Explanation on the 502 Error to Delta and Sun Sites
Information from Jim Harrison regarding the problems with connecting to the Delta, Sun and other sites that generated the 502 error:
Disabling filters may not help with www.delta.com, www.sun.com or any site that causes ISA 2004 SP2 to generate the following message:
Error Code: 502 Proxy Error. The HTTP request includes a non-supported header. Contact your ISA Server administrator. (12156)
The reason for the behavior you’re seeing is that new logic that was added in ISA 2004 SP2 to mitigate HTTP request smuggling. The process for this attack is a bit involved but the short story is that HRS depends on sending response headers that include both “Content-length:” and “transfer-encoding: chunked”.
A whitepaper on the subject is available here:
https://www.watchfire.com/securearea/whitepapers.aspx
RFC-2616 defines those two headers for the purpose of providing quantitative content validation for the receiver and states *very clearly* that the server MUST NOT combine them in the same response.
If the server is configured such that it does violate this edict, RFC-2616 then requires the receiving entity to ignore the content-length value and instead use the chunked-encoding technique to validate the length of the HTTP body.
This places a processing burden on the receiving entity (ISA, in this case), since a chunked-encoded transfer can’t be quantitatively validated until the transfer is completed. In the case of a proxy, additional processing is imposed due to caching behavior that may be dependent on content-size.
The reason those sites are either failing outright (www.delta.com) or rendering poorly (www.sun.com) is because we chose to reject those responses out-of-hand. Since RFC-2616 clearly states “don’t combine those headers” and doing so is a demonstrably malicious act, it seemed unlikely that ISA would cause problems for any other than malicious sites, and in fact, our testing validated this belief.
As it turns out, there are quite a few legitimate sites out there that violate this part of RFC-2616 and so we have had to rethink our answer to this problem.
PSS will have a public fix available shortly.
Jim

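To make the framing rule Jim describes concrete, here is an added example (not code from the post, from ISA Server, or from Microsoft) of the check a proxy has to make on an HTTP/1.1 response. It parses the response head, flags the RFC 2616 section 4.4 violation (both Content-Length and Transfer-Encoding: chunked present), and then shows the two possible policies side by side: the strict "reject the response" behaviour the post attributes to ISA 2004 SP2, and the RFC-compliant behaviour of ignoring Content-Length and decoding the chunked body. The sample responses are constructed for the example; the function names and the `policy` parameter are this example's own.

```python
"""Response-framing check for an HTTP/1.1 proxy (added example, not ISA code)."""
from typing import List, Optional, Tuple

Header = Tuple[bytes, bytes]

# Constructed sample: violates RFC 2616 4.4 by carrying both framing headers.
# This is the shape of response the post says legitimate sites were sending.
CONFLICTING_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 5\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"6\r\n world\r\n"
    b"0\r\n\r\n"
)

# Constructed sample: a well-formed, Content-Length delimited response.
CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)


def parse_head(raw: bytes) -> Tuple[List[Header], bytes]:
    """Split a raw response into lower-cased (name, value) headers and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: List[Header] = []
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def framing_conflict(headers: List[Header]) -> bool:
    """True when the response carries both Content-Length and chunked encoding."""
    has_cl = any(n == b"content-length" for n, _ in headers)
    has_te = any(n == b"transfer-encoding" and b"chunked" in v.lower()
                 for n, v in headers)
    return has_cl and has_te


def decode_chunked(body: bytes) -> bytes:
    """Decode a chunked body; raise ValueError if it is malformed or truncated."""
    out = bytearray()
    pos = 0
    while True:
        line_end = body.find(b"\r\n", pos)
        if line_end < 0:
            raise ValueError("incomplete chunk-size line")
        size = int(body[pos:line_end].split(b";")[0].strip(), 16)  # ignore extensions
        pos = line_end + 2
        if size == 0:
            return bytes(out)        # last-chunk reached; trailers ignored here
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        out += chunk
        pos += size + 2


def frame_body(raw: bytes, policy: str = "rfc") -> Optional[bytes]:
    """Return the body a proxy should forward, or None when the response is rejected.

    policy="strict": reject any response carrying both framing headers
                     (the out-of-hand rejection the post describes for SP2).
    policy="rfc":    apply RFC 2616 4.4: Transfer-Encoding wins and the
                     Content-Length value is ignored.
    """
    headers, body = parse_head(raw)
    if policy == "strict" and framing_conflict(headers):
        return None
    te = next((v for n, v in headers if n == b"transfer-encoding"), b"")
    if b"chunked" in te.lower():
        return decode_chunked(body)
    cl = next((v for n, v in headers if n == b"content-length"), None)
    if cl is None:
        return body                  # delimited by connection close
    length = int(cl)
    if len(body) < length:
        raise ValueError("body shorter than Content-Length")
    return body[:length]


if __name__ == "__main__":
    print(frame_body(CONFLICTING_RESPONSE, "strict"))   # None: rejected
    print(frame_body(CONFLICTING_RESPONSE, "rfc"))      # b'hello world'
    print(frame_body(CLEAN_RESPONSE))                   # b'hello'
```

The difference between the two policies is exactly the trade-off the post ends on: rejecting outright is cheap and unambiguous, but breaks every site that sends the conflicting pair, while honouring the chunked framing keeps those sites working at the cost of only knowing the body length once the last chunk arrives.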
Mike Says:
March 6th, 2006 at 9:13 am
Jim,
A few questions: who is PSS?
Is there a published phone number?
Is there any other place to get this “Private” fix?
Thanks,
Mike
Thomas Shinder Says:
March 6th, 2006 at 9:17 am
Hi Mike,
Check out http://support.microsoft.com/Default.aspx for PSS support options.
HTH,
Tom
Russ Says:
March 6th, 2006 at 9:56 am
I have been trying to get this fix all morning off of Microsoft and no one knows anything about a “private test hot-fix for ISA 2004”. I have called 1-800-936-4900, am I doing this right?
Russ Says:
March 6th, 2006 at 11:05 am
Well, after a good hour on the phone the tech had me disable the DiffServ web filter and the compression web filter. Worked like a charm after that,
Thanks,
Russ
Thomas Shinder Says:
March 6th, 2006 at 11:17 am
Hey guys,
PSS should now be up to speed on the fix. Give ‘em a call now and they’ll be able to fix you up.
HTH,
Tom
Thomas Shinder Says:
March 6th, 2006 at 7:08 pm
Hey guys,
PSS will have a public fix shortly. Stay tuned and I’ll announce its availability in the blog as soon as it’s out.
Tom
Thomas Shinder Says:
March 6th, 2006 at 9:07 pm
“Russ Says:
March 6th, 2006 at 11:05 am
Well after a good hour on the phone the tech had me disable the DiffServ webfilter and the compression web filter..worked like a charm after that,
Thanks,
Russ”
Hey, isn’t that what I recommended in my blog post on branch office features?
Thanks!
Tom
Mike Says:
March 7th, 2006 at 12:14 pm
I followed the post on the branch office features, disabled the diffserv, compression, and caching filters, it actually made things worse.
I just spent an hour on the phone with MS and they refuse to help unless I provide them with the article # which isn’t available yet (or $245 to open a case). So… Tom, is there any more information on when the public fix will be available?
Thomas Shinder Says:
March 7th, 2006 at 12:22 pm
Hi Mike,
PSS is coming out with a public fix very soon. So hold off on PSS and wait. It should be very very soon.
Tom
Mike Says:
March 7th, 2006 at 12:26 pm
Tom,
Thanks, I just have a CEO that is beating me up because he can’t get his stock quotes anymore…
Mike
Thomas Shinder Says:
March 7th, 2006 at 12:32 pm
Hi Mike,
Arg! I feel your pain. Might be time to uninstall SP2 if that’s what’s going on for you now.
Tom
Michael Brunson, Carlsbad, CA Says:
March 7th, 2006 at 5:27 pm
Is PSS also dealing with the ITunes issue in this patch? I can’t find the thread that deals with HTTP compression and whether it is important or not.
Michael
Thomas Shinder Says:
March 7th, 2006 at 8:35 pm
Hi Michael,
I wasn’t aware that SP2 did anything to iTunes.
Tom
Michael Brunson, Carlsbad, CA Says:
March 7th, 2006 at 9:06 pm
Hi Tom,
Here is the thread I found that suggested turning HTTP compression filter off:
http://www.mcse.ms/archive99-2006-2-2030931.html
I now have two small biz customers who have complained about itunes download failing after SP2. Turning the filter off definitely fixes the problem, but I am not sure of the security ramifications.
Michael
Thomas Shinder Says:
March 7th, 2006 at 9:08 pm
Hi Michael,
Not sure. I suspect it’s the same issue and it should be fixed with the SP2 update.
Tom