from the following post. Note that Google is currently making some changes
/browse_thread/thread/65c5ba04090210b4/80dcec944fcc2c0c?q=hilmo+verifynormalization&_done=%2Fgroups%3Fq%3Dhilmo+verifynormalization%26hl%3Den%26btnG%3DGoogle+Search%26&_doneTitle=Back+to+Search&&d#80dcec944fcc2c0c
-Wade A. Hilmo,
"Miha Pihler" <mihap-news@atlantis.si> wrote in message
news:elWXDwx2EHA.2608@TK2MSFTNGP10.phx.gbl...
> http://support.microsoft.com/default.aspx?scid=kb;en-us;823175
>
> Mike
>
> "Richard" <Richard@discussions.microsoft.com> wrote in message
> news:77FC5B55-D847-4EEA-BC3B-10833421206E@microsoft.com...
> > Mike,
> >
> > I appreciate you narrowing down to exactly what I need.
> > I didn't quite understand though what Microsoft is quite specific on, when
> > it comes to + (do you have any article)?
> >
> > Also I need the webpage or MS article number where you took "NOTE"
> > excerpts from, to show my managers to get approval to put
> > "VerifyNormalization" as 0
> >
> > Thanks again for your help!
> >
> > "Miha Pihler" wrote:
> >
> >> Microsoft is quite specific when it comes to + sign:
> >>
> >> **************************************
> >> ; NOTE: Customers with Exchange 2003 running on Windows Server 2003 with URLScan installed may need to modify the "VerifyNormalization=1"
> >> ; option in this template to be "VerifyNormalization=0" if they encounter a "404" error when attempting to open messages or items that contain
> >> ; the "+" symbol in the subject or name.
> >> **************************************
> >>
> >> Mike
> >>
> >> "Richard" <Richard@discussions.microsoft.com> wrote in message
> >> news:8AEA87B4-AF44-4544-9861-D21808B7015A@microsoft.com...
> >> > Thanks Mike.
> >> >
> >> > I have looked at all forums and MS articles before I posted this
> >> > msg about 'if it's safe to turn off normalization in SSL environments'.
> >> >
> >> > There is no way I can turn off "+" in 'denyurlsequences' without
> >> > turning off normalizebeforeurlscan. It's because urlscan looks at
> >> > 'denyurlsequences' AFTER it normalizes. So I want some input to see if
> >> > I can turn off normalization, particularly in SSL environments where
> >> > it's comparatively safer and no attacker logs in without SSL
> >> > authentication.
> >> >
> >> > The article you mentioned has only 'allowverbs' section of urlscan.ini
> >> > for exchange owa.
> >> >
> >> > I tried all the templates that have 'denyurlsequences', which looks like:
> >> > [DenyUrlSequences]
> >> > .. ; Do not permit directory traversals.
> >> > ./ ; Do not permit trailing dot on a directory name.
> >> > \ ; Do not permit backslashes in URL.
> >> > % ; Do not permit escaping after normalization.
> >> > & ; Do not permit multiple Common Gateway Interface processes to run on a single request.
> >> >
> >> > BUT believe this does NOT help me ALLOW "+" characters so long
> >> > normalization turned off.
> >> >
> >> > It seems there is no solution to unblock + character. :-(
> >> >
> >> > "Miha Pihler" wrote:
> >> >
> >> >> Hi Richard,
> >> >>
> >> >> Microsoft has a few articles on applying URLScan to Exchange server
> >> >> that should help you out.
> >> >>
> >> >> Fine-tuning and known issues when you use the Urlscan utility in an
> >> >> Exchange 2003 environment
> >> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;823175
> >> >> (this article includes sample of URLScan.ini file that works with OWA)
> >> >>
> >> >> The URLScan tool may cause problems in Outlook Web Access
> >> >> http://support.microsoft.com/kb/325965
> >> >>
> >> >> I hope this helps,
> >> >>
> >> >> Mike
> >> >>
> >> >> "Richard" <Richard@discussions.microsoft.com> wrote in message
> >> >> news:606EA1D8-69D7-4414-B2BF-145F38F6FF8B@microsoft.com...
> >> >> > Our OWA front end servers that are in DMZ have Verisign certificates
> >> >> > and users login using only SSL authentication.
> >> >> >
> >> >> > In this situation can we safely have normalizeUrlBeforeScan=0 since
> >> >> > no other attacker could login to OWA server to view the URL of our
> >> >> > domain/directories.
> >> >> > Of course one within organization can be an attacker, but with IP
> >> >> > address we can catch him.
> >> >> >
> >> >> > I'm new to this URLscan concept and all I need is to unblock + so
> >> >> > users can read emails with + in subject field.
> >> >> >
> >> >> > I've been trying to resolve this for a couple of days and so far I
> >> >> > have yet to receive some help.
> >> >> >
> >> >> > Thanks for your input in advance.