Article ID: 813864 - View products that this article applies to.
This article has been archived. It is offered "as is" and will no longer be updated.
When you use Content Types (HTTP Content) in Site and Content Rules to deny or allow requests for downloading specific files (for example, .exe files), ISA Server does not deny or allow the request if you only have the file name extension (for example, .exe) configured in the appropriate Content Group.
This problem occurs only when you serve outgoing HTTP request through ISA Server.
This problem does not occur if you include the content type that is appropriate for the file name extension that you want to block or allow in the correct Content Group (for example, .application/octet-stream for the .exe file name extension). However, if you do this, you may experience other problems. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
319073(For more information about how to set the Content Type, see the "More Information" section of this article.)
(https://support.microsoft.com/kb/319073/EN-US/ )Web Pages May Not Display Correctly When You Deny the Application/Octet-Stream Content Type
The behavior occurs because ISA Server cannot deny or allow http requests based on file name extensions, regardless of whether you have configured this setting in HTTP Content of the appropriate Site and Content Rule.
To resolve this problem, obtain the Update Rollup for ISA Server Services. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
(https://support.microsoft.com/kb/810493/EN-US/ )INFO: Update Rollup for ISA Server Services
Hotfix InformationWARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=supportNote The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
After you apply this hotfix, you can control whether ISA Server blocks or allows requests based on file name extension or based on Content Type:
(https://support.microsoft.com/kb/297324/EN-US/ )Multiple Authentication Dialog Boxes Are Displayed When You Use Access Control
After you apply the hotfix and you set the
CheckOnlyFileExtensionAsContentType = 1registry value, you may notice that HTTP requests from some users are denied to URLs where you do not want to block requests. This behavior did not occur before you applied the hotfix.
This problem occurs because ISA Server denies all requests to the file name extensions that you have configured in the Site and Content Rules, regardless of whether the response is a file download (Binary Stream) or http content.
If you notice this issue, you can exclude URLs from being denied. Add these URLs as exceptions to the Site and Content Rules where you have defined the Content to be blocked. For example, assume that you have the following Site and Content Rule for blocking .exe file name extensions:
Site and Content Rule Name: Block exeRequests to http://www.northwindtraders.com/example.exe are denied because this rule blocks them. However, you do not want these requests to be blocked because the response to these requests is not the binary stream of the file (download). The response is ordinary text/html because this is a .cgi file that generates http content.
Enabled: True Rule
Applies to: All Destinations
Access to the specified destinations: Denied
Rule Applies to: Any Request
Rule Applies to: Selected Content Groups
Content Groups Selected: exe file extension
To exclude this URL from being blocked, follow these steps: