Link translation causes an endless loop when you use Web servers that redirect HTTP requests as HTTPS requests in ISA Server, Microsoft Forefront Threat Management Gateway Medium Business Edition, or Windows Essential Business Server 2008

Article ID: 924373

SYMPTOMS

Consider the following scenario:
  • You have a computer that is running Microsoft Internet Security and Acceleration (ISA) Server 2006, ISA Server 2004, Microsoft Forefront Threat Management Gateway Medium Business Edition, or Windows Essential Business Server 2008 in a split DNS infrastructure.
  • You have a Web server that automatically redirects HTTP requests to Secure Sockets Layer (SSL) requests.
  • You create a Web publishing rule for the Web server that redirects HTTP requests to HTTPS.
  • You use one of the following configurations:
    • You configure the Web listener to listen for HTTP requests and also to use bridging.
    • You configure the Web listener and the bridging for both HTTP and for SSL requests (HTTPS).
In this scenario, when the Web server receives an HTTP request, it redirects the request to the ISA server as an SSL request (HTTPS). For example, http://www.contoso.com is redirected to https://www.contoso.com.

Then, the ISA server, Microsoft Forefront Threat Management Gateway Medium Business Edition, or Windows Essential Business Server 2008 translates the SSL request to an HTTP request and sends it to the Web server, which redirects it to HTTPS again. This causes an endless loop.

WORKAROUND

To work around this issue, use one of the following methods, as appropriate for your situation.

Method 1: Redirect HTTP to HTTPS

If you are running ISA Server 2006, you can use the new feature that is included with ISA Server 2006 to redirect HTTP to HTTPS. To do this, follow these steps:
  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. Expand Microsoft Internet Security and Acceleration Server 2006, expand Server Name, and then click Firewall Policy.

    Note For ISA Server 2006 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, expand Array Name, and then click Firewall Policy.
  3. On the Toolbox tab, click Network Objects, expand Web Listeners, right-click the Web listener, and then click Properties.
  4. Select Enable HTTP connections on port, and then confirm that the listening port for HTTP is 80. Confirm that Enable SSL (HTTPS) connections on port is selected and is listening on port 443.
  5. Select Redirect all traffic from HTTP to HTTPS.
  6. Click OK, and then click Apply to save the changes and to update the configuration.
If you are running Microsoft Forefront Threat Management Gateway Medium Business Edition or Windows Essential Business Server 2008, you can use the same feature that was introduced with ISA Server 2006 to redirect HTTP to HTTPS. To do this, follow these steps:
  1. Click Start, click Programs, and then click Microsoft Forefront Threat Management Gateway, Medium Business Edition Management under Microsoft Forefront Threat Management Gateway, Medium Business Edition.
  2. Expand Microsoft Forefront Threat Management Gateway, Medium Business Edition, expand Arrays, expand Array Name, and then click Firewall Policy.
  3. On the Toolbox tab, click Network Objects, expand Web Listeners, right-click the Web listener, and then click Properties.
  4. Select Enable HTTP connections on port, and then confirm that the listening port for HTTP is 80.
  5. Confirm that Enable SSL (HTTPS) connections on port is selected and is listening on port 443.
  6. Select Redirect all traffic from HTTP to HTTPS.
  7. Click OK, and then click Apply to save the changes and to update the configuration.

Method 2: Add explicit mappings

Add explicit mappings to the link translation dictionary. These explicit mappings will avoid an endless loop that is created when ISA server, Microsoft Forefront Threat Management Gateway Medium Business Edition, or Windows Essential Business Server 2008 translates SSL requests to HTTP requests and redirects them to the Web server.

For example, add an explicit "do nothing" string mapping such as https://www.contoso.com to https://www.contoso.com. This "do nothing" mapping overrides the unwanted translation that causes the endless loop. To do this, follow these steps:
  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. Expand Microsoft Internet Security and Acceleration Server 2006 or Microsoft Internet Security and Acceleration Server 2004, expand Server Name, and then click Firewall Policy.
  3. In the details pane, click the applicable Web publishing rule.
  4. On the Tasks tab, click Edit Selected Rule.
  5. On the Link Translation tab, click Configure, and then click Add.
  6. In the Replace this text box, type the explicit string that you want to add to the link translation dictionary. For example, type https://www.contoso.com.
  7. In the With this text box, type the same string that you added in step 6. For example, type https://www.contoso.com again.

    Note When you type the same string in the Replace this text box and the With this text box, the ISA server does not translate SSL requests to HTTP requests for that string entry.
  8. Click OK two times.
  9. Click Apply, and then click OK.
For Microsoft Forefront Threat Management Gateway Medium Business Edition or Windows Essential Business Server 2008, follow these steps:
  1. Click Start, click Programs, and then click Microsoft Forefront Threat Management Gateway, Medium Business Edition Management under Microsoft Forefront Threat Management Gateway, Medium Business Edition.
  2. Expand Microsoft Forefront Threat Management Gateway, Medium Business Edition, expand Arrays, expand Array Name, and then click Firewall Policy.
  3. In the details pane, click the applicable Web publishing rule.
  4. On the Tasks tab, click Edit Selected Rule.
  5. On the Link Translation tab, click Configure, and then click Add.
  6. In the Replace this text box, type the explicit string that you want to add to the link translation dictionary. For example, type https://www.contoso.com.
  7. In the With this text box, type the same string that you added in step 6. For example, type https://www.contoso.com again.
    Note When you type the same string in the Replace this text box and the With this text box, the Forefront Threat Management Gateway Medium Business Edition or Windows Essential Business Server 2008 server does not translate SSL requests to HTTP requests for that string entry.
  8. Click OK two times.
  9. Click Apply, and then click OK.
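
The loop and the effect of the "do nothing" mapping from Method 2 can be reproduced in a small model. The following Python code is an added example, not Microsoft code or part of ISA Server; the function names, the implicit https-to-http dictionary entry, and the explicit-before-implicit lookup order are assumptions that stand in for the behavior this article describes.

```python
# Simplified, constructed model of the publishing scenario in this article.
# Nothing here calls ISA Server; all names are hypothetical.
from urllib.parse import urlsplit

PUBLIC = "www.contoso.com"  # example host name used in the article

def web_server(url):
    """Published Web server: redirects every HTTP request to HTTPS."""
    parts = urlsplit(url)
    if parts.scheme == "http":
        return 302, "https://" + parts.netloc + parts.path
    return 200, None

def translate(location, explicit):
    """Apply the link translation dictionary to a Location header.

    Assumption: explicit entries are consulted before the implicit
    https -> http entry, which models the unwanted translation.
    """
    implicit = {"https://" + PUBLIC: "http://" + PUBLIC}
    for table in (explicit, implicit):
        for old, new in table.items():
            if location.startswith(old):
                return new + location[len(old):]
    return location

def proxy(url, explicit):
    """Forward the request to the Web server and translate any redirect."""
    status, location = web_server(url)
    if status == 302:
        location = translate(location, explicit)
    return status, location

def follow(url, explicit, max_hops=10):
    """Follow redirects as a browser would; report a loop when a URL repeats."""
    seen = []
    while url not in seen and len(seen) < max_hops:
        seen.append(url)
        status, location = proxy(url, explicit)
        if status != 302:
            return "ok", seen
        url = location
    return "loop", seen

if __name__ == "__main__":
    start = "http://" + PUBLIC
    do_nothing = {"https://" + PUBLIC: "https://" + PUBLIC}
    print(follow(start, {}))          # implicit translation only
    print(follow(start, do_nothing))  # with the Method 2 mapping
```

The same `follow` check can be pointed at a function that issues real requests without following redirects, which makes it usable as a post-change test for a publishing rule.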

MORE INFORMATION

For more information about ISA Server 2006, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/forefront/edgesecurity/bb758895.aspx
For more information about ISA Server 2004, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/forefront/edgesecurity/bb758895.aspx

Properties

Article ID: 924373 - Last Review: December 29, 2008 - Revision: 3.1
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2004 Standard Edition
  • Windows Essential Business Server 2008 Standard
  • Microsoft Forefront Threat Management Gateway, Medium Business Edition
Keywords: kbtshoot kbprb KB924373
