Blog du Tristank

So terrific that 3 of 4 readers rated it "soporific"

Blogs

ISA 2004 vs HTTP Compression

  • Comments 5
  • Likes

Been a while since a dedicated ISA post, so Happy New Year to my ISA-focused readers!

I spotted this post in my ISA Server watch list, from the new Port 80 Software blog.

As they mentioned, we've published the mother of all KB articles on how the HTTP Filter in ISA 2004 behaves with compressed (Gzip encoded) content:
http://support.microsoft.com/default.aspx?scid=kb;en-us;838365

The really, really short version is that for Web Publishing rules, the IFPCWebPublishingProperties::SendAcceptEncodingHeader property can be used to toggle compressed content on, but ISA won't be able to inspect the contents of compressed traffic thereafter - only the headers. So, you get compression at the cost of inspection (and caching of the compressed content, for the same sort of reason).

The OWA publishing wizard enables SendAcceptEncodingHeader automatically for OWA rules, but if you set your own "faux OWA" rule up with the Web Publishing Wizard, the property isn't set.

My initial reaction to anything with a :: (blup blup) in it is "oh no! I have to re-learn C++!", but there's no cause for alarm - ISA is easily scripted- just grab the SDK, and take a look through the samples. If you want to throw your own script together to toggle this property, I've posted an example below. Of course, the truly devious will just create an OWA rule, then re-purpose it to their own needs :). As always, unsupported, and there's more than one way to skin a cat, mileage may vary, etc.

The code is here:

''''' SAEHeader.vbs

''''' This script is a SAMPLE ONLY and is provided as is, without warranty

''''' The user variable is at the bottom of the script, called "rulename"

 

Function ToggleClientAcceptHeaders(targetrulename)

 

    Dim root

    Set root = CreateObject("FPC.Root")

 

    Dim firewall    ' An FPCArray object

    Dim policyrules ' An FPCPolicyRules collection

 

    Set firewall = root.GetContainingArray

    Set policyrules = firewall.ArrayPolicy.PolicyRules

 

      for each rule in policyrules

 

            if rule.Name = targetrulename  then

           

                  wscript.echo " Found target rule: " + rule.Name

 

                  if rule.WebPublishingProperties.SendAcceptEncodingHeader = false then

                 

                        wscript.echo "   SendAcceptEncodingHeader WAS DISABLED, now ENABLING."

                        rule.WebPublishingProperties.SendAcceptEncodingHeader = true

                       

                  elseif rule.WebPublishingProperties.SendAcceptEncodingHeader = true then

                 

                        wscript.echo "   SendAcceptEncodingHeader WAS ENABLED, now DISABLING."

                        rule.WebPublishingProperties.SendAcceptEncodingHeader = false

                       

                  end if

 

                  wscript.echo "Saving Rule..."

                  rule.Save

 

            end if

 

      next

 

      wscript.echo "Done."

 

End Function

 

''''''''''''''''''''''''''

''''' Program starts here

''''''''''''''''''''''''''

 

dim rulename

rulename = "Test Headers Rule" ' Should be unique

 

ToggleClientAcceptHeaders(rulename) ' set the option for all rules with this name

--

This gets hit in some scenarios from time to time - I hit this with an OWA deployment where the OWA wizard hadn't been used to configure the publishing rules.  The effect in that case was to disable ZIP files being downloaded through the ISA Server, as they were sniffed to be Zip encoded, and disallowed (the Firewall Logs showed something about the HTTP filter dropping the traffic).

Comments
  • Tiernans Blog » Enabling compression to pass though ISA 2004

  • >ISA won't be able to inspect the contents of compressed traffic thereafter - only the headers

    Erm, maybe I'm missing something, but why not? Just decompress it and look at the data. It ain't encrypted.

  • You're not missing anything; it just wasn't designed to do that (yet?).

    It's something that a Web Filter could do in conjunction with ISA, so that ISA inspects the decompressed content before the filter re-encodes it.

    There was some (outside MS) talk of someone coding something like this a while back, but I don't think it ever actually happened.

  • Squeeze those bits out!
     
    http://weblogs.asp.net/tristank/archive/2005/01/12/351223.aspx