If I goto a machine with a dialup connection and try to access the internal web server by typing the ISA server external IP address, I get same problem

HTH,

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

quote:

---

Originally posted by tshinder:
If you are trying to access a web site while using the Browser *on the ISA Server*, you need to create a static packet filter that allows outbound port 80 to all computer, or configure the Browser as a Web Proxy client, configuring it with the IP address of the *internal* interface of the ISA Server.

HTH,

Tom

---

In my case, on a client CP (W2KPro) with Firewall Client installed, if I uncheck "use a proxy server" any HTTP request returns the stated "12202" error message.

Turning on "use a proxy" pointed to the ISA server works, but there are some cases where I need it to be a straight-connection and not the proxy.

BTW, in this same circumstance, other protocols (FTP, etc.) are working fine via the firewall client.

Using Network Monitor (does MS plan to offer an update of NetMon that recognizes RWSP packets instead of calling them "unknown"?), I can see the RWSP packets going to the ISA server, and it replies with the Forbidden message.

Thanks,
Bobby

------------------
Thx a mill
-George

If this is the case, check out how the HTTP Redirector filter is configured. Make sure that it is enabled and that it is sending requests to the Web Proxy Service.

Another thing to check out is the configuration of the Outbound Web Requests Listener. Make sure that authentication is forced for Web Proxy requests.

HTH,
Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

For the outbound listener, I have both Basic and Integrated authentication checked.

------------------
Thx a mill
-George

The HTTP Redirector filter is set to its default (HTTP request sent to Web Proxy Service).

Outgoing Web Requests is currently configured for "use the same listener configuration for all internal IP addresses", with TCP port 8080.

------------------
Thx a mill
-George

I just thought of another reason why when using the Web Proxy client it works, but when using the SNAT client it doesn't work.

Web Proxy clients have the ISA Serve resolve the address for them. But SNAT clients need to be configured with a DNS Server that can resolve internet names.

So, check out the DNS configuration and see if that helps.

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

It still does not ever ask for an auth for the web proxy, although I see in the Firewall log the request was accepted.

BTW, the DNS servers for these clients are the same as for our production MS Proxy 2.0 boxes we're working on upgrading, so I know they're getting good DNS.

Thanks,
Bobby

Basically, if you are asking everyone to authenticate, AND you are redirecting the requests from the firewall service to the web service, ISA sends that request as anonymous, and you get the error you describe.

To fix this I changed the redirector to send the request directly to the web site (you lose caching for firewall clients with this unfortunately).

hope that helps

Thanks for the reply. I guess I'm doomed to not cache Firewall Client HTTP requests...

I have solved the HTTP Redirector (Transparent Proxying) problems I was having myself. With some help of Tom and the replies above.

My configuration is now:

- The HTTP Redirector is setup to redirect al requests to local web proxy service (this is under Extensions -> Application Filters)

- Make a new Protocol Rule. Action=allow, Protocol=http, Schedule=always, Appliesto=My Local Intranet (or set it to 'Any Request'). (This is under Access Policy -> Protocol Rules)

- Make sure the standard 'Site and Content' Rule is in place : General:Enable, Destination:All destinations, Schedule:Always, Action:Allowed, Appliesto:Any Request, HTTP Content:All Content Groups. (This is under Access Policy -> Site and Content Rules)

and last but not least!:

- On the tab 'Outgoing Web Requests' do -not- use 'Ask unauthenticated users for identification'. Why not? When you use the HTTP Redirector you will loose all the authentication send by the client, this is stripped of the request. So the request is anonymous and can't identify itself and then you get the 12202 url denied error. (This is under Servers and Arrays -> <machine-name> -> right mouse click -> properties)

This works fine for me. Hope it helps for you.

Arthur.

You got it! You must not force authentication on the Outgoing Web Requests listener if you are using just SecureNAT and Firewall clients, because those clients cannot send authentication information to the web proxy service.

HTH,
Tom

------------------
http://www.isaserver.org/shinder/



Get It Here!