ISA Clients >> RE: "502 Proxy Error. The HTTP request includes a non-supported header

by SP2 Troubles » Tue, 14 Mar 2006 01:19:28 GMT

Has MS released a fix yet? I called MS and the Support person needed a KB #
to give it to me, and it has to be 6 Numbers

"Jim Harrison (MSFT)" wrote:

> ** ACTION **
> 1. Call PSS
> 2. Tell them I sent you
> 3. Ask for the fix for ISA SE 34978
>
> ** NOTE **
> This fix is still undergoing internal testing. If you are not willing to participate in this hotfix testing, then please wait for
> the official fix.
>
> ** DISCUSSION (kinda involved, so you can skip it if you like) **
> ISA responds to a request with "Error Code: 502 Proxy Error. The HTTP request includes a non-supported header. Contact your ISA
> Server administrator. (12156)".
> The likely reason for the behavior you're seeing in this case is new logic that was added in ISA 2004 SP2 to mitigate HTTP
> request smuggling. The process for this attack is a bit involved and a whitepaper on the subject is available here:
> https://www.watchfire.com/securearea/whitepapers.aspx
>
> RFC-2616 defines two headers, "content-length" and "transfer-encoding: chunked", for the same purpose, that of providing quantitative
> content validation for the receiver, and states *very clearly* that the server MUST NOT combine them in the same response. If the
> server is configured such that it does violate this edict, RFC-2616 then requires the receiving entity to ignore the content-length
> value and instead use the chunked-encoding technique to validate the length of the HTTP body. This places a processing burden on the
> receiving entity (ISA, in this case), since a chunked-encoded transfer can't be quantitatively validated until the transfer is
> completed. In the case of a proxy, additional processing is imposed due to caching behavior that may be dependent on content-size.
>
> The reason those sites are either failing outright (www.delta.com) or rendering poorly (www.sun.com) is because we chose to reject
> those responses entirely. Since RFC-2616 clearly states "don't combine those headers" and doing so is a demonstrably malicious act,
> it seemed unlikely that ISA would cause problems for any other than malicious sites, and in fact, our testing validated this belief.
> As it turns out, there are quite a few legitimate sites out there that violate this part of RFC-2616 and so we have had to rethink
> our answer to this problem.
> --
> Jim Harrison [ISA SE]
> Read the help, books and articles!
> This posting is provided "AS IS" with no warranties, and confers no rights.

ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header

by Jim Harrison (MSFT) » Tue, 14 Mar 2006 07:51:27 GMT


You can call PSS and ask for the fix for KB 915045.
The KB isn't published yet, but this is the number PSS needs to access the public fix.
You must either open a case with them or wait for it to appear on MU (ASAP).

This package fixes the following issues introduced in ISA 2004 Service Pack 2:
"502 Proxy Error. The HTTP Request includes a non-supported header." (www.delta.com)
"500 Internal Server Error; Not implemented (-2147467263)" (OWA zip files)
"The server supplied a compressed response although ISA Server did not request compression" (iTunes)

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

--
Jim Harrison [ISA SE]
Read the help, books and articles!

This posting is provided "AS IS" with no warranties, and confers no rights.

ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header

by robster007 » Tue, 14 Mar 2006 22:00:21 GMT

Hi Jim, I'm having the same problem. Who are PSS?

Thanks in advance.



ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header

by Phillip Windell » Tue, 14 Mar 2006 22:11:36 GMT

Product Support Services


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header

by robster007 » Tue, 14 Mar 2006 22:20:41 GMT

They are saying they know nothing about it and can pull no information
from the KB number at all!

ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header

by Jim Harrison (MSFT) » Wed, 15 Mar 2006 09:58:43 GMT

Please email me your case # to XXXX@XXXXX.COM .

--
Jim Harrison [ISA SE]
Read the help, books and articles!

This posting is provided "AS IS" with no warranties, and confers no rights.


They are saying they know nothing about it and can pull no information
from the KB number at all!

ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header

by robster007 » Wed, 15 Mar 2006 17:42:36 GMT

Thanks Jim, I eventually got through to the right people and they gave
me the replacement dll.

ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header

by Phillip Windell » Wed, 15 Mar 2006 22:18:57 GMT

Isn't this patch going to be publicly available without having to call
someone?

It shouldn't be in the form of a patch anyway,..it should be a replacement
SP. It doesn't make sense to be able to easily download a SP that isn't any
good without the patch that you have to call someone for to get before you
can use the SP. SP2 should just be pulled and no longer available, the
problems with it are "show stoppers", and replace it with a "fixed" SP
called SP2a

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/prodtechnol/isa/2004/deploy/dgisaserver.mspx
-----------------------------------------------------

ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header

by Jim Harrison (MSFT) » Thu, 16 Mar 2006 04:57:16 GMT

It'll be available in MU soon.

Think about these before you choose between SP and HF release vehicles:
- SP pre-release testing takes *months* at least
- HF pre-release testing takes *days* at most
- SP delivery mechanisms are complicated enough without adding "release A, B, etc."
--
Jim Harrison [ISA SE]
Read the help, books and articles!

This posting is provided "AS IS" with no warranties, and confers no rights.



ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header

by Phillip Windell » Thu, 16 Mar 2006 06:07:37 GMT



It worked ok for NT4 SP6a and distribution & awareness was more difficult
back then. It is also very complicated from the consumer side to first get
an SP and then have to get all the patches to fix the SP that they may not
even know about until after they get "hit" by the problems in the SP. If
SP2a is the only thing "out there" it isn't very complicated. Now I don't
expect that to be done for every little tiny flaw that an SP might have, but
these couple of things involved in this case are pretty big issues and at least
in my opinion are show-stoppers for even bothering with the SP2 to start
with.

In the end I guess I really don't expect anyone to listen to me anyway, but
this whole "SP2 thing" has really got me ticked off... problems that big with
it shouldn't have gotten released. Then there is that "direct access" issue
I mentioned in another post that has not had one comment on it and it
doesn't appear from that link that anyone is even concerned about correcting
it. The only comment to that within the article itself was given by Tom
Shinder asking "are they going to fix it?" I think this one was the final
straw for my patience concerning SP2.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header

by ZVR » Thu, 16 Mar 2006 06:44:21 GMT

For what it's worth I think I agree with Jim on this one... the patch needed
to be released as a hotfix rather than as a "SP2a" if we were to get a
timely resolution at all. Let's not forget that everything was very
different back then in NT4 times... Windows did not have the widespread
adoption of today... and I believe there was even a significant delay
between SP6 and SP6a.

I'm all in favor of hotfixes as long as they
1) solve the issue without introducing more problems
2) provide timely responses
3) are properly documented and supported.

That being said... bring them on Jim... we're all eagerly waiting for the
public KB# and hotfix.

Virgil

ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header

by Jim Harrison (MSFT) » Thu, 16 Mar 2006 09:11:05 GMT

The thing to remember is that the "non-supported header" and "not implemented" problems you're seeing are not because we have a bug,
but because the web server is violating RFC-2616.
It would seem that there are fewer folks reading the relevant RFC's than we suspected...

In each case, we took the safe road and rejected these responses. Unfortunately, these decisions we took to make your web surfing
safer resulted in a plethora of broken legitimate sites. This hardly warrants re-issuing a whole service pack when the solutions
are *very* narrowly targeted.

--
Jim Harrison [ISA SE]
Read the help, books and articles!

This posting is provided "AS IS" with no warranties, and confers no rights.
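Added example (editor-supplied Python; not code from the thread, from ISA Server or from Microsoft) to make concrete the Content-Length versus Transfer-Encoding conflict that Jim Harrison describes in the quoted discussion at the top of the thread and again in his reply above. It delimits one HTTP message three ways: trusting Content-Length even though chunked is present (the mistake request smuggling relies on), applying the RFC 2616 section 4.4 rule that Transfer-Encoding overrides Content-Length, and the strict policy of rejecting any message that carries both (the behaviour the thread attributes to ISA 2004 SP2; the later HTTP/1.1 text, RFC 7230 section 3.3.3, explicitly says such a message ought to be handled as an error). The sample request, the placeholder host example.test and the function names are constructed for this example.

```python
"""
Added example, not code from the thread or from ISA Server: body delimiting
for an HTTP/1.1 message that carries both Content-Length and
Transfer-Encoding: chunked, compared under three policies.
"""
import re

CRLF = b"\r\n"


def parse_head(raw):
    """Split a raw HTTP message into (start line, {lowercased name: [values]}, bytes after the blank line)."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, rest


def read_chunked(data):
    """Decode a chunked body. Returns (decoded body, bytes left over after the final CRLF)."""
    body = bytearray()
    pos = 0
    while True:
        eol = data.find(CRLF, pos)
        if eol < 0:
            raise ValueError("incomplete chunk-size line")
        size_field = data[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise ValueError("malformed chunk size")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            # last-chunk: skip optional trailer lines up to the empty line
            while True:
                eol = data.find(CRLF, pos)
                if eol < 0:
                    raise ValueError("incomplete trailer")
                line, pos = data[pos:eol], eol + 2
                if line == b"":
                    return bytes(body), data[pos:]
        if data[pos + size:pos + size + 2] != CRLF:
            raise ValueError("incomplete or malformed chunk")
        body += data[pos:pos + size]
        pos += size + 2


def delimit_body(headers, rest, policy):
    """
    Find the message body under one policy:
      'rfc2616'  - Transfer-Encoding wins, Content-Length is ignored (RFC 2616 section 4.4)
      'strict'   - reject any message carrying both headers (what the thread says ISA 2004 SP2 did)
      'naive_cl' - trust Content-Length even when chunked is present (the mistake smuggling relies on)
    Returns (body, leftover bytes the parser did not consume).
    """
    te = headers.get(b"transfer-encoding", [])
    cl = headers.get(b"content-length", [])
    chunked = any(v.lower() == b"chunked" for v in te)  # simplification: ignores multi-coding lists
    if policy == "strict" and te and cl:
        raise ValueError("502: message has both Content-Length and Transfer-Encoding")
    if chunked and policy != "naive_cl":
        return read_chunked(rest)
    if cl:
        if len(cl) != 1 or not cl[0].isdigit():
            raise ValueError("bad Content-Length")
        n = int(cl[0])
        if len(rest) < n:
            raise ValueError("incomplete body")
        return rest[:n], rest[n:]
    return rest, b""  # no delimiter at all: body runs to connection close


# Constructed sample, not a captured request: a CL.TE smuggling probe in which
# Content-Length covers everything but the chunked body ends at the 0 chunk.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"  # example.test is a placeholder
CHUNKED_BODY = b"0\r\n\r\n"  # a single last-chunk carrying no data
SAMPLE = b"".join([
    b"POST /search HTTP/1.1\r\n",
    b"Host: example.test\r\n",
    b"Content-Length: %d\r\n" % (len(CHUNKED_BODY) + len(SMUGGLED)),
    b"Transfer-Encoding: chunked\r\n",
    b"\r\n",
    CHUNKED_BODY,
    SMUGGLED,
])


def compare(raw):
    """Run every policy over one message; returns {policy: (body, leftover) or the error text}."""
    _, headers, rest = parse_head(raw)
    out = {}
    for policy in ("naive_cl", "rfc2616", "strict"):
        try:
            out[policy] = delimit_body(headers, rest, policy)
        except ValueError as e:
            out[policy] = str(e)
    return out


if __name__ == "__main__":
    for policy, result in compare(SAMPLE).items():
        print("%-9s -> %r" % (policy, result))
```

Run it and the three policies disagree about where the first message ends: the Content-Length reading swallows everything as one body, the RFC 2616 reading stops at the zero-length chunk and leaves a complete second request unconsumed, and the strict reading refuses the message outright. Two hops in a chain picking different rows of that table is exactly what a smuggling probe tests for, so a proxy that rejects, or at least normalises (drops Content-Length and re-chunks) before forwarding, removes the ambiguity instead of passing it downstream.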

ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header

by Peter Lawton » Thu, 16 Mar 2006 14:40:19 GMT

ISA SP2 is also violating the same RFC I seem to recall ;-)

I do understand about not completely re-releasing the SP though, NT4 SP6 was
a special case and was totally broken, however I'd say that enough people
are being affected by this ISA SP2 issue to warrant releasing the fix for
direct download and probably on WSUS too, rather than everyone and their dog
having to go through the pain of ringing up PSS for it?

Peter Lawton

ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header

by Phillip Windell » Thu, 16 Mar 2006 22:09:34 GMT



Well the RFC, if I recall, said the appropriate response was to ignore the
second header item and not drop the whole connection. So both the webserver
and ISA were each running contrary to the RFCs but in different ways.

I'm not that bothered by the other issue, the compression issue, since that
is easily turned off and no functionality is really lost from what we had
with just SP1. I think the direct access behavior change, which seems
hardly mentioned, is one thing that has me the most bothered at the moment.
There was already enough confusion and hassles involving that subject and
now it is even worse.

But I've slept since the last post,...I don't think I'm quite as "excited"
about it today.. :-)


--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

ISA Clients >> "502 Proxy Error. The HTTP request includes a non-supported header

by Phillip Windell » Thu, 16 Mar 2006 22:13:22 GMT



I suppose that would be a good enough compromise for me,...assuming of
course they are confident enough that the patch won't have other bad
side-effects. And there should be a big red flashing sign screaming at them
on the page where the SP2 is downloaded from so that everyone getting the
SP2 will know about it,..in fact they should both be right there together on
the same page.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
