M100691: How to: Configure URLScan for ManageSoft

This article explains how to configure URLScan for IIS so that ManageSoft can download and upload requests through HTTP.

URLScan is a Microsoft Security tool which restricts the type of HTTP requests that IIS will process. URLScan is used primarily to help prevent harmful and dangerous requests from reaching a server and is available as part of the IISLockdown.exe. URLScan consists of 2 basic files - URLScan.dll and URLScan.ini and is installed into directory%windir%\system32\inetsrv\urlscan.

How can you tell if URLScan is in use?

On viewing the IIS logs on your web server you may see a message like this:

2005-06-141 00:56:54 10.1.1.208 - W3SVC1 COBALT 10.1.1.156 80 GET /<Rejected-By-UrlScan>~/ManageSoftDL/Policies/Merged/test.mgsft.com_domain/Machine/ZINC.npl 404 123 HTTP/1.0 cobalt.test.mgsft.com ManageSoft/6.9+(Windows+NT4/2000/XP)

When URLScan is in use the IIS log files will always have a message <Rejected-By-UrlScan> if there is any HTTP request which violates the URLScan configuration.

URLScan.ini

URLScan.ini can be modified to suit a particular environment. The file contains the following sections:

  • [Options] - This section describes general URLScan options
  • [RequestLimits] - Imposes limits on the length of allowed parts of requests reaching the server
  • [AllowVerbs] and [DenyVerbs] - These sections define the verbs (also known as HTTP methods) that URLScan permits
  • [DenyHeaders] - This section lists HTTP headers that are not permitted in an HTTP request. If a HTTP request contains one of the HTTP headers that are listed in this section, URLScan rejects the request.
  • [AllowExtensions] and [DenyExtensions] - These sections define the file name extensions that URLScan permits or denies
  • [DenyURLSequences] - This section lists strings that are not permitted in an HTTP request. URLScan rejects HTTP requests that contain a string that appears in this section.
 

To configure URLScan.ini to work with ManageSoft, use the urlscan.ini file attached to this knowledge base article.

  1. Download urlscan.ini file and copy it to %windir%\system32\inetsrv\urlscan (default location for URLScan).
    It is important that this file is located in the same directory as the urlscan.dll file. If urlscan.dll is not present, then please locate this DLL and replace the urlscan.ini file in the directory where you found urlscan.dll.
  2. Go to the services snap-in, stop and then start the IIS Admin Service.

Validation

The managed device or distribution server should be able to upload and download relevant ManageSoft data.

Further Troubleshooting

If you are still having problems getting URLScan and ManageSoft to work in your environment, please send the following to support for review:

  1. A copy of your IIS log, showing the URLScan rejection. As part of your IIS logging ensure that the following minimum Advanced properties are being tracked:
    • Protocol status
    • Protocol substatus
    • Win32 Status.
  2. A copy of the URLScan.ini file from %windir%\system32\inetsrv\urlscan.

Other references

The following articles are available on the Microsoft web site:
  1. Using URLScan on IIS
  2. How to configure the URLScan Tool
 

Comments

Powered by Zendesk