ISA HTTP 302 Location header fixed with ZXTM Traffic Script

Posted: May 29th, 2009 under ISA Server, Zeus ZXTM.

I recently had to debug this tricky little problem with ISA 2006. ISA decided for some reason (that I am yet to get to the bottom of) that it didn’t like the Location response header received from the web servers and changed the header from HTTPS://hostname/url to HTTP://hostname/url.

First off, I tried to eliminate any ISA functionality that may cause this behaviour by design. As I have ZXTMs in the environment, I disabled link translation globally and checked that the HTTP filter on the listener wasn’t configured to manipulate response headers in any way.

Here’s the problem. (This is a complex local government network with many thousands of users at tens, if not hundreds, of WAN-linked locations.)

 

The web server has a site that controls SSL. The client requests a URL that needs to be SSL. The web server issues a HTTP 302 redirect (see below). Between the internal interface of the ISA server and the external interface, the Location header in the response to the client is modified from HTTPS to HTTP. This is bad and results in an infinite loop of request and 302 response.

Request and HTTP 302 Response

Wireshark capture at Zone B ISA

We still have a HTTPS URL in the Location Header.

Wireshark Capture at Zone A ISA

And now we don’t have a HTTPS Location Header
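
The comparison made with the two Wireshark captures can also be scripted. The following is an added example, not code from the original post: it parses the response head seen on each side of ISA and reports when a redirect's Location went from https to http. The sample responses are constructed, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample captures; "hostname" and "/url" are placeholders.
ZONE_B_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://hostname/url\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<a href='https://hostname/url'>here</a>"
)
# Same response as seen after ISA: only the Location scheme differs.
ZONE_A_RESPONSE = ZONE_B_RESPONSE.replace(
    b"Location: https://", b"Location: http://", 1
)


def parse_head(raw):
    """Return (status_code, {lowercased header name: value}) from a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def location_downgraded(inner_raw, outer_raw):
    """True if a redirect's Location changed from https to http between captures."""
    inner_status, inner = parse_head(inner_raw)
    outer_status, outer = parse_head(outer_raw)
    if not (300 <= inner_status < 400 and 300 <= outer_status < 400):
        return False
    before = urlsplit(inner.get("location", ""))
    after = urlsplit(outer.get("location", ""))
    # Only flag it when host, path and query are unchanged and just the scheme moved.
    same_target = (before.netloc.lower(), before.path, before.query) == (
        after.netloc.lower(), after.path, after.query)
    return before.scheme == "https" and after.scheme == "http" and same_target


if __name__ == "__main__":
    print("Location downgraded:", location_downgraded(ZONE_B_RESPONSE, ZONE_A_RESPONSE))
```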

Anyone who knows why ISA would modify the Location header in the response, please feel free to enlighten me :). The ISA configuration is a basic firewall configuration with a web publishing rule sending requests to the ZXTM IP behind the ISA internal interfaces.

 

In a less complex deployment you probably would not have this issue, but this solution had ISA due to client requirements to use some of the functionality provided by ISA Server.

ZXTM traffic script to the rescue!

This problem can be addressed in a number of ways. You could add a custom HTTP header and check it once the response hits the external interface on the ZXTM. In this example the response body also contained the full https URL, so the traffic script below looks for this and, when it finds such a 302 response, rewrites the Location header:
 

 

# Response rule: read the Location header, body and status code of the response
$responseLocation = http.getResponseHeader("Location");
$body = response.get();
$responseCode = http.getResponseCode();

# Debug logging (logs the full body of every response)
log.info( "Location at Zone A ZXTM is : " . $responseLocation );
log.info( "Body is : " . $body );

# Test for HTTP 302, Location is HTTP and body contains HTTPS
if( ($responseCode == 302)
    && string.startsWith( $responseLocation, "http://" )
    && string.contains( $body, "a href='https://" ) ) {

   # Rewrite location header
   $responseLocation = string.replace( $responseLocation, "http:", "https:" );

   #log.info( "Location has been rewritten to : " . $responseLocation );

   http.setResponseHeader( "Location", $responseLocation );
}

The traffic script is so powerful and this is why I love working with ZXTMs!

Happy Scripting….

1 Comment »

  • Comment by Christian — March 30, 2010 @ 2:52 pm

    Same problem here.
    Still no luck in fixing this because we don’t use ZXTM…

