Incorrect Canonicalization in Rules Engine

Article translations Article translations
Article ID: 321846 - View products that this article applies to.
This article was previously published under Q321846
This article has been archived. It is offered "as is" and will no longer be updated.
Expand all | Collapse all

SYMPTOMS

Some specific URLs are not blocked by the Rules engine even when they are denied by a Site and Content rule. If a Site and Content rule exists that denies access to a specific destination such as www.example.com, a user can still visit that site if they type the destination in the following format:
www.example.com.
Note the period at the end of the domain name (also known as the "root" in DNS terms).

CAUSE

This problem may occur because of incorrect canonicalization. The Internet Security and Acceleration (ISA) Server rules engine does not match a requested domain name that specifies the root (.) unless the domain in the Destination Set also contains the root (.).

RESOLUTION

You must install ISA Server Service Pack 1 (SP1) before you apply the following hotfix.

For additional information about how to obtain the latest ISA Server service pack, click the article number below to view the article in the Microsoft Knowledge Base:
313139 How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack
The following file is available for download from the Microsoft Download Center:
Download Isahf174.exe now.
Release Date: May 8, 2002

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. To install the fix, run the self-extracting file. You do not have to restart the ISA Server computer. If the computer is part of an ISA Server array, you do not have to shut the whole array down; you can still install this fix on a one-by-one basis.

The English version of this fix should have the following file attributes or later:
   Date        Time   Version       Size     File name
   -----------------------------------------------------
   5-May-2002  11:30  3.0.1200.174  384,272  W3proxy.exe
				
NOTE: This fix also applies to the French, German, Spanish, and Japanese versions of ISA Server.


WORKAROUND

To work around this problem without the hotfix and block requests that specify the root such as
www.example.com.
you must add a destination for www.example.com. in the corresponding Destination set.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

For additional information about another problem that this hotfix resolves, click the article number below to view the article in the Microsoft Knowledge Base:
319374 Web Proxy Service Stops Responding

Properties

Article ID: 321846 - Last Review: October 24, 2013 - Revision: 2.3
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2000 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2000 Service Pack 1
Keywords: 
kbnosurvey kbarchive kbhotfixserver kbqfe kbbug kbenv kbfix kbqfe kbui KB321846

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com