Welcome to ISAserver.org


403 Forbidden ... on ISA Server 2000

403 Forbidden ... on ISA Server 2000 - 1.Feb.2008 3:00:27 PM   
ss1001

 

Posts: 3
Joined: 1.Feb.2008
Status: offline
Hi,
 
I have been having a problem with Web publishing rules and I have gone through everything I can think of.

I have ISA server 2000 on a Windows 2000 Advanced Server with SP4. I have only had one website all these years and everything worked well, until now ... I needed to add another website.

Both websites are on separate servers w/ 2003 server + latest SPs and IIS.
I have a SPLIT DNS setup.
My ISA Server is a stand alone server w/ 2 NICs one NORTH and the other SOUTH.

NOTE : through nslookup I can resolve to the 2 internal server IPs, BUT when in Destination Set wizard I cannot see the other computers when I choose browse. This is normal as I have not made this ISA server a domain and have also not created any Trust relations with the AD Domain server.
 
Initial Config.
Webpublishing Rules > "ALL DESTINATIONS" was set for www.mywebsite.com.
 
Current Config.
- I setup 2 new destination sets. 1st for the original website www.mywebsite.com. 2nd for the new website support.mywebsite.com.
 
- I then setup a New webpublishing rule for the new website and selected "Specific Destination" and put /support/* for the folder option.

- I updated my Public DNS records to reflect the new support.mywebsite.com.
 
Tested the URL via the browser from home in the evening and got the "403 forbidden..." error.

Next day I checked from a workstation on the LAN and I could access both sites using the URL. I then Remote desktop to my home workstation and tried the URLs again and got the "403 Forbidden error".

I have gone through various troubleshooting including : -
Setting the IP address (internal) for both the internal servers that house the 2 websites in Destination sets for both the rules respectively.
 
 
As mentioned above I can browse to the 2 websites from the internal LAN but just NOT from the internet without getting "403 Forbidden..."

Also if I change the Web publishing rule for the original www.mywebsite.com to "ALL DESTINATIONS" I can get to the original website from the internet, and if I input support.mywebsite.com I go to the same original website...which again makes sense since I indicated "ALL DESTINATIONS"
 
I would appreciate any feedback.
 
Thanks
Post #: 1
RE: 403 Forbidden ... on ISA Server 2000 - 1.Feb.2008 5:27:56 PM   
Rotorblade

 

Posts: 1002
Joined: 27.Feb.2007
Status: offline
Hi there,

If the two sites are on different servers then why are you using a path of /support/*?

You're telling the rule to redirect to http://support.mywebsite.com/support! or possibly it's trying to redirect to your www site with the path of /support which as you know is going to fail.

If you have them on separate servers, just set the redirect on the new publishing rule to http://support.mywebsite.com. Don't use a destination set with a path statement. The rule is that if you are trying to use a path statement in a destination set and publishing to the root of the server, it will not work.

If DNS is configured properly, it should work. You may also need to move the new rule to the top of the order.

HTH

RB


_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to ss1001)
Post #: 2
RE: 403 Forbidden ... on ISA Server 2000 - 7.Feb.2008 7:37:09 PM   
ss1001

 

Posts: 3
Joined: 1.Feb.2008
Status: offline
Hi  RB,

Thanks 4 your response.

Ok, what I have done after reading your post is delete both Destination sets. In the webpublishing > Properties, I indicated "ALL DESTINATIONS" and pointed them to the IP address (internal) of the relevant servers. This is for both. I restarted the ISA services and then tested, and from internal (no difference) I can get to both sites. From outside though, I not get a login box for credentials. Now I have seen a post with something similar so I will dig that post up and follow the author's resolution and see if I am successful. I know on the support.4pcd.com I don't have active directory enabled as it is a stand-alone server, so I may need to create a user called IUSR_INTERNET. I will keep you posted.

Thanks for your help so far. Please feel free to add anything!


(in reply to ss1001)
Post #: 3
RE: 403 Forbidden ... on ISA Server 2000 - 7.Feb.2008 8:15:28 PM   
ss1001

 

Posts: 3
Joined: 1.Feb.2008
Status: offline
Just created a user IUSR_<servername>.
Result:
I was not asked for user ID and Password. However still only going to the www site.

I moved the Web Publishing rule for support.mywebsite.com to position 1.
Result:
Now both URLs go to the support site.

Can anyone shed some light as to where I am going wrong!

Thanks.

(in reply to ss1001)
Post #: 4
RE: 403 Forbidden ... on ISA Server 2000 - 8.Feb.2008 1:02:32 PM   
Rotorblade

 

Posts: 1002
Joined: 27.Feb.2007
Status: offline
Ok, let’s back up here and see if we can come to a conclusion on your issue.


quote:


Current Config.
- I setup 2 new destination sets. 1st for the original website www.mywebsite.com. 2nd for the new website support.mywebsite.com.


Ok, before the destination sets, let’s look at your DNS. From what I'm gathering, it sounds like a DNS issue. You mentioned that you have “split DNS” configured. So that would mean that the internal FQDN naming and the external FQDN naming are the same and have been tested and resolve correctly internally to their respective internal server FQDN to IP? If not, that is issue #1. For any destination set to work, DNS must work! This also leads me to believe that you may have something amiss with your DNS configuration, possibly not resolving to an Internal DNS which is properly configured as a forwarder.
In your original destination set, are there any “Include these destination” entered in the box below?
When creating the two destination sets, be very specific as to the FQDN. For instance, if you’re using mywebsite.com as the destination, then all requests for mywebsite.com will be directed to the web server using that destination in its rule! If you have another rule that listens for requests for the FQDN of support.mywebsite.com and the rule is second in order, requests will still go to the first rule because you told it to.


quote:

 
I then setup a New web publishing rule for the new website and selected "Specific Destination" and put /support/* for the folder option.


As I mentioned, using the path of /support/* is probably not called for because you’re publishing, redirecting to two separate web servers. Using the path in the destination set would mean that the virtual folder structure on the published Web server exists and you’re directing inbound requests based on the FQDN to the virtual folder path. If you are publishing to the “root” web, then using a path other than /* will not work!

Secondly, if you are truly configured for “split DNS” but your internal web server is using a different name, you may need to configure host headers on the IIS web server.  In the web rule, you have the option to send the original host header instead of the actual one specified in the redirect box. (IP or name) If you’re redirecting using the “original host header” then the server must be configured as an ISA SecureNAT client. If it is not, requests will fail!

quote:

 
I updated my Public DNS records to reflect the new support.mywebsite.com.


Good, hopefully your Internal DNS is configured with the proper A zone records or using an alias CNAME to reference the internal servers and not the external IP!



quote:


Just created a user IUSR_<servername>.


Not sure why you would want to do this. The IUSR_servername is the account IIS uses for Anonymous access and by default is created for you at time of install. Setting authentication is either done at the ISA web listener or at the web server. My suggestion to you is to get it working without authentication first then worry about locking it down. If the web server is not a member of the domain, then a local account needs to be configured to authenticate against. Using Basic authentication, it is recommended that you use SSL.

Hopefully, this information will be of some help. It’s been a few years since working with ISA 2k!

Anyway, please let me know on your outcome.

HTH

RB  


_____________________________

David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003

(in reply to ss1001)
Post #: 5
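
A simplified first-match model of the rule ordering and destination-set behaviour discussed in this thread, added here as an illustration; it is not ISA Server code and was not posted by either participant. The server names, the `route` helper and the choice to return 403 when no rule matches are assumptions.

```python
from fnmatch import fnmatchcase

ANY = None                                     # models "All destinations"
WWW, SUPPORT = "www-server", "support-server"  # constructed placeholders

def matches(dest_set, host, path):
    """A destination set is a list of (host, path pattern) entries."""
    if dest_set is ANY:
        return True
    return any(host.lower() == h and fnmatchcase(path, p) for h, p in dest_set)

def route(rules, host, path="/"):
    """First matching rule wins; no match is refused (modelled as 403)."""
    for dest_set, target in rules:
        if matches(dest_set, host, path):
            return target
    return "403 Forbidden"

# Post 1: specific destination with a /support/* path on the new rule.
path_rules = [([("support.mywebsite.com", "/support/*")], SUPPORT),
              ([("www.mywebsite.com", "/*")], WWW)]
# Posts 3-4: both rules set to "All destinations"; order decides everything.
any_rules_www_first = [(ANY, WWW), (ANY, SUPPORT)]
any_rules_support_first = [(ANY, SUPPORT), (ANY, WWW)]
# Post 5's advice: one exact FQDN per destination set, path /*.
fqdn_rules = [([("www.mywebsite.com", "/*")], WWW),
              ([("support.mywebsite.com", "/*")], SUPPORT)]

def demo():
    """Route a request for the root of each site under every rule set."""
    hosts = ("www.mywebsite.com", "support.mywebsite.com")
    return {name: [route(rules, h) for h in hosts]
            for name, rules in [("path", path_rules),
                                ("any_www_first", any_rules_www_first),
                                ("any_support_first", any_rules_support_first),
                                ("fqdn", fqdn_rules)]}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

With exact FQDN entries the outcome no longer depends on rule order, whereas two "All destinations" rules always send every host to whichever rule is listed first.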
