FIX: Site and Content Rules Do Not Filter Based on File Name Extensions

Article ID: 813864 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

When you use Content Types (HTTP Content) in Site and Content Rules to deny or allow requests for downloading specific files (for example, .exe files), ISA Server does not deny or allow the request if you only have the file name extension (for example, .exe) configured in the appropriate Content Group.

This problem occurs only when you serve outgoing HTTP request through ISA Server.

This problem does not occur if you include the content type that is appropriate for the file name extension that you want to block or allow in the correct Content Group (for example, .application/octet-stream for the .exe file name extension). However, if you do this, you may experience other problems. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
319073
(http://support.microsoft.com/kb/319073/EN-US/ )
Web Pages May Not Display Correctly When You Deny the Application/Octet-Stream Content Type
(For more information about how to set the Content Type, see the "More Information" section of this article.)
Back to the top | Give Feedback

CAUSE

The behavior occurs because ISA Server cannot deny or allow http requests based on file name extensions, regardless of whether you have configured this setting in HTTP Content of the appropriate Site and Content Rule.
Back to the top | Give Feedback

RESOLUTION

To resolve this problem, obtain the Update Rollup for ISA Server Services. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
810493
(http://support.microsoft.com/kb/810493/EN-US/ )
INFO: Update Rollup for ISA Server Services

Hotfix Information

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
(http://support.microsoft.com/contactus/?ws=support)
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
After you apply this hotfix, you can control whether ISA Server blocks or allows requests based on file name extension or based on Content Type:
  • If you want ISA Server to block requests based only on the file name extension, add the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters\CheckOnlyFileExtensionAsContentType : DWORD : 1
  • If you want ISA Server to block requests based only on Content Type, add the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters\CheckOnlyFileExtensionAsContentType : DWORD : 0
Note If you receive authentication prompts after you install this hotfix and add the correct registry entries, apply the registry change that appears in the following article in the Microsoft Knowledge Base:
297324
(http://support.microsoft.com/kb/297324/EN-US/ )
Multiple Authentication Dialog Boxes Are Displayed When You Use Access Control
Back to the top | Give Feedback

MORE INFORMATION

After you apply the hotfix and you set the
CheckOnlyFileExtensionAsContentType = 1
registry value, you may notice that HTTP requests from some users are denied to URLs where you do not want to block requests. This behavior did not occur before you applied the hotfix.

This problem occurs because ISA Server denies all requests to the file name extensions that you have configured in the Site and Content Rules, regardless of whether the response is a file download (Binary Stream) or http content.

If you notice this issue, you can exclude URLs from being denied. Add these URLs as exceptions to the Site and Content Rules where you have defined the Content to be blocked. For example, assume that you have the following Site and Content Rule for blocking .exe file name extensions:
Site and Content Rule Name: Block exe
Enabled: True Rule
Applies to: All Destinations
Access to the specified destinations: Denied
Rule Applies to: Any Request
Rule Applies to: Selected Content Groups
Content Groups Selected: exe file extension
Requests to http://www.northwindtraders.com/example.exe are denied because this rule blocks them. However, you do not want these requests to be blocked because the response to these requests is not the binary stream of the file (download). The response is ordinary text/html because this is a .cgi file that generates http content.

To exclude this URL from being blocked, follow these steps:
  1. Open the ISA Server MMC.
  2. Click Policy Elements.
  3. Click Destination Sets.
  4. Right-click Destination Sets, and then add a new Destination Set named exception.
  5. Type www.northwindtraders.com for the Destination of this new destination set.
  6. Click Access Rules.
  7. Click Site and Content Rules.
  8. Open the blocking .exe extensions Site and Content Rule, and then click Destinations.
  9. Under This Rule applies to, click All Destinations except Selected Set.
  10. Click the exception destination set that you created in step 4.
Back to the top | Give Feedback

Properties

Article ID: 813864 - Last Review: June 14, 2007 - Revision: 1.5
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2000 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2000 Service Pack 1
Keywords: 
kbautohotfix kbhotfixserver kbqfe kbqfe kbisaserv2000presp2fix kbfix kbbug KB813864
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top