Export (0) Print
Expand All

Typical HTTP Policies for Web and Outlook Web Access Publishing Rules

If you do not want to create your own HTTP policy, start with these baseline HTTP policies for Web and Exchange Web client access publishing, and modify them to match your corporate policy.

If you do not want to configure these policies through the ISA Server user interface (UI), the Extensible Markup Language (XML) document and instructions for importing each of the policies are provided in Appendix A: Importing Typical HTTP Policies for Web and Outlook Web Access Publishing Rules.

For Web publishing, create an HTTP policy with the parameters shown in this table.

Tab Parameter

General

Maximum headers length is 32768.

Allow any payload length is selected.

Maximum URL length is 260.

Maximum query length is 4096.

Verify normalization is selected.

Block high bit characters is not selected.

Methods

Allow only specified methods:

GET

HEAD

POST

Extensions

Block specified extensions (allow all others):

.exe

.bat

.cmd

.com

.htw

.ida

.idq

.htr

.idc

.shtm

.shtml

.stm

.printer

.ini

.log

.pol

.dat

Headers

No changes from the default.

Signatures

(Request URL)

Block content containing these signatures

..

./

\

:

%

&

Tab

Parameter

You should create an HTTP policy based on your corporate policy and security needs. The policies provided here are baseline, example HTTP policies for Outlook Web Access, Outlook Mobile Access, Exchange ActiveSync, and RPC over HTTP.

General tab

Setting and rule Outlook Web Access Outlook Mobile Access Exchange ActiveSync RPC over HTTP

Maximum headers length

32768

32768

32768

32768

Maximum payload length

10485760

10485760

65536

Any

Maximum URL length

16384

319

1024

16384

Maximum query length

4096

13

512

4096

Verify normalization

Yes

Yes

Yes

Yes

Block high bit characters

No

Yes

Yes

Yes

Block responses containing Windows executable content

Yes (Note 1)

Yes

Yes

Yes

Methods tab

Setting and rule Outlook Web Access Outlook Mobile Access Exchange ActiveSync RPC over HTTP

Allow only specified methods

BCOPY

BDELETE

BMOVE

BPROPPATCH

DELETE

GET

MKCOL

MOVE

POLL

POST

PROPFIND

PROPPATCH

SEARCH

SUBSCRIBE

GET

HEAD

POST

OPTIONS

POST

RPC_IN_DATA

RPC_OUT_DATA

Extensions tab

Setting and rule Outlook Web Access Outlook Mobile Access Exchange ActiveSync RPC over HTTP

Action taken for file extensions

Block specified extensions (allow all others)

Allow only specified extensions

Allow only specified extensions

Allow only specified extensions

Extension list

.asax

.ascs

.bat

.cmd

.com

.config

.cs

.csproj

.dat

.dll (Note 2)

.exe (Note 1)

.htr

.htw

.ida

.idc

.idq

.ini

.licx

.log

.pdb

.pol

.printer

.resources

.resx

.shtm

.shtml

.stm

.vb

.vbproj

.vsdisco

.webinfo

.xsd

.xsx

. (dot)

.aspx

. (dot)

.dll

Block requests containing ambiguous extensions

No

Yes

Yes

Yes

Headers tab

Setting and rule Outlook Web Access Outlook Mobile Access Exchange ActiveSync RPC over HTTP

Blockedheaders

None

None

None

None

Signatures tab

Setting and rule Outlook Web Access Outlook Mobile Access Exchange ActiveSync RPC over HTTP

Blocked signatures:

Request URL

./

\

.. (Note 3)

% (Note 3)

& (Note 3)

./

\

..

%

&

:

./

\

..

%

:

./

\

..

%

&

Bb794796.note(en-us,TechNet.10).gifNote:
Blocking .exe file extensions and enabling Block responses containing Windows executable content for Outlook Web Access will block access to the S/MIME control. If the S/MIME control is required for Outlook Web Access on Exchange Server 2003, do not include .exe in the blocked extensions list or enable Block responses containing Windows executable content.
Bb794796.note(en-us,TechNet.10).gifNote:
Blocking .dll file extensions for Outlook Web Access will block access to the online spelling checker that is built into Outlook Web Access.
Bb794796.note(en-us,TechNet.10).gifNote:
Including the strings "..", "%", and "&" can prevent certain types of potential attacks but it will also reduce access to certain e-mail messages. An e-mail message subject line forms part of the URL to access the message and thus any e-mail message containing one of these characters will be blocked. A balance must be found between extra security and functionality. Do not include the ":" character in this list because this will block access to the majority of e-mail messages. Many message subject lines contains RE: and FW: if they are replies or forwards.
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft