Monday, September 06, 2010


ASP.NET Custom Errors Do Not Work Correctly with ISA Web Publishing

Background

Good exception handling has always been difficult to achieve and maintain in software development, and unhandled exceptions might not always be secure. In Microsoft .NET Framework-based applications, the common language runtime (CLR) catches any thrown exceptions that are not manually caught by your application's code. ASP.NET, which is built on top of the .NET Framework, takes advantage of this behavior to display any unhandled exceptions to the end user.

 

ASP.NET Custom Errors

ASP.NET introduces Custom Errors, a technique that allows you to determine whether unhandled exceptions should be displayed in the browser for users, or whether users should be redirected to or presented with a page that contains a more secure, user-friendly error message. Custom Errors can be configured in the <customErrors> section of the Web.config file. The <customErrors> element has a single required attribute, named mode, that identifies how unhandled exceptions should be presented to the user. This attribute can be set to one of the following three values:

  • On
    This value indicates that users should be presented with customized error messages when unhandled exceptions are thrown.
  • Off
    This value indicates that the detailed message of the unhandled exception should be displayed to the user.
  • RemoteOnly
    This value is equivalent to On when an ASP.NET application is accessed remotely and Off when an ASP.NET application is accessed locally.

Internet Security and Acceleration (ISA) Server

ISA Server is a platform that provides firewall and Web proxy services for an enterprise. Web publishing rules can be configured to determine how requests to an ASP.NET Web application should be handled. For example, you can configure a Web publishing rule to redirect all requests for a specific URL to a dedicated Web server. ISA Server changes the client's Internet Protocol (IP) address to the IP address of the ISA Server computer. Thus, you can configure the Web server to accept only requests from the ISA Server computer.

 

The Problem

The problem with Custom Errors arises when Web publishing rules are configured to redirect requests for a URL to the same server (that is, the ISA Server computer is also the Web server). The IP address associated with the client request is then the same as the Web server's IP address, so setting the mode attribute of the <customErrors> element to RemoteOnly has no effect: ASP.NET treats the request as coming from the local computer, which is technically the case. This can compromise security through information disclosure, because unhandled error messages can reveal too much information. The best solution is to set the mode attribute of the <customErrors> element to On when the ISA Server computer is also the Web server.
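The check below is an added example, not part of the original article: a Python audit of a Web.config that reports the effective <customErrors> mode for the root and for each <location> override, and flags RemoteOnly when the publishing proxy runs on the same host. The sample configs, the `proxy_on_same_host` flag and the function names are constructed for illustration; treating a missing setting as RemoteOnly reflects ASP.NET's default.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config files for illustration (not from the article).
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
  </system.web>
  <location path="admin">
    <system.web><customErrors mode="Off" /></system.web>
  </location>
</configuration>"""

FIXED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>"""

DEFAULT_MODE = "RemoteOnly"  # what ASP.NET applies when nothing is configured


def verdict(mode, proxy_on_same_host):
    """Classify one mode value; proxy_on_same_host is the article's scenario."""
    if mode == "On":
        return "ok"
    if mode == "Off":
        return "detailed errors shown to every user"
    if mode == "RemoteOnly":
        if proxy_on_same_host:
            return "detailed errors shown: proxied requests appear local"
        return "ok for remote users"
    return "unrecognized mode"


def audit_custom_errors(web_config_xml, proxy_on_same_host):
    """Return (scope, mode, verdict) for the root and each <location> override."""
    root = ET.fromstring(web_config_xml)
    for el in root.iter():  # ignore an xmlns on <configuration>, if present
        el.tag = el.tag.split("}")[-1]
    scopes = [("(root)", root)] + [
        (loc.get("path", "(all)"), loc) for loc in root.findall("location")]
    findings = []
    for scope, node in scopes:
        elem = node.find("system.web/customErrors")
        if elem is None and scope != "(root)":
            continue  # this <location> inherits the root setting
        mode = DEFAULT_MODE if elem is None else elem.get("mode", DEFAULT_MODE)
        findings.append((scope, mode, verdict(mode, proxy_on_same_host)))
    return findings
```

Run it with `proxy_on_same_host=True` for any site published by an ISA Server on the same machine; any finding other than "ok" means exception details can reach external users.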

 

Conclusion

Custom Errors in ASP.NET increase security by helping to eliminate the possibility of information leaking when an unhandled exception's error message reveals too much information. You should use this feature judiciously and be extra cautious in a single-server scenario.


© 2000 - 2010 BLUEVISION LLC. ALL RIGHTS RESERVED.