MOSS 2007 publishing - request failed because of HEAD method

  • Question

  • I'm working on a SharePoint 2007 based portal, published through UAG 2010 (Update 2).

    A short time ago, a small number of users had difficulty accessing the portal (after connecting, the next page never displays...)

    The only abnormal thing that we found in the Web Monitor logs was this: A request from source IP address x.x.x.x on trunk entabc; Secure=1 for application NetApp of type SharePoint2007AAM failed because the  method used HEAD is not valid for requested URL /.


    To resolve this, we plan to enable the HEAD method for the rule that corresponds to this URL "/" (this is the "Sharepoint2007AAM_Rule47" rule).

    But doing this raises some questions about its consequences for security: in principle, enabling an HTTP verb which is disabled in the default SharePoint 2007 UAG rules might be dangerous for platform security, because if SharePoint doesn't support this HTTP method, it could behave unexpectedly when receiving this kind of request.

    So my questions are:

    • Is it the best corrective solution?
    • Can we safely enable the HEAD method for this UAG rule, without increasing platform vulnerabilities?
    • Could this kind of change have an impact on portal security?

     

    Monday, March 7, 2011 4:03 PM

Answers

  • I can't really answer that with any real confidence, so I won't :)

    However thinking laterally, when SharePoint is published via TMG there are (by default) no controls on HTTP verb usage...so even by adding HEAD to the UAG ruleset, you are still in a better place than people securing SharePoint with TMG, which is also a recommended solution for protecting SharePoint...

    The fact that the UAG ruleset doesn't include it makes me think it is not an expected HTTP verb when using SharePoint, so maybe something is going wrong within SharePoint or the client?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by rgt54 Tuesday, March 8, 2011 1:37 PM
    Tuesday, March 8, 2011 1:27 PM
    Moderator

All replies

  • Sounds like you have conflicting applications - does the "NetApp" application use the same destination server as SharePoint? What order are NetApp and SharePoint applications listed in the UAG application list?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, March 7, 2011 5:20 PM
    Moderator
  • Thanks for your answer.

    It wasn't clear in my explanation, but in fact, "NetApp" is the name of the customized MOSS 2007 portal, and not the name of another published application.

    Tuesday, March 8, 2011 8:56 AM
  • Ah ok, sorry.

    Before doing too much investigation, it may be worth upgrading to UAG SP1...

    I don't see why you need to add the HEAD verb to the rules - is this a customised SharePoint deployment?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, March 8, 2011 10:29 AM
    Moderator
  • In fact, we've had some users that randomly have access problems to the portal, with pages that never display.

    And each time, the only error that I've found in the Web Monitor log when this problem occurs was this alert: A request from source IP address x.x.x.x on trunk entabc; Secure=1 for application NetApp of type SharePoint2007AAM failed because the  method used HEAD is not valid for requested URL /.


    That's why we considered activating this HTTP verb on this URL to prevent this problem from occurring again.

    But the question that I'd like to be answered before doing this in a production context is the possible impact in terms of safety (risk of potential attacks if the HEAD verb isn't supported by SharePoint, for example).

     

    Edit: our application is a standard SharePoint application, with customized design and some supplementary specialized modules.

    Tuesday, March 8, 2011 12:44 PM
  • Hi,

    I am having a similar issue.

    I use SharePoint 2010, published through UAG. This has been working fine for some time, but recently I upgraded UAG to SP1.

    Now my Windows Phone 7 won't connect to sites from the SharePoint mobile workspace in the Office hub. I get an error saying "cant open", "we can only open sharepoint sites, you can try opening the content in your browser instead". The content opens fine in the browser.

    On investigating the problem, I found this in the UAG server event logs:

    A request from source IP address **.**.**.**, user  on trunk sharepoint; Secure=1 for application InternalSharePoint of type SharePoint14AAM failed because the  method used HEAD is not valid for requested URL /.

    Any suggestions on how to fix this?

    Thanks

    Craig.

    Monday, March 19, 2012 6:18 PM
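
Added example, not part of the original thread and not a UAG tool: before relaxing a URL rule, it helps to know how many distinct clients trigger the rejection and for which application and URL. The Python below parses the message format quoted in both posts; the function name, the sample lines and their IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Message format as quoted in the thread; ", user <name>" occurs only in the
# second poster's variant, and the run of spaces before "method" varies.
REJECT_RE = re.compile(
    r"A request from source IP address (?P<src>\S+?)(?:, user\s*(?P<user>[^;]*?))?"
    r"\s+on trunk (?P<trunk>[^;]+); Secure=(?P<secure>\d)"
    r" for application (?P<app>.+?) of type (?P<type>\S+)"
    r" failed because the\s+method used (?P<method>[A-Z]+)"
    r" is not valid for requested URL (?P<url>\S+?)\.?\s*$"
)

# Constructed sample lines (documentation-range IPs), not real log data.
_V1 = ("A request from source IP address {} on trunk entabc; Secure=1 for "
       "application NetApp of type SharePoint2007AAM failed because the  method "
       "used HEAD is not valid for requested URL /.")
SAMPLE_LOG = [
    _V1.format("192.0.2.10"), _V1.format("192.0.2.10"), _V1.format("192.0.2.11"),
    "A request from source IP address 198.51.100.7, user  on trunk sharepoint; "
    "Secure=1 for application InternalSharePoint of type SharePoint14AAM failed "
    "because the  method used HEAD is not valid for requested URL /.",
    "Session started for user on trunk entabc.",  # unrelated line, ignored
]


def summarize_rejections(lines):
    """Group method rejections by (trunk, application, type, method, URL).

    Returns {key: {"count": int, "sources": set of source IPs}}.
    """
    groups = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in lines:
        m = REJECT_RE.search(line)
        if m is None:
            continue  # not a method-rejection message
        key = (m["trunk"], m["app"], m["type"], m["method"], m["url"])
        groups[key]["count"] += 1
        groups[key]["sources"].add(m["src"])
    return dict(groups)


if __name__ == "__main__":
    for key, info in sorted(summarize_rejections(SAMPLE_LOG).items()):
        trunk, app, app_type, method, url = key
        print(f"{method} {url} on {trunk}/{app} ({app_type}): "
              f"{info['count']} rejections from {len(info['sources'])} source(s)")
```

Rejections that come from only a few sources point at specific clients, which is the case the moderator raises when suggesting the client may be at fault.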