Welcome to ISAserver.org


Cannot access published Web and FTP

Cannot access published Web and FTP - 5.Jul.2004 8:15:00 AM   
dmc3106

 

Posts: 23
Joined: 27.Jun.2004
From: North Carolina
Status: offline
I have been struggling with this one for a good while now and could use some help->

followed 'ISA2004Config Guide1.1' verbatim in publishing web and FTP with NO success. When attempting to access the published WEBsite from an outside connection, I get the "403 Forbidden" error in IE. When trying to access the published FTP from the outside, I get a "FTP folder error ....the FTP session was terminated"

**The logging in ISA shows a failed connection attempt via FTP to the internal server but gives no clues as to why. Internal and external IP addresses shown in the log are accurate

**The logging in ISA shows a failed connection attempt via HTTP to the internal server but gives no clues as to why. Internal IP address is shown as 0.0.0.0, external IP is accurate.

I can PING all addresses internally (ftp.servername.local, http://www.servername.local) NOTE:external DNS is '.net'

I have scoured the messageboards and elsewhere for clues and tried many possible solutions but none work. I feel I am close! Thanks for an insight!
Post #: 1
RE: Cannot access published Web and FTP - 5.Jul.2004 6:22:00 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi DMC,

NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO!

Please, not the .local *illegal* TLD! [Frown]

You couldn't have followed the config guide exactly, because we use the same domain name internally and externally, and simulate a split DNS throughout. Also, there is no coverage of FTP publishing [Big Grin]

What are the exact details of your Web publishing rule? I'd also create a split DNS to remove your dependency on the illegal TLD.

HTH,
Tom

(in reply to dmc3106)
Post #: 2
RE: Cannot access published Web and FTP - 6.Jul.2004 6:41:00 AM   
dmc3106

 

Posts: 23
Joined: 27.Jun.2004
From: North Carolina
Status: offline
Hi TS-

Uh-oh. It appears that's a big no.

An install of Small Business Server 2003, by default, sets up the .local DNS domain name for internal use. What is TLD? Also, what is illegal about it?

The web publishing rule is - >
(name)WEB -> (action)ALLOW -> (protocols)HTTP ->(from)ANYWHERE ->(to)SERVER.MYDOMAIN.LOCAL -> (condition) ALL USERS

Thanks for feedback!

(in reply to dmc3106)
Post #: 3
RE: Cannot access published Web and FTP - 6.Jul.2004 10:37:00 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi DMC,

Not your fault. I know that's how SBS handles things, but the SBS group forgot that there is something called "the Internet" out there, and sometimes people want to connect from locations on the Internet. I surely hope they'll learn the error of their ways and encourage people to not use illegal TLDs (top level domains, like .local).

What is the name you're using on your "Public" tab and the name you're using on your "To" tab?

Thanks!
Tom

(in reply to dmc3106)
Post #: 4
RE: Cannot access published Web and FTP - 7.Jul.2004 4:43:00 AM   
dmc3106

 

Posts: 23
Joined: 27.Jun.2004
From: North Carolina
Status: offline
TS-

Here is what I have on the properties of the Web Publishing rule:

"Public" tab - > WWW.MYDOMAIN.NET
"To" tab - > SERVER.MYDOMAIN.LOCAL
"Send the Original Host Header" is unchecked

From an outside line (Dialup), I can ping www.mydomain.net and get a response (shows the correct outside IP address). At this point, attempting to access the site via IE gives "403 Forbidden"

Thanks for your thoughts!

(in reply to dmc3106)
Post #: 5
RE: Cannot access published Web and FTP - 7.Jul.2004 2:45:00 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi DMC,

Change the value in the "To" tab to www.domain.net and then create a HOSTS file entry on the ISA firewall that maps www.domain.net to the Internal IP address of the published Web server.

Also, does your ISP allow incoming Web connections?

Thanks!
Tom

(in reply to dmc3106)
Post #: 6
RE: Cannot access published Web and FTP - 7.Jul.2004 7:31:00 PM   
nivje

 

Posts: 1
Joined: 7.Jul.2004
Status: offline
TS

I am facing a similar problem. My web publishing rule has destination server as 192.168.1.1 which is on my internal network. But I get a 400 (Bad Request) error trying to access the site.

Do I need to keep it something like www.somedns.com and then have a HOSTS entry to point 192.168.1.1 ? Does it need to match the entry on the public name?

Is this something new in 2004? Because in 2000 I used to publish it to 192.168.1.1 and it worked.

Thanks

[ July 07, 2004, 10:05 PM: Message edited by: nivje ]

(in reply to dmc3106)
Post #: 7
RE: Cannot access published Web and FTP - 7.Jul.2004 8:03:00 PM   
dmc3106

 

Posts: 23
Joined: 27.Jun.2004
From: North Carolina
Status: offline
TS-

Followed your suggestions and still have same results. Here is the exact message - >
"403 Forbidden - The server denies the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
Internet Security and Acceleration Server"

It seems this is a specific reference to ISA intercepting the traffic and kicking back the error. Is this correct? If so, can we then conclude (to a degree) it's an issue at the firewall?

I have run websites without ISA on this same connection. To my knowledge, my ISP is not blocking incoming Web connections.

Again, thanks for your feedback!

(in reply to dmc3106)
Post #: 8
RE: Cannot access published Web and FTP - 8.Jul.2004 12:15:00 AM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi DMC,

OK, if the ISP is OK, then maybe there's something wrong with the listener. Did you configure a Web listener for this rule to use? Does this listener listen on an IP address that resolves to the name used in the FQDN that external users use to access the site?

Thanks!
Tom

(in reply to dmc3106)
Post #: 9
RE: Cannot access published Web and FTP - 8.Jul.2004 5:23:00 AM   
dmc3106

 

Posts: 23
Joined: 27.Jun.2004
From: North Carolina
Status: offline
TS-

I have a listener configured for the rule to use. It is configured to listen on the IP address of the external interface of the ISA server (192.168.0.2). There is a DSL/Cable router connected to the other side of this interface (GW: 192.168.0.1) which, in turn, connects to the internet. Here are properties of the listener:
'Selected networks for this listener' - > (external/192.168.0.2), HTTP Port 80,HTTPS Disabled, Integrated authentication, Always authenticate-'no'.

Are there any other tests or configurations I can perform to help discover the issue?

I hope the info above clarifies a bit. I look forward to getting to the bottom of this. Let me know your thoughts - I appreciate your help!

(in reply to dmc3106)
Post #: 10
RE: Cannot access published Web and FTP - 8.Jul.2004 5:58:00 AM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi DMC,

OK, we're now at the point where we need to know the exact config of your Web publishing rule.

What is the public name you assigned to the rule?

What is the exact name on the To tab?

What appears in the log file when an external user attempts to connect from an external location?

Thanks!
Tom

(in reply to dmc3106)
Post #: 11
RE: Cannot access published Web and FTP - 9.Jul.2004 1:11:00 AM   
dmc3106

 

Posts: 23
Joined: 27.Jun.2004
From: North Carolina
Status: offline
Hi TS-

Q: What is the public name you assigned to the rule?
A: www.mydomain.net

Q: What is the exact name on the To tab?
A: www.mydomain.net
...Also, "Send Original Host Header" is unchecked. Below this option, "Requests appear to come from the firewall" is selected

Q: What appears in the log file when an external user attempts to connect from an external location?
A: See below ->
Log Time(7/8/2004 6:47:50PM), Destination Host IP(0.0.0.0), Destination Port(80), Protocol(http), Action(nothing listed here), Rule(Default Rule), Client IP(24.211.212.27), Client Username(anonymous), Source Network(nothing listed here), Destination Network(nothing listed here), HTTP Method(Get), URL(http://www.mydomain.net)

A few things appear out of place here but I can only speculate. Please let me know your thoughts.

Thanks very much for your feedback! -DMC

(in reply to dmc3106)
Post #: 12
RE: Cannot access published Web and FTP - 9.Jul.2004 7:11:00 AM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi DMC,

At the command prompt on the ISA firewall, enter the following:

nslookup www.mydomain.net.

(make sure to include the trailing period)

What does that show?

Thanks!
Tom

(in reply to dmc3106)
Post #: 13
RE: Cannot access published Web and FTP - 9.Jul.2004 10:30:00 PM   
dmc3106

 

Posts: 23
Joined: 27.Jun.2004
From: North Carolina
Status: offline
Hi TS-

nslookup shows the following:

Server: isaserver.mydomain.net
Address: "IP address of inside interface of isaserver"

Non-authoritative answer:
Name: www.mydomain.net
Address: "External IP address of WWW"

....the isaserver is not hosting the website but is running DNS. If I run the same test (nslookup) on the webserver behind the firewall, it references itself as the "Server". So, it shows "Server: webserver.mydomain.net"

Hope this info helps narrow down things. Thanks, TS! -DMC

(in reply to dmc3106)
Post #: 14
RE: Cannot access published Web and FTP - 11.Jul.2004 6:20:00 PM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi DMC,

That's the problem!

You need to create a split DNS. The ISA firewall should resolve the name of the published server to the server's INTERNAL IP address.

Also, the DNS server running on the ISA firewall should be a caching-only DNS server. It *should NOT* be authoritative for any domains, although you can create a stub zone on it to point to your internal domain.

HTH,
Tom

(in reply to dmc3106)
Post #: 15
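
The check described in post #15, that the ISA firewall resolves the published name to the Web server's internal address, as an added example that is not part of the original thread. It tests membership in the Internal network rather than "is a private address", because the external interface in this thread (192.168.0.2) is itself a private address. The 10.0.1.0/24 Internal network, the sample HOSTS and nslookup text, and the function names are assumptions.

```python
import ipaddress

# Assumption: the ISA "Internal" network is 10.0.1.0/24 (the thread gives
# 10.0.1.9 and 10.0.1.10 but no mask). All sample text below is constructed.
INTERNAL_NETS = [ipaddress.ip_network("10.0.1.0/24")]

HOSTS_SAMPLE = """\
127.0.0.1   localhost
10.0.1.10   www.mydomain.net   # published Web server
"""

NSLOOKUP_SAMPLE = """\
Server:  isaserver.mydomain.net
Address:  10.0.1.9

Non-authoritative answer:
Name:    www.mydomain.net
Address:  203.0.113.20
"""

def parse_hosts(text):
    """Map each lower-cased host name in HOSTS-file text to its address."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table

def parse_nslookup(text):
    """Return answer addresses: 'Address' lines that follow a 'Name:' line."""
    answers, in_answer = [], False
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Name":
            in_answer = True
        elif in_answer and key.strip() in ("Address", "Addresses"):
            answers.append(value.strip())
    return answers

def check_to_name(name, hosts_text, nslookup_text, internal=INTERNAL_NETS):
    """Return (address, verdict) for the name on the rule's "To" tab.
    A HOSTS entry is used before the DNS answer, as in the Windows resolver."""
    name = name.rstrip(".").lower()
    addr = parse_hosts(hosts_text).get(name)
    if addr is None:
        addr = next(iter(parse_nslookup(nslookup_text)), None)
    if addr is None:
        return None, "unresolved"
    ip = ipaddress.ip_address(addr)
    return addr, "internal" if any(ip in n for n in internal) else "not-internal"
```

nslookup queries the DNS server directly and does not read the HOSTS file, so a HOSTS-only fix will not show up in its output; the function above models what the resolver hands to the firewall instead.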
RE: Cannot access published Web and FTP - 12.Jul.2004 6:36:00 AM   
dmc3106

 

Posts: 23
Joined: 27.Jun.2004
From: North Carolina
Status: offline
TS-

Great news! Although I thoroughly read your article "You need to Create Split-DNS!", I am still unclear on the exact steps to take for my current configuration. It appears I have split-split DNS with two name spaces (.local/.net) - is this correct? ...and the article references a different environment with Advertiser servers and such. I would greatly appreciate a small pointer in the right direction.
*I have changed DNS on the ISAserver from a Stub Zone to a caching only. Now there is only one authoritative server.
*I can resolve 'www.mydomain.net' internally but not from an External connection.

Almost there! Thank you! - DMC

(in reply to dmc3106)
Post #: 16
RE: Cannot access published Web and FTP - 13.Jul.2004 6:17:00 AM   
tshinder

 

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi DMC,

I need to do another article on the split DNS. I was trying to cover too much in too little space, and the concepts and configurations I discussed were more applicable to enterprise configs. I need to rewrite it so that it applies to smaller shops that don't have the resources for a split-split DNS.

Who is managing your public DNS? Is it your ISP?

Also, when you do the nslookup on the ISA firewall:

nslookup www.mydomain.net. (include the period at the end)

Do you see the *internal* name of the Web server? If so, you're almost home.

Thanks!
Tom

(in reply to dmc3106)
Post #: 17
RE: Cannot access published Web and FTP - 13.Jul.2004 2:02:00 PM   
dmc3106

 

Posts: 23
Joined: 27.Jun.2004
From: North Carolina
Status: offline
Hi TS-

"Who is managing your public DNS?" - TZO.com

Also, when I do the nslookup on the ISA firewall:

"nslookup www.mydomain.net
Address: "internal IP address of the webserver(10.0.1.10)"

What should we expect to see with the above?

It will be a great day when I get home! Thank you! - DMC

(in reply to dmc3106)
Post #: 18
RE: Cannot access published Web and FTP - 13.Jul.2004 2:05:00 PM   
dmc3106

 

Posts: 23
Joined: 27.Jun.2004
From: North Carolina
Status: offline
...I need to make a correction for the previous post.

"Server: webserver.mydomain.net --(note, this is also the DNS server)" should read - >

"Server: webserver.mydomain.LOCAL --(note, this is also the DNS server)"

thanks, DMC

(in reply to dmc3106)
Post #: 19
RE: Cannot access published Web and FTP - 14.Jul.2004 4:21:00 AM   
dmc3106

 

Posts: 23
Joined: 27.Jun.2004
From: North Carolina
Status: offline
Hi TS-

After further troubleshooting web connectivity between the ISA server and the Webserver, I have these findings:

*WITHOUT specifying itself as the proxy in IE, the ISA server gets the same "403 Forbidden" error when trying to resolve the website either through IP or URL. While running a query(log)from ISAserver, a single attempt to access the website creates three entries as follows:

1-Log Time(7/13/2004 9:53:46PM), Destination Host IP(10.0.1.10), Destination Port(80), Protocol(HTTP), Action(Established conection), Rule(Default Rule), Client IP(10.0.1.9), Client Username(nothing listed here), Source Network(Localhost), Destination Network(Internal), HTTP Method(nothing listed here), URL(nothing listed here)

2-Log Time(7/13/2004 9:53:46PM), Destination Host IP(0.0.0.0), Destination Port(80), Protocol(http), Action(nothing listed here), Rule(Default Rule), Client IP(10.0.1.9), Client Username(anonymous), Source Network(Localhost), Destination Network(Internal), HTTP Method(GET), URL(http://10.0.1.10/)

3-Log Time(7/13/2004 9:53:46PM), Destination Host IP(10.0.1.10), Destination Port(80), Protocol(HTTP), Action(Closed Connection), Rule(Default Rule), Client IP(10.0.1.9), Client Username(nothing listed here), Source Network(Localhost), Destination Network(Internal), HTTP Method(nothing listed here), URL(nothing listed here)

Basically, for the first and third entry, it appears to be ESTABLISHING the connection and then CLOSING the connection. In between (2nd entry), I'm not exactly sure what is happening here. It seems to always resolve 0.0.0.0 as the destination IP.

*WITH specifying itself as the proxy in IE, the ISA server gets the "HTTP 502 Proxy Error" error when trying to resolve the website either through IP or URL. Log consistently reads:

1-Log Time(7/13/2004 10:18:01PM), Destination Host IP(0.0.0.0), Destination Port(80), Protocol(http), Action(nothing listed here), Rule(Default Rule), Client IP(10.0.1.9), Client Username(anonymous), Source Network(Localhost), Destination Network(Internal), HTTP Method(GET), URL(http://www.mydomain.net/default.htm)
...there are several entries in the logs - one for each component (image) of the website it cannot load (5 entries total)

I hope this info is helpful in getting closer to the solution. (sorry for the lengthy post, just want to provide all the info [Wink] )

Please let me know how to proceed if you have a sense of direction here. Thank you! - DMC

(in reply to dmc3106)
Post #: 20
