HTTP compression capabilities in ISA Server 2004


Overview: ISA Server 2004 supports HTTP compression (commonly gzip compression), but for security reasons compressed HTTP traffic is blocked in most environments. This article explains how the ISA firewall handles compressed HTTP traffic and how to enable support for HTTP compression in ISA Server 2004.

With support for HTTP compression (commonly gzip compression), ISA Server 2004 can forward compressed HTTP data obtained from an external Web server to client computers on the network protected by the ISA firewall, and its Web publishing rules allow a published internal Web server to send compressed HTTP data to clients browsing from the external network. Note that "compressed HTTP data" means only the message body is compressed; the HTTP headers are not compressed.

A Web publishing rule in the ISA firewall can be configured to forward the original Accept-Encoding header sent by the client to the published Web server. If the client sends an Accept-Encoding request header indicating that it accepts compressed content, the Web server sends compressed HTTP data back and indicates the compression in the HTTP headers of its reply; the ISA firewall then forwards the reply packets from the Web server to the external client.

The ISA firewall does not itself compress the message body, and for compressed data it performs no application-layer inspection or link translation. It does, however, process the HTTP headers of compressed HTTP traffic exactly as it processes the headers of uncompressed traffic, so any matching access rule or HTTP application-layer filter still applies to compressed HTTP data. If the HTTP filter is configured with signature-based or method-based application-layer filtering and the transmitted HTTP data is encoded (compressed), the ISA firewall rejects the communication and shows an error page stating that the request was rejected by the HTTP filter (for example: "Blocked by the HTTP Security Filter: the response content is encoded and cannot be scanned."). Because the ISA firewall cannot inspect encoded (compressed) HTTP data, when firewall policy requires that the data be inspected it errs on the side of security and rejects the transfer it cannot check.

Also, if the ISA firewall removed the Accept-Encoding HTTP header sent by the client and the accessed Web server still returns compressed data, the ISA firewall likewise refuses the communication.

The ISA firewall does not cache compressed content: it does not cache any content carrying a Content-Encoding header unless that header is Content-Encoding: identity. HTTP traffic is generally not compressed, but two common applications, Microsoft Outlook Web Access (OWA) and Microsoft BizTalk Server, do compress their HTTP traffic.

Depending on the scenario, the Web Proxy component of the ISA firewall treats compressed HTTP traffic as follows:

- In forward proxy mode (for example, Web Proxy clients), the ISA firewall always removes the Accept-Encoding request header sent by the client, so the Web server does not compress its reply.

- In reverse proxy mode (for example, Web server publishing), whether the Accept-Encoding request header is removed is controlled per Web publishing rule by the IfpcWebPublishingProperties::SendAcceptEncodingHeader COM property; an example is given later in this article.

OWA publishing differs from typical Web publishing in the following ways:

- In a Web publishing rule for OWA, SendAcceptEncodingHeader defaults to True, so the ISA firewall does not remove the Accept-Encoding header sent by the client.

- In a typical Web publishing rule, SendAcceptEncodingHeader defaults to False, so the ISA firewall removes the Accept-Encoding header sent by the client.

- The ISA firewall forwards compressed HTTP data sent by the published OWA server as-is: it neither compresses nor decompresses it, and performs no stateful filtering or link translation on it; it only forwards it.
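The rules described above (Accept-Encoding stripping in forward versus reverse proxy mode, the SendAcceptEncodingHeader defaults for OWA and ordinary Web publishing rules, rejection of encoded responses that policy requires the HTTP filter to scan, refusal when the server compresses a reply even though Accept-Encoding was removed, and the identity-only caching rule) can be written down as a small decision model. The following Python is an added illustration written for this page, not ISA Server code: the function names, the "forward"/"reverse" mode strings and the returned dictionary layout are assumptions made for the example, and the sample headers are constructed, not captured traffic.

```python
"""Model of the ISA Server 2004 Web Proxy handling of compressed HTTP traffic
as described in this article. Added illustration, not ISA Server code: the
function names, mode strings and result layout are assumptions."""

IDENTITY = "identity"
FILTER_BLOCK_MESSAGE = ("Blocked by the HTTP Security Filter: the response "
                        "content is encoded and cannot be scanned.")


def _lower_keys(headers):
    """HTTP header names are case-insensitive; normalise them for lookups."""
    return {name.lower(): value for name, value in headers.items()}


def default_send_accept_encoding(is_owa_rule):
    """SendAcceptEncodingHeader defaults to True for OWA publishing rules and
    to False for ordinary Web publishing rules."""
    return bool(is_owa_rule)


def outbound_request_headers(mode, request_headers, send_accept_encoding=False):
    """Return the request headers the proxy forwards to the Web server.

    Forward proxy mode always strips Accept-Encoding; reverse proxy mode
    strips it unless the rule's SendAcceptEncodingHeader property is True.
    """
    if mode not in ("forward", "reverse"):
        raise ValueError("mode must be 'forward' or 'reverse'")
    forwarded = _lower_keys(request_headers)
    if mode == "forward" or not send_accept_encoding:
        forwarded.pop("accept-encoding", None)
    return forwarded


def is_compressed(response_headers):
    """Anything other than a missing or identity Content-Encoding is encoded
    (compressed) content the proxy cannot inspect."""
    encoding = _lower_keys(response_headers).get("content-encoding", IDENTITY)
    return encoding.strip().lower() not in ("", IDENTITY)


def response_verdict(accept_encoding_forwarded, response_headers,
                     filter_inspects_body):
    """Return (allowed, reason) for the Web server's response."""
    if not is_compressed(response_headers):
        return True, "uncompressed: headers and body inspected as usual"
    if filter_inspects_body:
        # Policy requires an inspection the proxy cannot do on encoded data.
        return False, FILTER_BLOCK_MESSAGE
    if not accept_encoding_forwarded:
        return False, ("Accept-Encoding was removed by the proxy but the "
                       "server compressed the response anyway")
    return True, "compressed: forwarded without body inspection or link translation"


def handle_exchange(mode, request_headers, response_headers, *,
                    is_owa_rule=False, send_accept_encoding=None,
                    filter_inspects_body=False):
    """Run one request/response pair through the modelled proxy logic."""
    if send_accept_encoding is None:
        send_accept_encoding = default_send_accept_encoding(is_owa_rule)
    forwarded = outbound_request_headers(mode, request_headers, send_accept_encoding)
    allowed, reason = response_verdict("accept-encoding" in forwarded,
                                       response_headers, filter_inspects_body)
    return {
        "forwarded_request": forwarded,
        "allowed": allowed,
        "reason": reason,
        # Compressed responses are never cached; only identity content is.
        "cacheable": allowed and not is_compressed(response_headers),
    }


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    req = {"Host": "owa.example.test", "Accept-Encoding": "gzip, deflate"}
    gzip_reply = {"Content-Type": "text/html", "Content-Encoding": "gzip"}
    plain_reply = {"Content-Type": "text/html"}
    scenarios = [
        ("forward proxy, plain reply", dict(mode="forward", request_headers=req, response_headers=plain_reply)),
        ("forward proxy, gzip reply", dict(mode="forward", request_headers=req, response_headers=gzip_reply)),
        ("OWA rule, gzip reply", dict(mode="reverse", request_headers=req, response_headers=gzip_reply, is_owa_rule=True)),
        ("typical rule, gzip reply", dict(mode="reverse", request_headers=req, response_headers=gzip_reply)),
        ("OWA rule + body signatures", dict(mode="reverse", request_headers=req, response_headers=gzip_reply,
                                            is_owa_rule=True, filter_inspects_body=True)),
    ]
    for label, kwargs in scenarios:
        r = handle_exchange(**kwargs)
        print(f"{label}: allowed={r['allowed']} cacheable={r['cacheable']} ({r['reason']})")
```

The model makes the trade-off explicit: the only configuration in which compressed data passes is a reverse-proxy rule that forwards Accept-Encoding with no body-inspecting HTTP filter, and that data is neither inspected nor cached.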

The HTTP filter of the ISA firewall provides signature matching on packet headers and packet bodies, but because the ISA firewall cannot inspect compressed HTTP traffic, which lowers security, you may want to block encoded (compressed) HTTP traffic by configuring the HTTP filter. The steps are as follows:

1. Open the ISA Firewall Management console and expand the server name.

2. Click Firewall Policy, right-click the access rule you want to configure, and click Configure HTTP.

3. On the Headers tab, click Add.

4. In the Search in list, click Request headers.

5. In the HTTP header text box, type Content-Encoding, and then click OK.

6. Click OK again to return to the Firewall Policy pane, and then click Apply to save the changes and update the firewall policy.

Because compressed HTTP traffic significantly reduces the security of the network, ISA rejects it by default. In practice, however, many Web sites and forums use gzip compression extensively to speed up access. If the site you want to publish uses gzip compression, you need to configure the ISA firewall to allow the Accept-Encoding request header.

Note: the OWA Publishing Wizard cannot be used to create an OWA publishing rule that allows the Accept-Encoding request header; the only way is to modify the IfpcWebPublishingProperties::SendAcceptEncodingHeader COM property.

Tristank's blog published a technical article on how to modify this property. The modified script is shown below: copy it into Notepad, save it as a .vbs file, change the rule name at the end of the file to the name of the rule you need to modify, and run it:

==================================================================================

''''''''''''''''''''''''''
' SaeHeader.vbs
' This script is provided "as is", without warranty.
' The user variable is at the bottom of the script, called "RuleName".
''''''''''''''''''''''''''

Function ToggleClientAcceptHeaders(TargetRuleName)
    Dim root
    Set root = CreateObject("FPC.Root")

    Dim firewall    ' an FPCArray object
    Dim policyRules ' an FPCPolicyRules collection

    Set firewall = root.GetContainingArray
    Set policyRules = firewall.ArrayPolicy.PolicyRules

    Dim rule
    For Each rule In policyRules
        If rule.Name = TargetRuleName Then
            WScript.Echo "Found target rule: " & rule.Name
            If rule.WebPublishingProperties.SendAcceptEncodingHeader = False Then
                WScript.Echo "SendAcceptEncodingHeader is DISABLED, now enabling."
                rule.WebPublishingProperties.SendAcceptEncodingHeader = True
            ElseIf rule.WebPublishingProperties.SendAcceptEncodingHeader = True Then
                WScript.Echo "SendAcceptEncodingHeader is ENABLED, now disabling."
                rule.WebPublishingProperties.SendAcceptEncodingHeader = False
            End If
            WScript.Echo "Saving rule..."
            rule.Save
        End If
    Next
    WScript.Echo "Done."
End Function

''''''''''''''''''''''''''
' Starts here
''''''''''''''''''''''''''

Dim RuleName
RuleName = "Test Headers rule" ' Should be unique; set this to the name of the rule you want to modify

Call ToggleClientAcceptHeaders(RuleName) ' Toggles the option for all rules with this name

=================================================================================

After the modification succeeds, restart the ISA Server service.

In this case, however, you will need to disable downloading of .zip files through the ISA firewall, because the ISA firewall treats a .zip file as zip-encoded content, denies access to it, and records the denial in the log. In addition, you can no longer configure HTTP application-layer filtering: as explained earlier, for security reasons the ISA firewall rejects data that it cannot inspect.
