Figure 1 : Add-in component supports HTTP filter in ISA Server 2006 HTTP
Webfilter function
Webfilter in ISA Server 2006 is responsible for performing the following tasks:
• Scan and edit HTTP requests.
• Analysis of network traffic.
• Scan and edit HTTP responses.
• Eliminate some specific HTTP responses.
• Encrypt and compress data.
There are also many other functions that are not very important, so we are not easy to list here.
Important :
The HTTP Filter in ISA Server 2006 has a number of specific rules, except for the maximum length set for the Header. The maximum length for Header (Maxium Header) follows all the rules in the firewall with HTTP protocol definitions like other components.
Noteworthy :
The HTTP Filter in ISA Server 2006 is also capable of filtering HTTPS traffic but only in case of comparison Web Servers using HTTPS Bridging. If you want to check that HTTPS is about to expire via ISA Server 2006 HTTP filters, you must use the software developed by the third party.
Configure the HTTP Filter filter
If you want to start configuring the HTTP filter, right-click on a rule that contains the HTTP protocol definition and select Configure HTTP from the context menu.
Figure 2 : General settings for ISA Server 2006 HTTP filters.
Request Header
Maximum Headers length (bytes) : is the maximum number of bytes for an HTTP request in the URL and HTTP Header until ISA Server removes the request.
Request Payload
Maximum payload length (bytes) : With this option you can limit the maximum number of bytes for users when sending requests such as HTTP POST in the Web Server environment.
URL-Protection
Maximum URL Length (Bytes) : The maximum length of a URL is allowed.
Maximum Query length (Bytes) : the maximum length of a URL in an HTTP request.
Verify normalization
You can select this check box to specify the URL path requirements containing uppercase characters after the lowercase letters and will be replaced with lowercase letters. Normalization is the process of decoding encrypted URL requests. After decoding, the URL will be normal again to make sure that the program does not use the% character when coding the URL. If the HTTP Filter finds a different point in the URL after the second normalization, the requests will be removed.
Block High bit character
URL paths containing Double-byte Character (DBCS) or Latin1 will be removed if this setting is enabled. A normal trigger setting will remove languages that require more than 8 bits in the character display.
Executables
Remove responses that contain Windows executable content. This option eliminates the download and execution of executable content such as EXE files.
Next we will configure the allowed or removed HTTP methods.
Figure 3 : HTTP methods
In this example we are removing the HTTP POST command so no one can upload content to external websites.
Figure 4
Remove executables
With this option you can remove or allow some specific file extensions in the Firewall (Firewall) rule.
Figure 5 : Use ISA Server 2006 to remove some file extensions
Remove requests that contain vague extension names
This option instructs the HTTP filter to remove all extended file names ISA Server 2006 cannot be identified.
In this example we will remove access to the .EXE file extension name.
Figure 6 : Removing the extension file name .EXE
HTTP Header control
When a Web Client sends a request to the Web Server or the Web Server responds to the request, the first part of the answer is an HTTP request or HTTP response. After the HTTP request or HTTP response, Client or Server sends HTTP Header. The Request Header field allows the Client to send additional information to the Server. HTTP Header contains information about browsers, operating systems and licensing details . The client Header uses the User-Agent distribution to determine which application is responsible for executing the request.
With the help of the HTTP Filter, you can remove certain HTTP Headers if you want.
Figure 7 : Header section of the HTTP Filter filter.
The settings in the Server Header field give the administrator the ability to control the removal of HTTP Headers or edit HTTP Headers in replies and some other settings.
In the example below we use the HTTP Header component in ISA Server 2006 to remove Kazaa, the information is on the Request Header.
Figure 8 : Eliminate Kazaa
Symbols in HTTP Filter
An HTTP symbol may exist in the HTTP body or the header. You can use HTTP symbols to deny execution on specific applications. To find a specific HTTP symbol, you must know which signature is used for which application. Some documents on the Internet can help you get more information about HTTP symbols, but you can also use network sniffer to identify these symbols. I will show you how to use the network sniffer below.
Important :
Filtering HTTP symbols in ISA Server 2006 can only be performed when requests and responses are UTF-8 encoded.
Figure 9 : Removing HTTP symbols
In the example below we will remove access to the Windows Live Messenger protocol.
Figure 10 : Remove Windows Live Messenger
If you want to know more about application signs, please click here.
Important :
ISA Server 2006 only checks the first 100 bytes in the request and response body. You can increase the maximum number of bytes but this will make some Server implementations less effective.
HTTP error message if HTTP Filter removes content
Figure 11 : Notice of HTTP Filter access
Find out how specific HTTP Headers are
To find unknown HTTP symbols, you can use a network sniffer like Windows Netmon 3.0 to detect HTTP network traffic.
The illustration below shows a sample network pattern detection on Microsoft Netmon 2.0, but you can use any other network monitoring program such as Wireshark (formerly Ethereal).
Figure 12 : Detecting Netmon HTTP
This example provides a type request (GET), requires HTTP Header (HTTP / 1.1) User-Agent (Mozilla / 4.0) and a symbol (MSIE 6.0).
HTTPFILTERCONFIG.VBS
You can use HTTPFILTERCONFIG.VBS from directory C: PROGRAMMEMICROSOFT ISA SERVER 2006 SDKSDKSAMPLESADMIN on the ISA Server 2006 SDK to import and export HTTP-Filter configurations.
Figure 13 : HTTPFILTERCONFIG.VBS on the ISA 2006 SDK
Conclude
In this article we learned how the ISA Server 2006 HTTP filter works. The HTTP Filter in ISA Server 2006 is a great tool to remove some dangerous content to protect against malicious code. or Trojan, worm. You can also use the HTTP Filter to remove specific HTTP symbols. Removing these symbols will help administrators restrict certain types of applications such as Windows Live Messenger. These types of applications are created from HTTP if the protocol is normally removed by restrictive portions of the firewall.