This is bcause ISA Server isn't able to block/allow http
requests based on file extensions.
It can only block/allow based on the
Content Type of the HTTP response.
RESOLUTION
==========
A supported fix is now available from Microsoft, but it is only
intended to correct the problem that is described in this article. Apply it
only to computers that are experiencing this specific problem. This fix may
receive additional testing. Therefore, if you are not severely affected by this
problem, Microsoft recommends that you wait for the next Internet Security and
Acceleration Server 2000 service pack that contains this fix.
To
resolve this problem immediately, contact Microsoft Product Support Services to
obtain the fix. For a complete list of Microsoft Product Support Services phone
numbers and information about support costs, visit the following Microsoft Web
site:
<NOTE: In special cases, charges that are ordinarily incurred for
support calls may be canceled if a Microsoft Support Professional determines
that a specific update will resolve your problem. The typical support costs
will apply to additional support questions and issues that do not qualify for
the specific update in question.
The English version of
this fix has the file attributes (or later) that are listed in the following
table. The dates and times for these files are listed in coordinated universal
time (UTC). When you view the file information, it is converted to local time.
To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date Time Version Size File name
--------------------------------------------------
WARNING: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using Registry
Editor incorrectly. Use Registry Editor at your own risk.
This hotfix
provides the ability to control whether ISA Server should block/allow based on
file extension or based on Content Type.
If you want ISA Server to
block only based on File Extension add the follwing Registry
Key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters\CheckOnlyFileExtensionAsContentType
: DWORD : 1
If you want ISA Server to block only based on Content
Type add the follwing Registry
Key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters\CheckOnlyFileExtensionAsContentType
: DWORD : 0
- To receive the hotfix, customers must be experiencing the bug as
described in the "Symptoms" section.
- You must track the customers you send this to and supply them with
the next service pack when it becomes available (if a service pack is
released).
This is scheduled to be included with ISA Service Pack
2.
STATUS
======
Microsoft has confirmed that this is a problem in Microsoft
Internet Security and Acceleration Server 2000.
MORE INFORMATION
================
After applying the Hotfix and set the <CheckOnlyFileExtensionAsContentType = 1> you may notify some users are denied on HTTP requests to URLs
where actually you don't want requests to be blocked. This behavior didn't
occur before applying the Hotfix.
This is because after applying the
Hotfix ISA denies all requests to the file extensions you have configued in
Site and Content Rule independent if the response is a download of the file or
if it is ordinary http content. (e.g. CGI extensions).
If you notify this
issue you can exclude URLs from being denied by adding these URLs as exception
to the Site and Content Rules where you have defined the Content to be blocked.
Example:
Asume you have the follwing Site and Content Rule for
blocking .exe extensions:
Site and Content Rule Name : Block exe
Enabled : True Rule
Applies to : All Destinations
Access to the
specified destinations : Denied
Rule Applies to : Any Request
Rule
Applies to : Selected Content Groups
Content Groups Selected : exe file
extension ,
Requests to < are denied
because of the Rule, but you don't want this request to be blocked, because
this is not responding with binary stream of the file (download) rather than
responfing with ordinary text/html since this is a cgi extension generating the
content.
To exclude this URL from being blocked please go through the
follwing steps:
1. Open ISA Server MMC.
2. Select Policy Elements.
3. Select Destination Sets.
4. Right Click on Destination Sets and add a new Destination Set (lets
call it <exeption>) .
5. Add the < as Destination to this new Destination Set.
6. Go to Access Rules.
7. Select Site and Content Rules.
8. Open the blocking .exe extensions: Site and Content Rule and go to
Destinations.
9. Under This Rule applies toselect All Destinations exept Selected Set
.
10. Select the Destination Set you have created before (<exeption>).
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question