Phoning Pretty

Adventures in Unified Communications

Microsoft ISA 2006

Recently we picked up a big project in the Platform team. We were all excited about it, and pretty soon we were all working hard at making it a success. One of the things that was a little bit broken was that we were trying to come up with a good way to make files available to customers and team members who were not local. Sure, the team members could VPN in, but the customers couldn't. We looked at a couple of solutions like Microsoft Groove and publishing a SharePoint site, but everything seemed to have a problem or issue that we really didn't like. What we ended up deciding on as a solution was using our existing TeamPlain Web Access for Team System. We had used that solution before to give access to another client to access the bug tracking list for a code project and everyone seemed to be happy with how it turned out.

Projects were created, permissions assigned, and then the fun started.

It seemed that people were able to log into the system and navigate with no problem, but they couldn't download any of the files. I looked into TFS and TeamPlain and I couldn't find anything that would prevent this issue. Looking at the error that was coming up on the client, I thought that it looked a lot like an error tossed out by ISA 2006.

Error Code: 500 Internal Server Error. The request was rejected by the HTTP Security filter. Contact your ISA Server administrator. (12217)

After some googling, I found that this error is often seen in OWA implementations behind ISA 2006 and there is an option in the HTTP configuration on the publishing rule in ISA that you can set to prevent this error. I whipped open the ISA Server Management tool and started right-clicking. The only problem was that the "Configure HTTP" option that should have been there on that rule was missing. When I opened up the rule, on the "Traffic" tab, I should have been able to click the "Filtering" button and get to the same setting (which the fix is, for the impatient, turning OFF the "Verify normalization" and "Block high bit characters"). This was something of a big problem since without that switch, I wouldn't be able to share these files in the way that we had decided.

Sidenote:
The problem with the file download, at its root, seems to be that the title of the file has some extra characters in it. What is supposed to be a %20 in the URL gets converted to %2520 and ISA chokes on this and says, "Not YOURS, no file for YOU." As you can guess, this is a pretty big problem when trying to use the system to deliver documents and foster collaboration.
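A simplified model of the two HTTP filter checks named above, added here as an illustration (it is not ISA Server code and not part of the original post). It assumes "Verify normalization" rejects a URL whose second percent-decoding pass differs from the first, and that "Block high bit characters" rejects any decoded character above 0x7F; the sample paths are constructed.

```python
from urllib.parse import unquote


def normalize_once(path: str) -> str:
    """One percent-decoding pass; latin-1 maps each %XX byte to one character."""
    return unquote(path, encoding="latin-1")


def verify_normalization(path: str) -> bool:
    """True when a second decoding pass changes nothing (not double-encoded)."""
    first = normalize_once(path)
    return normalize_once(first) == first


def has_high_bit(path: str) -> bool:
    """True when the decoded path holds any character above 0x7F."""
    return any(ord(ch) > 0x7F for ch in normalize_once(path))


def filter_decision(path: str, check_normalization: bool = True,
                    block_high_bit: bool = True) -> str:
    """Model of the filter verdict for one request path."""
    if check_normalization and not verify_normalization(path):
        return "reject: normalization"
    if block_high_bit and has_high_bit(path):
        return "reject: high-bit"
    return "allow"


if __name__ == "__main__":
    # Constructed sample paths (hypothetical, not real TeamPlain URLs).
    samples = [
        "/files/Project%20Plan.doc",    # space encoded once
        "/files/Project%2520Plan.doc",  # the % itself re-encoded as %25
        "/files/Caf%C3%A9.doc",         # UTF-8 bytes above 0x7F
        "/files/100%25.doc",            # literal percent sign, encoded once
    ]
    for p in samples:
        print(f"{p:32} default: {filter_decision(p):24}"
              f" both off: {filter_decision(p, False, False)}")
```

With both settings off, the double-encoded path passes the filter unchanged, so the published web server becomes the only place where such URLs are decoded and validated.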

Back to ISA 2006. It didn't work. Now, I had been unhappy with our ISA server for quite a while. It never got patched right, and all sorts of odd things have happened with it. I couldn't troubleshoot it, since it was a production system, so I did the second best thing, I built a new one. I lovingly patched it, and coddled it and configured it the best I was able. The neat thing was that I created a bunch of test rules, and they DID have the options that I needed to configure. The final step was to import the rules from the old ISA server. Oddly, when I imported them, the RULE WAS BROKEN on the NEW server. After much swearing, I wiped ISA from the box and started over. This time, at the suggestion of our Head of IT, I took an exported set of the rules from the old (BAD) server and imported them into the (NEW) server AFTER making a backup of the rules that worked. This time, when I imported the rules from the old server, everything WORKED.

I've been working with Microsoft products for a number of years, and this kind of behavior is quite common. I remember installing Windows 2000 Professional on the same hardware a couple of different times and getting different configurations each time. I wasn't surprised, but I was just glad that it worked. After some more configuration, I thought that I had everything the same as the existing firewall, and after some convincing of the Head of IT, at 6:00PM we switched over to the new system. The only problem that I was able to find was this morning, VPN was broken and one of the sites (http://getsharp.3sharp.com) was unreachable.

Now, I don't have VPN totally ironed out (I just switched us back to PPTP which is FINE when you are using strong passwords, which we are), but it looks like everything is doing well. Just because I am so happy about these, I will now list the things that used to be broken that now work:

  • Pandora Internet radio.
  • Performance Monitor on the ISA machine
  • Updates and patches on the ISA machine
  • File transfers using the TeamPlain web access

So, next on my list of things to do is building a new Edge server for our OCS deployment. We have been having some issues with this and it's due to us running out of IP addresses. I just got 13 more, and I'm totally pumped about the stuff we'll be able to publish with them!

posted on Thursday, August 14, 2008 4:01 PM | Filed Under [ IT Work Windows Server Platform Team ]

Feedback


# re: Microsoft ISA 2006

I am having this same issue of the %20 being converted to %2520. I did not see a resolution here. Did you solve this problem?
9/4/2008 10:28 AM | Rich Koneval

# re: Microsoft ISA 2006

(which the fix is, for the impatient, turning OFF the "Verify normalization" and "Block high bit characters").
9/12/2008 2:48 PM | Tim Robichaux
