I've created a web site with IIS 6.0 and I created a web publishing rule with the ISA 2004 wizard. I've implemented a w2k3 domain with a w2k3 domain controller, a w2k3 web server and a w2k3 web proxy/firewall with ISA 2004 Standard Edition. When I contact my web site with an internet browser from an internal/external client I receive this error message:
Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
My external IP is 82.xxx.xxx.xxx, my ISA internal IP is 10.0.0.254, and my web server IP is 10.0.0.1.
I used the configuration wizard.
Action: enable
From: anywhere
To: "computer Name"
Forward to origin...... Yes
Listener: External and listed the external IP address, listen to port 80
Path: as default
Bridging: Redirect to HTTP port 80
From: San Pedro Sula
I have this very same problem. I have my IIS server on W2k3 and all internal clients can browse the website, which resides in the /SulaExpress/* folder.
My ISA Server is 2k4 and I used the Web Publishing Wizard to "enable this website to be accessible from outside". According to the error it looks like the problem is an authentication issue. I have checked that the listener has No Authentication and that the IIS server has the same settings. I even checked the Security tab for the folder itself and it allows ANONYMOUS LOGON on it, but I still have the same error AS ON THIS TOPIC.
I have two NICs on my ISA Server. I posted the mail server using the wizard and it works fine. My network has two servers: one with ISA 2k4 on a W2k3 PC, and the other is W2k3 on a PC that is on the internal network; it has my mail server, IIS and Active Directory.
Are there regular steps to publish a web server even after using the wizard?
From: San Pedro Sula
On that pane I typed the public name which I have already posted on my ISP as the public website, for example, www.sulaexpress.com, and on my ISP this should be pointing to the external IP 22.214.171.124
I am curious to see how this is resolved too. I am running into the same issue when publishing an internal website thru ISA. I used the configuration example in the ISA Server 2004 book and can't get it to work.
As for the "public name details" I have tried several different approaches. Currently I am just using the External IP because I do not have this in DNS yet (testing phase). Any input would be appreciated.
Well here is a follow up on this...I looked at my ISA log and the rule being applied is the "Default rule" which blocks all other traffic. However, it is the last rule in my list. The web publishing rule is the first. So for some reason the web publishing rule is being bypassed and the deny all rule is being applied. And by the way, yes the web publishing rule is enabled. I have triple checked that.
More details on configuration of web publishing rule:
Action - Allow
From - External
Exception - Internal
To - weblink (used both internal DNS name and internal IP)
Forward original host header - Tried both checking and unchecking this option
Request appear to come from - ISA
Traffic - HTTP
Listener - Details to follow
Link Translation - not checked
Schedule - 24x7
User - All
Bridging - Web Server Redirect to port 80
Paths - /*
Public name - http://126.96.36.199/weblink,http://188.8.131.52/weblink7, 184.108.40.206/weblink7
Web Listener Details
Network - External (IP of 172.16.131.5)
Preferences - Enable http, port 80
Authentication - none specified
Advanced - unlimited connections
RSA - Cookies expire after specified time (15 min)
I am just stumped as to why this rule is being passed and the default rule of Deny is being applied.
Final note on this: I am testing from my home PC (using RDP to home PC) and viewing log entries as they come into ISA.
OK, another update... after changing the public name to just the IP (dropped the /weblink part) I can now at least get past the ISA server. In the log files I see the web publishing rule being applied and allowing the traffic to pass to the web server. However, now when I connect to the web server I am getting a pop-up box asking me to authenticate. Since ISA is passing the request to IIS, it looks like I may have some authentication issue with IIS.
Would be glad to help, just keep posting in here any issues you may have. This way we have a running track of what is taking place.
I can say from my experience the biggest issues I was having were getting the HTTP request past ISA and then setting the permissions in IIS. One area that helped me out a lot was the logging of ISA. I was able to see what rule was being applied and work from there.
RE: Error Code: 403 Forbidden. The server denied the sp... - 2.Sep.2005 11:04:00 AM
Let me know what you guys think. I believe we're all having the same problem due to 1 little thing here. But quickly, here's my configuration (brief)...
2 domains located at 2 different places... Both having the same issue.
1 is for a client... 1 is mine. I have SBS2003 Premium with ISA2004 on both. Local domain name for client is crockettmyers.local. My security certificate is for server.crockettmyers.com. Mine locally is eondigital.local with a security cert for server.eondigitalsolutions.com.
(In SBS 2003 running the Server configuration wizard sets up everything from SBS2003 to ISA2004 for me automatically.) I'm trying to access remote web workplace from either...
**OKay now, the meat of the issue...
It seems we're all accessing name based websites by trying to use the IP address. Looks like with the configuration we all have, we will need to create an A name record on our domain names pointing to the IP address...
ie: server.crockettmyers.com A>> 220.127.116.11.
It seems ISA is denying the request because it's not able to verify that we're coming from the right source (so to speak) ISA is configured to only allow name based authentication. In the case of the previous user, I believe they got it to work by changing the name to the IP address. That way ISA didn't deny based on the fact that it wasn't a request for a specific name of a site, but rather allowed traffic based on the IP address.
***Please be careful with allowing sites to be pulled by IP, it makes them easier to get through security.
Just my thoughts on our little matter... what do you think? (Unfortunately I can't get the A name added because my host isn't returning my phone calls. I'm switching providers!)
I used the IP because I am testing the web publishing rule. However, once I get the DNS record entered I should not have any problems as long as the DNS name is created on the Public Name page within ISA.
When trying to access your website <satch22> I get the following error message:
Technical Information (for support personnel)
Error Code 10060: Connection timeout
Background: The gateway could not receive a timely response from the website you are trying to access. This might indicate that the network is congested, or that the website is experiencing technical difficulties.
Date: 9/2/2005 3:24:31 PM
Server: Myserver name
Source: Firewall
Within ISA the log shows "Failled Connection Attempt"
From: CA USA
I have been fighting the same issue it seems. As a certified MS partner I have been working with MS support engineers and this problem has been giving us fits.
What I have found in my travels is that if you run a default setup after applying SP1 to SBS then you can get the DNS error. I had this problem for a while. I think this could have been fixed by simply adding an entry to DNS for "PUBLISHING" and pointing the record to the web server. The reason for this is that when you run the wizard to configure the internet connection and the firewall, an SSL certificate is created for both the server name and publishing. If all the rules look correct but the error you get is "cannot find the server or DNS error", I think this will fix it.
I was able to fix this problem by re-running the wizard. Where it asks for the fully qualified server name, my local name (in my case server.domain.local) appeared as the default. By putting in www.domain.com (my server has a registered .com address) all my services then started working.
Hope this helps.
PS One of the engineers was able to make a rule by the IP address, so I can see how changing the name to just the IP will get things working again.
Old thread but nevertheless I learnt to use monitor\query function here.
I kinda had the same problem.
Built split DNS and a web server, then published the web server to 'external'. External clients can browse the internal web server with no problem, but internal clients get 'proxy error 502', 'error 12202', 'ISA denied the URL'. monitor\logging\query shows that the rule applied is 'last rule default-denied'.
Also, if an internal client uses the NetBIOS name (e.g. www) instead of the full FQDN (e.g. www.microsoft.com), or if the web proxy client is disabled (LAN setting, untick 'use a proxy..'), it can access the web server with no problem.
Issue solved by adding a new firewall policy: protocols: HTTP, from: Internal, Localhost, to: Internal
Tested again using the full FQDN; the browse request (both at internal and localhost) now succeeds. 'monitor\logging\query' shows the rule used is the new 'internal-allow-internal' policy.
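Added illustration, not part of any post in this thread and not ISA Server's own code: a simplified first-match model of the two fall-through cases reported above, a public name that contains a path (`/weblink`) and an internal proxy client with no Internal-to-Internal rule. The class names, network labels, the address 203.0.113.10 and the host www.example.com are constructed assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass
class PublishRule:
    name: str
    sources: set        # networks the request may come from
    public_names: list  # compared against the Host header only, never the path
    paths: list         # compared against the URL path, e.g. "/*"

    def matches(self, req):
        return (req["src"] in self.sources
                and req["host"].lower() in (n.lower() for n in self.public_names)
                and any(fnmatch(req["path"], p) for p in self.paths))

@dataclass
class AccessRule:
    name: str
    sources: set
    destinations: set

    def matches(self, req):
        return req["src"] in self.sources and req["dst"] in self.destinations

def evaluate(rules, req):
    """Return the name of the first matching rule, as the log query would show it."""
    for rule in rules:
        if rule.matches(req):
            return rule.name
    return "Default rule"  # implicit deny at the end of the policy

EXT_IP = "203.0.113.10"  # constructed external address (documentation range)

# Constructed requests: an outside browser, and an internal web proxy client
# whose FQDN lookup resolves to the internal web server (split DNS).
external = {"src": "External", "dst": "Local Host", "host": EXT_IP,
            "path": "/weblink/default.htm"}
internal = {"src": "Internal", "dst": "Internal", "host": "www.example.com",
            "path": "/"}

broken = [PublishRule("Web publish", {"External"}, [EXT_IP + "/weblink"], ["/*"])]
fixed = [PublishRule("Web publish", {"External"}, [EXT_IP, "www.example.com"], ["/*"])]
with_access = fixed + [AccessRule("internal-allow-internal",
                                  {"Internal", "Local Host"}, {"Internal"})]

def demo():
    return (evaluate(broken, external), evaluate(fixed, external),
            evaluate(fixed, internal), evaluate(with_access, internal))
```

In this model the path restriction belongs in the rule's paths list, so the public name stays a bare host name or address and unmatched hosts still end at the default deny.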