Internet Explorer doesn't display ISA or TMG error message 502 when connecting to HTTPS servers

Hi there,

I would like to talk about an issue I dealt with recently regarding Internet Explorer and the display of TMG error messages.

The problem reported was that newer IE versions (8 and 9) did not display the regular TMG error page that is returned when an access rule allows only certain users and the current user is not one of them (Error Code: 502 Proxy Error. The Forefront TMG denied the specified Uniform Resource Locator (URL). (12202)). Instead, IE displayed its own "Page not found" error. That generated help desk calls, because users concluded from the displayed error that the target web site was unreachable, when the real problem was that they were not allowed to access it.

IE6 did not have this problem. We started by investigating from the TMG side, to make sure the behavior was not caused by the TMG server. After further troubleshooting (network traces), we found that TMG was sending the regular error page back to the client, but the IE client was not displaying it.
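The same check can be made from a client without a network trace. The following PowerShell function is an added example (not part of the original post): it sends a raw HTTP CONNECT request to the proxy, exactly as a browser does for an HTTPS URL, and returns whatever the proxy answers, so you can see the 502 page independently of what IE chooses to render. The proxy name, port and target host below are placeholders.

```powershell
# Added example, not from the original post. Sends a raw HTTP CONNECT request to a
# forward proxy and returns the proxy's answer unmodified, so you can see from the
# client whether the proxy is sending a 502 error page, with no browser involved.
# Proxy host/port and target below are placeholders; replace them with your own.
function Get-ProxyConnectResponse {
    param(
        [Parameter(Mandatory)] [string] $ProxyHost,
        [int] $ProxyPort = 8080,
        [Parameter(Mandatory)] [string] $Target,      # host:port, e.g. 'www.example.com:443'
        [int] $TimeoutMs = 5000
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $raw = ''
    try {
        $client.ReceiveTimeout = $TimeoutMs
        $client.Connect($ProxyHost, $ProxyPort)
        $stream = $client.GetStream()

        # The CONNECT request travels to the proxy in plaintext; TLS to the target
        # starts only after a 200 reply. Anything else the proxy returns here is
        # unencrypted, unauthenticated content, which is why IE no longer renders it.
        $request = "CONNECT $Target HTTP/1.1`r`nHost: $Target`r`n`r`n"
        $bytes   = [System.Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)

        $buffer = New-Object byte[] 65536
        $sb = New-Object System.Text.StringBuilder
        try {
            # Read until the proxy closes the connection (typical after an error
            # page) or until the receive timeout fires (typical after a 200, when
            # the proxy sits waiting for our TLS ClientHello).
            while (($read = $stream.Read($buffer, 0, $buffer.Length)) -gt 0) {
                [void]$sb.Append([System.Text.Encoding]::ASCII.GetString($buffer, 0, $read))
            }
        } catch [System.IO.IOException] {
            # Timeout: treat what was received so far as the complete response.
        }
        $raw = $sb.ToString()
    } finally {
        $client.Close()
    }

    # Split status line, headers and body at the first blank line.
    $headerEnd = $raw.IndexOf("`r`n`r`n")
    if ($headerEnd -lt 0) { $headerEnd = $raw.Length }
    $headLines = $raw.Substring(0, $headerEnd) -split "`r`n"
    $body = if ($raw.Length -gt $headerEnd + 4) { $raw.Substring($headerEnd + 4) } else { '' }

    [pscustomobject]@{
        StatusLine        = $headLines[0]
        Headers           = @($headLines | Select-Object -Skip 1)
        TunnelEstablished = [bool]($headLines[0] -match '^HTTP/1\.[01] 200 ')
        BodyLength        = $body.Length
        Body              = $body
    }
}

# Usage with a placeholder proxy name. For a user the TMG rule denies, StatusLine
# should show the 502 and Body should contain the TMG error page text (12202):
# Get-ProxyConnectResponse -ProxyHost 'tmg.corp.example' -Target 'www.example.com:443' |
#     Format-List StatusLine, TunnelEstablished, BodyLength
```

Note that this sends an anonymous CONNECT: a proxy that requires authentication will answer 407 first rather than evaluating the access rule, so run it as the denied user through a rule that applies to that user to reproduce the 502.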

We then focused on the IE side. After further investigation, I found that this is the expected default behavior for newer Internet Explorer versions (8 and 9; we have not tested 7, but this may apply to 7 as well), introduced for security reasons. An HTTPS request reaches the proxy as a plaintext CONNECT, so an error page the proxy returns in response to it (or that anyone on the network path can inject in the proxy's name) arrives unencrypted and unauthenticated; if the browser rendered that page as if it were the https:// site, attacker-controlled content and script would run in the secure site's origin. The paper below describes this class of attack, which IE is exposed to when it connects through a proxy:

Pretty-Bad-Proxy: An Overlooked Adversary in Browsers' HTTPS Deployments (Chen, Mao, Wang and Zhang, IEEE Symposium on Security and Privacy, 2009)

That said, there is a registry key (an IE feature control) that turns this protection off in newer IE versions. You can find below how to do this on the client machines; the general mechanism is documented here:

https://msdn.microsoft.com/en-us/library/ms537184(VS.85).aspx Introduction to Feature Controls

- On the client machine, create the following key (neither FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615 nor, on some machines, FeatureControl exists by default; create both as needed). HKEY_LOCAL_MACHINE applies to every user of the machine and requires administrative rights; HKEY_CURRENT_USER applies to the current user only:

HKEY_LOCAL_MACHINE (or HKEY_CURRENT_USER)\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615

- Under that key, add a value (this is a registry value, not a subkey; value names are not case-sensitive):

     Value name: iexplore.exe
     Type: REG_DWORD
     Data: 0x00000001

- Restart Internet Explorer for the change to take effect.
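The same change as a PowerShell script, added here as an example (it is not from the original post or from Microsoft). The key path and value name are the ones listed above; the function names, the -WhatIf dry run and the rollback function are this example's own additions.

```powershell
# Added example, not from the original post. Manages the IE feature control that
# re-enables rendering of proxy-generated error pages for HTTPS (CONNECT) requests.
# Key path and value name are the documented ones; the function names are ours.
$FeaturePath = 'SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615'

# Returns the current DWORD for iexplore.exe, or $null if the key or value is absent
# (absent = default = proxy error pages for HTTPS are not rendered).
function Get-FeatureShowFailedConnectContent {
    param([ValidateSet('HKLM', 'HKCU')] [string] $Hive = 'HKLM')
    $key = "${Hive}:\$FeaturePath"
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key -Name 'iexplore.exe' -ErrorAction SilentlyContinue).'iexplore.exe'
}

# Sets iexplore.exe = 1 (DWORD). Writing to HKLM requires an elevated shell;
# HKCU affects only the current user. Supports -WhatIf / -Confirm.
function Enable-FeatureShowFailedConnectContent {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet('HKLM', 'HKCU')] [string] $Hive = 'HKLM')
    $key = "${Hive}:\$FeaturePath"
    if ($PSCmdlet.ShouldProcess($key, 'Set iexplore.exe = 1 (REG_DWORD)')) {
        # New-Item -Force creates FeatureControl and the FEATURE_ subkey together.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'iexplore.exe' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Removes the value again, restoring IE's default (secure) behavior.
function Disable-FeatureShowFailedConnectContent {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateSet('HKLM', 'HKCU')] [string] $Hive = 'HKLM')
    $key = "${Hive}:\$FeaturePath"
    if ((Test-Path $key) -and $PSCmdlet.ShouldProcess($key, 'Remove iexplore.exe value')) {
        Remove-ItemProperty -Path $key -Name 'iexplore.exe' -ErrorAction SilentlyContinue
    }
}

# Typical flow: dry run, apply, verify, and roll back when no longer needed.
# Enable-FeatureShowFailedConnectContent -Hive HKLM -WhatIf
# Enable-FeatureShowFailedConnectContent -Hive HKLM
# Get-FeatureShowFailedConnectContent -Hive HKLM      # expect 1
# Disable-FeatureShowFailedConnectContent -Hive HKLM  # back to the default
```

Restart Internet Explorer after running Enable or Disable; the feature control is read when the process starts.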

You can also find more information under Event 1065 - Web Proxy Error Handling Changes at https://msdn.microsoft.com/en-us/library/dd565641(VS.85).aspx#eventLog

I would like to re-emphasize that, from a security perspective, this normally should not be turned off, so if you implement it, you do so at your own risk.

Hope this helps

Thanks,

Murat