Typical HTTP Policies for Web and Outlook Web Access Publishing Rules
If you do not want to create your own HTTP policy, start with these baseline HTTP policies for Web and Exchange Web client access publishing, and modify them to match your corporate policy.
If you do not want to configure these policies through the ISA Server user interface (UI), the Extensible Markup Language (XML) document and instructions for importing each of the policies are provided in Appendix A: Importing Typical HTTP Policies for Web and Outlook Web Access Publishing Rules.
Baseline Web Publishing HTTP Policy
For Web publishing, create an HTTP policy with the parameters shown in this table.
| Tab | Parameter |
|---|---|
General |
Maximum headers length is 32768. Allow any payload length is selected. Maximum URL length is 260. Maximum query length is 4096. Verify normalization is selected. Block high bit characters is not selected. |
Methods |
Allow only specified methods: GET HEAD POST |
Extensions |
Block specified extensions (allow all others): .exe .bat .cmd .com .htw .ida .idq .htr .idc .shtm .shtml .stm .printer .ini .log .pol .dat |
Headers |
No changes from the default. |
Signatures (Request URL) |
Block content containing these signatures .. ./ \ : % & |
Tab |
Parameter |
Baseline Exchange Web Client Access Publishing HTTP Policy
You should create an HTTP policy based on your corporate policy and security needs. The policies provided here are baseline, example HTTP policies for Outlook Web Access, Outlook Mobile Access, Exchange ActiveSync, and RPC over HTTP.
General tab
| Setting and rule | Outlook Web Access | Outlook Mobile Access | Exchange ActiveSync | RPC over HTTP |
|---|---|---|---|---|
Maximum headers length |
32768 |
32768 |
32768 |
32768 |
Maximum payload length |
10485760 |
10485760 |
65536 |
Any |
Maximum URL length |
16384 |
319 |
1024 |
16384 |
Maximum query length |
4096 |
13 |
512 |
4096 |
Verify normalization |
Yes |
Yes |
Yes |
Yes |
Block high bit characters |
No |
Yes |
Yes |
Yes |
Block responses containing Windows executable content |
Yes (Note 1) |
Yes |
Yes |
Yes |
Methods tab
| Setting and rule | Outlook Web Access | Outlook Mobile Access | Exchange ActiveSync | RPC over HTTP |
|---|---|---|---|---|
Allow only specified methods |
BCOPY BDELETE BMOVE BPROPPATCH DELETE GET MKCOL MOVE POLL POST PROPFIND PROPPATCH SEARCH SUBSCRIBE |
GET HEAD POST |
OPTIONS POST |
RPC_IN_DATA RPC_OUT_DATA |
Extensions tab
| Setting and rule | Outlook Web Access | Outlook Mobile Access | Exchange ActiveSync | RPC over HTTP |
|---|---|---|---|---|
Action taken for file extensions |
Block specified extensions (allow all others) |
Allow only specified extensions |
Allow only specified extensions |
Allow only specified extensions |
Extension list |
.asax .ascs .bat .cmd .com .config .cs .csproj .dat .dll (Note 2) .exe (Note 1) .htr .htw .ida .idc .idq .ini .licx .log .pdb .pol .printer .resources .resx .shtm .shtml .stm .vb .vbproj .vsdisco .webinfo .xsd .xsx |
. (dot) .aspx |
. (dot) |
.dll |
Block requests containing ambiguous extensions |
No |
Yes |
Yes |
Yes |
Headers tab
| Setting and rule | Outlook Web Access | Outlook Mobile Access | Exchange ActiveSync | RPC over HTTP |
|---|---|---|---|---|
Blockedheaders |
None |
None |
None |
None |
Signatures tab
| Setting and rule | Outlook Web Access | Outlook Mobile Access | Exchange ActiveSync | RPC over HTTP |
|---|---|---|---|---|
Blocked signatures: Request URL |
./ \ .. (Note 3) % (Note 3) & (Note 3) |
./ \ .. % & : |
./ \ .. % : |
./ \ .. % & |
Note
Blocking .exe file extensions and enabling Block responses containing Windows executable content for Outlook Web Access will block access to the S/MIME control. If the S/MIME control is required for Outlook Web Access on Exchange Server 2003, do not include .exe in the blocked extensions list or enable Block responses containing Windows executable content.
Note
Blocking .dll file extensions for Outlook Web Access will block access to the online spelling checker that is built into Outlook Web Access.
Note
Including the strings "..", "%", and "&" can prevent certain types of potential attacks but it will also reduce access to certain e-mail messages. An e-mail message subject line forms part of the URL to access the message and thus any e-mail message containing one of these characters will be blocked. A balance must be found between extra security and functionality. Do not include the ":" character in this list because this will block access to the majority of e-mail messages. Many message subject lines contains RE: and FW: if they are replies or forwards.