Security Update MS05-034 might break outbound Web access on ISA Server 2000

Applying the security update MS05-034 might break outbound Web access on ISA Server 2000.

Security update MS05-034 might break outbound Web access on ISA Server 2000

By Stefaan Pouseele
June 2005
Last Update: 21/07/2005

After applying Microsoft Internet Security and Acceleration (ISA) Server 2000 Cumulative Security Update (version 1200.430 published on 14/6/2005), internal users might be unable to get outbound Web access. Instead they receive the following error message from the ISA server:

HTTP 502 Proxy Error - The ISA Server requires a secure channel connection to fulfill the request. ISA Server is configured to respond to outgoing secure (that is, Secure Sockets Layer (SSL)) channel requests. (12211) Internet Security and Acceleration Server.

The problem seems to be caused by the fix described in the KB article Basic Credentials May be Sent over an External HTTP Connection When SSL is Required. Although this fix should only change the default behavior on the Inbound Web Request listener, apparently it also changes the default behavior on the Outgoing Web Request listener. 

Therefore, if you need Basic Authentication on the Outgoing Web Request listener, add the following registry key to roll back that "fix":

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters\AllowAskBasicAuthOverNonSecureConnection : DWORD : 1

Microsoft is currently trying to gather numbers to understand the impact of this issue. So if you have customers with this complain, please call Microsoft PSS.

Update July 21, 2005
-----------------------

To correct the above problem, a hotfix is now available. Also, a new KB article 903236 describing the problem and solution should be live within a few days.

 

About Stefaan Pouseele

Stefaan Pouseele is a network engineer, working for Cevi NV in Belgium. On October 1, 2002 he received for the first time the prestigious Microsoft Most Valuable Professional (MVP) Award 2003 for his contribution to the ISA Server online community. To this very day, his award period was extended to 2008.

Click here for Stefaan Pouseele's section.

Share this article

Receive all the latest articles by email!

Get all articles delivered directly to your mailbox as and when they are released on ISAserver.org! Choose between receiving instant updates with the Real-Time Article Update, or a monthly summary with the Monthly Article Update. Sign up to the ISAserver.org Monthly Newsletter, written by ISA expert Dr. Tom Shinder, containing news, the hottest tips, ISA links of the month and much more. Subscribe today and don't miss a thing!



Receive all the latest articles by email!

Receive Real-Time & Monthly ISAserver.org article updates in your mailbox. Enter your email below!
Click for Real-Time sample & Monthly sample

Become an ISAserver.org member!

Discuss your ISA Server issues with thousands of other ISA Server experts. Click here to join!

Solution Center

Readers' Choice

Which is your preferred ISA Server Content Security solution?