Overview

This article describes how to configure extra ISA rules that allow ClearTunnel to coexist with rules that use "Content Type" tab filtering.

Prerequisites

  • ISA 2006
  • wspsrv.exe version 5.0.5721.250 or later (see this article )
  • ClearTunnel 1.2 or later
  • A working ClearTunnel setup without using "content type" limits. I.e. don't try all this advanced config until you have a simpler config working and tested.. If your setup already doesn't work, all this will probably just confuse the issue even further.

Theory

There are three ISA limitations that need to be overcome.

  1. Using content type restrictions on a rule causes that rule to be skipped during the initial https CONNECT request, so we have to make another rule which can handle those, or else all proxy clients will fail to establish https sessions.
  2. Unfortunately having that special rule to satisfy #1 causes a new problem: now all the content types you meant to restrict will be able to flow through the specially created rule! So we will have to craft and place the new rule so that it can only be used for CONNECTs, and also not harm other traffic.
  3. ISA cannot recognize the content type of some internal CT traffic, so we need another special rule to explicitly allow it, but not encounter again issue #2 where the special rule will be too widely applied.

Definitions

For the purposes of this discussion:

  • Proxy rules: All your normal forward web proxy rules, i.e. all http/https rules that you define to allow and control outbound web access. You wish to use the "Content Types" tab to restrict one or more of these rules.
  • Connect rule: The special rule created to address issues #1 and #2 above.
  • Certificate rule: The special rule created to address issue #3 above.
  • Certificate URL set: The URL set created to address issue #3 above.

Workaround

Create the Connect rule with the following properties:

  • Allow
  • HTTPS protocol
  • From Internal
  • To External
  • For whatever set of users you wish to allow to initiate HTTPS connections. This depends on your Proxy rules. It may be "all users", "all authenticated" or some other subset depending on your needs.
  • Position this rule below all your Proxy rules
  • Go into the Protocols tab and select Filtering and Configure HTTP
  • In the Methods tab, select Allow only specific methods
  • Add the method CONNECT to the list

Create the Certificate URL set:

  • A new URL set
  • ┬áContaining one item:

    http://*/06A95EBB-2ABB-489a-B85B-0E92846F2159* 
  • ┬áThat has to be exact, so double check it

Create the Certificate rule with the following properties:

  • Allow
  • HTTP and HTTPS protocols
  • From Internal
  • To Certificate URL set
  • For all users
  • Position this rule above all your Proxy rules

After applying these settings, you should now be able to use Content Type restrictions in your Proxy rules.

Getting Help

If you have questions about this issue or other ClearTunnel configuration questions, please open a support request for further assistance.