Security update MS05-034 might break outbound Web access on ISA Server 2000
By Stefaan Pouseele
Last Update: 21/07/2005
After applying the Microsoft Internet Security and Acceleration (ISA) Server 2000 Cumulative Security Update (version 1200.430, published on 14/6/2005), internal users might be unable to get outbound Web access. Instead, they receive the following error message from the ISA server:
HTTP 502 Proxy Error - The ISA Server requires a secure channel connection to fulfill the request. ISA Server is configured to respond to outgoing secure (that is, Secure Sockets Layer (SSL)) channel requests. (12211) Internet Security and Acceleration Server.
The problem seems to be caused by the fix described in the KB article "Basic Credentials May be Sent over an External HTTP Connection When SSL is Required". Although this fix should only change the default behavior on the Inbound Web Request listener, apparently it also changes the default behavior on the Outgoing Web Request listener.
Therefore, if you need Basic Authentication on the Outgoing Web Request listener, add the following registry value to roll back that "fix" (as the value name indicates, this again allows Basic authentication to be requested over a non-secure connection):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3Proxy\Parameters\AllowAskBasicAuthOverNonSecureConnection : DWORD : 1
Microsoft is currently trying to gather numbers to understand the impact of this issue, so if you have customers with this complaint, please call Microsoft PSS.
Update July 21, 2005
To correct the above problem, a hotfix is now available. Also, a new KB article, 903236, describing the problem and solution should be live within a few days.