INFO: Modify Outgoing Data in a Web Filter for the ISA (297688)

MORE INFORMATION

The technique that is described in the "Summary" section is demonstrated in the WebResponseModifier sample Web filter that was included with the ISA software development kit (SDK).

NOTE: You cannot modify outgoing data for the Secure Sockets Layer (SSL) connection when the client sends a request for an HTTPS URL because any modification of encrypted data by the filter renders SSL encrypted data unusable.

Because of this fact, you must make sure that the filter is not handling HTTPS requests. To do this, two conditions must be met.

• Do not use SF_NOTIFY_SECURE_PORT flag in dwFlags of the HTTP_FILTER_VERSION structure. This prevents the filter from being invoked for SSL requests when ISA is using SSL Bridging.
• When ISA is using SSL Tunneling, HTTPS requests sent by the browser are handled like ordinary HTTP requests by the ISA. This causes the filter to be invoked, even if the earlier condition is met.
  
  To handle such a case, the filter must determine if the verb of the request is CONNECT. A CONNECT request indicates that the client sends an SSL request. You can use the following code to determine this:

CHAR szChar [256];
DWORD dwError, dwSize = sizeof (szChar);
if ( !pfc->GetServerVariable (pfc, "REQUEST_METHOD", szChar, &dwSize))
{
   dwError = GetLastError();
   wsprintf (szChar, "GetServerVariable failed: %d\n", dwError);
   OutputDebugString (szChar);
   SetLastError(dwError);
   return SF_STATUS_REQ_ERROR;
}

if (!strcmp (szChar, "CONNECT") )
{
   // We are handling the SSL request.
   // Add code here to disable all the notifications
   // for this request and to stop any more processing.
}