The fix turnd out to be quick and easy:

In the IAG  configuration app, in the URL filter change InternalSite_Rule28 to Ignore and replace InternalSite_Rule29 URL to /internalsite/com/whale/sslvpnclient/whalesslvpnclient/class.class

Getting to this was a hour of head scratch, searching and playing. This is my journey to that two second fix.

I fired up the IAG Web monitor and noticed these errors:

Severity     ID       Type
Warning   55     Parameters not Allowed with URL Security portal (S)

Request failed, URL is not allowed to contain parameters.

Trunk: portal; Secure=1;

Application Name: Whale Internal Site; Application Type: InternalSite; Source IP: x.x.x.x; Method: GET; URL: /InternalSite/applet/sslvpnclient.jar?version-id=3.7.0.14.

Severity     ID       Type

Warning     67     URL Path not Allowed Security csrportal (S) Request failed, the URL contains an illegal path.

Trunk: portal; Secure=1;

Application Name: Whale Internal Site; Application Type: InternalSite; Rule: Default rule; Source IP: x.x.x.x; Method: GET; URL: /InternalSite/com/whale/sslvpnclient/whalesslvpnclient/class.class.

I knew I  had not changed on the rules or configuration.

Clicking on the first error of ID 67  popped up this:

Warning #67: URL Path not Allowed

Symptoms

A remote user requests a page. The request is denied, and the following message is displayed in the browser window: “You have attempted to access a restricted URL. The URL you are trying to access contains an illegal path.”

Cause

The path of the requested URL was rejected by the URL Inspection engine.

Resolution

Take the following steps in the Configuration program:

1. Open the Advanced Trunk Configuration window, and select the URL Set tab.

2. Do one of the following, depending on the rule that caused the failure, as specified in the “Description” filed of the message:

• If the rule that caused the failure is “Default rule”, use the URL List to add a new rule, or edit one of the existing rules, so that the requested URL is allowed.

• If the failure was caused by an existing rule, and the name of the rule is specified in the message’s “Description” field, access the rule in the URL List. In the “URL” column, edit the path of the URL.

Cracking open the IAG configuration tool and searching the URL List I  found InternalSite_Rule29 was very slightly different to the one in the failed error. I swapped it from

/InternalSite/com/whale/sslvpnclient/whalesslvpnclient.class

to

/internalsite/com/whale/sslvpnclient/whalesslvpnclient/class.class

Saved the configuration and tried the Java app again. Still failed.

After a bit of head scratching I found this post from the excellent www.forefrontsecurity.org

InternalSite_Rule28 (/internalsite/applet/(sslvpnclient|detectjava|microsoftclient|oesislocal|runtimeelevator|agent_win_helper|agent_mac_helper|agent_lin_helper)\.jar)
changed Parameters value Reject to: Ignore

Basically this stops the checking on the detection agents and allows the Java applet to do it job.

Another Hum Ho moment.

Overview: Create a URL set of all sites and block them.

In this case I want to stop users being re-directed to the malware sites of the day. The sites I want to blocked are taken from the Internet Storm Center story on Internet Explorer Zero-day here

A quick way to do this:

1)      Create a URL set call Malware – Blocked Sites and add in one URL i.e. www.badtest.com to blocked sites

2)      Export the URL Set to a XML file Blocked.xml.

3)      Dump the list of bad web sites in to a table or excel.

4)      Pop  <fpc4:Str dt:dt=”string”> and </fpc4:Str> around each URL
i.e. <fpc4:Str dt:dt=”string”>http://Badsite.bad.com</fpc4:Str>

5)      Open Blocked.xml in a text editor, such as notepad.

6)      Copy all of the edited entries in to the exported URL sites under the place holder URL www.badtest.com, that’s under <fpc4:URLStrings>, and save the file.

7)      Import the Blocked.xml in to the URL set: Malware – Blocked Sites.

8)      All the sites are now listed in alphabetical order in the URL set.

9)      Create a deny rule for all protocols from Internal to Malware – Blocked Sites URL set.

10)   Press the Apply button.

This will block and log access to those malicious/dangerous web sites.

For reasons only known to myself, I’ve stupidly decided to kick off the final two MCITP: Enterprise exams starting with 70-649.

Ah, nothing like making bets, attempting to get a bit of competition going, that you can get certified before the rest of the team.

In front the Boss. (He’s a hockey playing, beer drinking, Northern ninja for randomly appearing like that!)

Pure Muppet magic on my part! Meep.

Hum ho.

Why the Enterprise rather than the long winded 70-647 update exam first? After skimming the objectives, it looks less work and studying for 749 will help out with 647 at a guess.

Check List:

Study guide:                                         Ms Press Self paced 70-647 Training kit

Hands on:                                              Build a virtual lab on Windows 2008 and use the Ms Virtual Labs

Pick a date to get this done by:    Monday 23rd of March 2009

Better get on with it then.

So, kick off by designing and build and small self contained Windows 2008 domain. This is all built on a physical machine, running Windows 2008 Server x64 with 8GB of RAM, lots of hard disk space and a couple of NICs. Hyper-V is installed.

I’ve added three additional networks in the Virtual Network Manger: Domain_Internal, DMZ and Hyper-V_External. Hyper-V_External is connected to the router for direct Internet access.

I’ve build, installed the Integration tools and patched (32updates and 159mb later) one VM, then cloned it (done by copying it to a new location, starting it up and running newsid) to speed things up and save download bandwidth. I should have used Windows Deployment Services (WDS), but I get around to that later.

The master network plan is below

This isn’t information leakage and I haven’t forgotten to add IPv6 addresses in, just a basic network diagram!

So once everything has finished installing, on with setting it up.

Now to start going through the notes and playing!

Notes Part 1

Worth a read if you have OCS and need the outside world to connect up to it

http://technet.microsoft.com/en-us/magazine/dd440949.aspx

When attempting to access the web site number two the web page displayed:

Bad Request (Invalid Hostname) – 400 Error

The web sites still worked internally and the ISA could resolve the server host headers and browse the sites. The rule looked good, pointed to the right location had the right ports open.

Turned on logging and watched for access to the site. No hits. Muck around checking event logs, restarting the firewall services and tweaking the rule. No joy.

Got a pencil and paper out and went through my deployment notes, ticking off each step. Got the web listener for site two and immediately found the problem. I had done a copy and paste of the rule and web listener and hadn’t changed the IP address of the second web listener to it new address. It was still using the first listener IP.

Added the correct IP address and everything worked as expected.

Meep

More specifically, one of the security systems I manage gets blamed, but I cop the flack for it. Moaning at an inanimate firewall doesn’t elicit the sheer pleasure of ranting a human being, or me, it appears.

Anyway, over the weekend a financial web site had stopped working and they wanted it to work. It was throwing up authentication errors in a Java Applet screen they never seen before. The Web company’s helpdesk said nothing had changed, so it had to be our problem, or my problem, as normal. Since nothing changed on the network, client machines or firewall rule sets (gotta love change management) and I had a screen shot of the error with times of the problems, I called up the ISA logs, and filtered on the url of the site.

The screen shots filled me with apprehension, as the web site had a big ugly Java error and the pages were .jhtml and it was all running over SSL. After a chat with the staff member, he said the site looked like it had an update.

I’ve had problems before with Java programmers doing dubious things over http and the ISA correctly dropping the traffic, so wasn’t looking forward to getting in to a fight with a big financial web company over coding.

The ISA filter displayed a whole heap of these errors when connecting to the site:

Status: 995 The I/O operation has been aborted because of either a thread exit or an application request

Now this doesn’t tell you much, so after a quick bit of browsing the web I found a reply from Jim Harrison to someone with similar issues

“This is expected even for normal termination of SSL Tunnel traffic.

ISA can’t follow the HTTP conversation within the SSL session and so the session closure is always a surprise.

It does not indicate an error in ISA."

I trust Jim’s advice implicitly, and was sure it was the lovely web company’s fault, but his reply didn’t help nail what was wrong and SSL won’t let me analyse the traffic.

Help came from an unexpected source when the staffer mention he could access the web site at home, after taking a very long time to load to first time.

Did anything else happen while you accessed the site, like some piece of software update? I enquired.

It appears that his machine downloaded the latest version of Java first. Hmm, to the test lab machines!

I fired up a test machine, broke company standard build policy, ripped out the current package version of Java and installed the latest and greatest straight from the web site. This promptly broke the machine. I grabbed the next test machine and attempted to update Java. That broke it too. The third machine, a totally non-standard machine, installed Java without issues and could “magically” accessed the site. No need to touch the ISA rules.

Grinning like a Cheshire cat I promptly handed over the mess of updating everyones Java client to the packaging team with a couple of notes on how it had destroyed two perfectly good machines for no apparent reason.

Take away: if you see status message 995 being logged on ISA, a web app stops working and the site is Java based, then check the Java client and ask what version you should be using to access the site first.

Put money on it that the third party will say “Install at minimum version X”, which won’t be the version you’re running.

Jim Harrison is a very active Ms guy in the ISA world and it’s well worth watch his walk through of what to do. Enoy!

No-go SP3 update!

Was a bit confused and the logs held no useful information, then as a side I though I’d check the uptime of these boxes.

The servers hadn’t been rebooted in over 458 days and they were still performing fine!

A quick reboot of the two machines and the service pack installed with out further issues.

Next problem the Application log started to fill up with:

Event Type:     Warning
Event Source:   Microsoft ISA Server Web Proxy
Event Category: None
Event ID:       14141
Date:           14/09/2008
Time:           10:28:10 AM
User:           N/A
Computer:       WNDMZIA09
Description:
ISA Server detected a proxy chain loop. There is a problem with the configuration of the ISA Server routing policy.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
There’s a helpful piece from MS on solving this normally here but I wanted a fast, simply way to find the root of the problem.  knew that the network options and routing had been set correctly and did a check that nothing else was attempting to hog either port 80 or 8080 with the ol’ netstat command:
c:\>netstat -aon | find “:8080″
producing: TCP    0.0.0.0:8080 0.0.0.0:0  LISTENING       452

c:\>tasklist /svc | find “452″
resulting in: wspsrv.exe                     452 fwsrv (which is the ISA firewall service- that good )

So went in to the ISA monitoring tab, setting the logging to find HTTP status Code equal 12206.

This shows all the error messages for: 12206 The ISA Server detected a proxy chain loop. There is a problem with the configuration of the ISA Server routing policy. Please contact your server administrator.

It showed me the rule and client details to actually see where and what the problem was. In this case some client machines were trying to contact a decommissioned server on a decommissioned ip address space. The ISA’s were the default path for all unknown networks, so the traffic would end up there. The ISA didn’t know what to do with the trafic and thus generated the 14141 errors in the Apps log. A quick deny rule blocking the  decommissioned ip address space sorted out the clients, and then lead another to a misconfigured rule, which was easily fixed.

So far, it’s making me look forward to Forefront v2 and what ISA 2008 or Threat Management Gateway as it’s been called, offers.

This is it so far. One happy Domain fully patched with Forefront happily sitting on all the machines and MOM agents all reporting in the the Forefront box.

No email yet, but will dig out the new and shiny Exchange 2007 cd for a bit of a challenge.

Had a dilemma – Should I install the security agents on the ISA servers? The ol’ defense in depth planning suggests it’s a jolly good idea, but several web site and other ISA notables say otherwise.

Time for a bit of research, me thinks!

Update - ISA servers shouldn’t be used as anything other than firewalls (no playing Quake Wars, surfing porn or reading email , I guess on the box any more then)

So the community feeling is FCS isn’t needed on ISA, but in case you haven’t harden the ISA or don’t trust your fellow admins check out this post on setting it up