ISA or TMG May See Certain URLs for a Published Webserver as a Cross Site Scripting (XSS) Attack

I wanted to call attention to a trend I have seen lately in some of the cases I have worked.

Symptom

External clients accessing a web server published through Internet Security and Acceleration (ISA) Server or Forefront Threat Management Gateway (TMG) may experience a 500 error under certain conditions.

The client browser will likely display an error with text similar to this:

HTTP/1.1 500 ( The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.) 12202

Conditions

1.) The web listener on ISA/TMG is using Forms Based Authentication (FBA).
2.) Live logging in ISA/TMG shows a Status: 12302 "The server denied the specified Uniform Resource Locator (URL)".
3.) The URL that the client is trying to access contains %0a or %0d. You can usually also see this in the live logging entry or you could use a tool such as HTTP Watch.

Workarounds

1.) Use something other than Forms based authentication on the listener.
2.) Contact the application vendor and let them know the URLs they are generating are being perceived as a Cross Site Scripting (XSS) attack by ISA/TMG. Many application vendors have fixed this in their product and will supply a hotfix.