This article has been archived. It is offered "as is" and will no longer be updated.
When you use Content Types (HTTP Content) in Site and Content Rules to deny or allow requests for downloading specific files (for example, .exe files), ISA Server does not deny or allow the request if you only have the file name extension (for example, .exe) configured in the appropriate Content Group.
This problem occurs only when you serve outgoing HTTP requests through ISA Server.
This problem does not occur if you include the content type that is appropriate for the file name extension that you want to block or allow in the correct Content Group (for example, application/octet-stream for the .exe file name extension). However, if you do this, you may experience other problems. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
319073 Web Pages May Not Display Correctly When You Deny the Application/Octet-Stream Content Type
(For more information about how to set the Content Type, see the "More Information" section of this article.)
The behavior occurs because ISA Server cannot deny or allow HTTP requests based on file name extensions, regardless of whether you have configured this setting in HTTP Content of the appropriate Site and Content Rule.
To resolve this problem, obtain the Update Rollup for ISA Server Services. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
810493 INFO: Update Rollup for ISA Server Services
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
After you apply this hotfix, you can control whether ISA Server blocks or allows requests based on file name extension or based on Content Type:
If you want ISA Server to block requests based only on the file name extension, add the following registry key:
Note If you receive authentication prompts after you install this hotfix and add the correct registry entries, apply the registry change that appears in the following article in the Microsoft Knowledge Base:
297324 Multiple Authentication Dialog Boxes Are Displayed When You Use Access Control
After you apply the hotfix and you set the CheckOnlyFileExtensionAsContentType = 1 registry value, you may notice that HTTP requests from some users are denied to URLs where you do not want to block requests. This behavior did not occur before you applied the hotfix.
This problem occurs because ISA Server denies all requests to the file name extensions that you have configured in the Site and Content Rules, regardless of whether the response is a file download (Binary Stream) or HTTP content.
If you notice this issue, you can exclude URLs from being denied. Add these URLs as exceptions to the Site and Content Rules where you have defined the Content to be blocked. For example, assume that you have the following Site and Content Rule for blocking .exe file name extensions:
Site and Content Rule Name: Block exe
Enabled: True
Rule Applies to: All Destinations
Access to the specified destinations: Denied
Rule Applies to: Any Request
Rule Applies to: Selected Content Groups
Content Groups Selected: exe file extension
Requests to http://www.northwindtraders.com/example.exe are denied because this rule blocks them. However, you do not want these requests to be blocked because the response to these requests is not the binary stream of the file (download). The response is ordinary text/html because this is a .cgi file that generates HTTP content.
To exclude this URL from being blocked, follow these steps:
1. Open the ISA Server MMC.
2. Click Policy Elements.
3. Click Destination Sets.
4. Right-click Destination Sets, and then add a new Destination Set named exception.
5. Type www.northwindtraders.com for the Destination of this new destination set.
6. Click Access Rules.
7. Click Site and Content Rules.
8. Open the blocking .exe extensions Site and Content Rule, and then click Destinations.
9. Under This Rule applies to, click All Destinations except Selected Set.
10. Click the exception destination set that you created in step 4.
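The following Python sketch is an added example, not Microsoft code and not ISA Server's implementation. It models the "Block exe" rule described above under four configurations: extension only without the hotfix, the application/octet-stream workaround, the CheckOnlyFileExtensionAsContentType = 1 registry value, and that value combined with the exception destination set. The function names, the downloads.example.test host and the sample requests are constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Simplified model of the "Block exe" rule; not ISA Server's own logic.
BLOCKED_EXTENSIONS = {".exe"}                     # "exe file extension" content group
OCTET_STREAM = {"application/octet-stream"}       # content type added as a workaround
EXCEPTION_HOSTS = {"www.northwindtraders.com"}    # the "exception" destination set

# Constructed sample requests: (URL, Content-Type of the response).
SAMPLES = [
    ("http://www.northwindtraders.com/example.exe", "text/html"),
    ("http://downloads.example.test/setup.EXE?v=2", "application/octet-stream"),
    ("http://downloads.example.test/index.html", "text/html; charset=utf-8"),
]


def url_extension(url):
    """Extension of the URL path only; the query string is ignored."""
    return posixpath.splitext(urlsplit(url).path)[1].lower()


def is_denied(url, content_type, check_only_extension,
              use_exception_set=False, blocked_types=frozenset()):
    """True when the modelled rule denies the request.

    check_only_extension models CheckOnlyFileExtensionAsContentType = 1.
    """
    host = (urlsplit(url).hostname or "").lower()
    if use_exception_set and host in EXCEPTION_HOSTS:
        return False  # "All Destinations except Selected Set"
    if check_only_extension:
        # The URL alone decides; the response type is never consulted.
        return url_extension(url) in BLOCKED_EXTENSIONS
    # Without the registry value only the response Content-Type can match.
    media_type = content_type.split(";")[0].strip().lower()
    return media_type in blocked_types


def evaluate(check_only_extension, use_exception_set=False, blocked_types=frozenset()):
    """Decision for each constructed sample, in order."""
    return [is_denied(u, ct, check_only_extension, use_exception_set, blocked_types)
            for u, ct in SAMPLES]


if __name__ == "__main__":
    print("extension only, no hotfix:", evaluate(False))
    print("octet-stream workaround: ", evaluate(False, blocked_types=OCTET_STREAM))
    print("registry value = 1:      ", evaluate(True))
    print("value = 1 + exception:   ", evaluate(True, use_exception_set=True))
```

In this model the exception applies to every path on www.northwindtraders.com, so a binary .exe download from that host is allowed as well.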