• Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

403 FOrbidden when accessing an internal web site

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 General ] >> ISA 2004 SBS >> 403 FOrbidden when accessing an internal web site Page: [1]
Message << Older Topic   Newer Topic >>
403 FOrbidden when accessing an internal web site - 4.Jan.2006 3:33:15 AM   


Posts: 33
Joined: 14.Dec.2005
Status: offline
Hi All,

Can you help me confirm if this is a normal behavior?

It’s a SBS Server with ISA 2004 installed. There is an internal website hosted on the SBS Server itself (not published by the ISA). IIS is listening on the internal IP address using the host head “companyweb”. The “companyweb” can be resolved to the internal IP address of the ISA firewall by the internal DNS Server. The "Require all users to authenticate" option is checked on the ISA.

From an internal XP client, we perform the following test (FWC is not installed):

1. Enable web proxy, uncheck the “Bypass proxy server for local addresses” option in IE.

We can access http://companyweb without problem.

2. Enable web proxy; check the “Bypass proxy server for local addresses” option in IE.

We receive an error indicating that “Error Code: 403 Forbidden. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)”

3. Disable web proxy in IE.

Receive the same error in item 2.

Does the error mean that the request is dropped by the ISA’s Web Proxy engine? If so, why will the ISA Web Proxy engine handle the request? Since the URL doesn’t contain a period, it should be regarded as an internal host, am I right?

I have an additional question:

On Networks->Internal->Web Browser, if I tick the “Bypass proxy for Web servers in this network” option, how will the XP client do the DNS resolution when accessing http://companyweb? Will it do the resolution by itself or will it be done by the ISA’s Web Proxy engine? If it’s performed by the ISA Web Proxy engine, will the HTTP request looped back through the ISA firewall to access the IIS site behind the same network interface?

(If we disable the "Require all users to authenticate" option, all the above tests will work fine. But the customer is not willing to un-tick the option.)

Thanks in advance and Happy new year!

Best Regards,
Edward Tian
Post #: 1
RE: 403 FOrbidden when accessing an internal web site - 19.Apr.2006 6:34:11 PM   


Posts: 1
Joined: 19.Apr.2006
Status: offline

Not sure if you got this problem fixed but i encountered it today after an SBS 2003 Upgrade to ISA2004 and SP2 was applied, and have figured out what the required change is to be made on the ISA Server so i could see the internal sites without removing the tick in the "all users are required to authenticate" box....

Firstly I cannot confirm if thsi is normal behaviour of ISA server 2004 simply because I performed an upgrade from ISA 2000 on my sbs box and told the installation to import my configuration and settings from 2000 across to isa 2004. When i first encountered this problem i thought the configuration settings were not passed onto the new installation although after checking i was wrong, my explantion follows after the fix below...

In ISA server management drill down to configuration >> network, in the display right click the internal network definition and select properties, now select the Web Browser tab and remove the tick in the box for "Bypass proxy for Web servers in this network".
Now it doesnt matter if the option “Bypass proxy server for local addresses” option in IE is ticked or not ticked (close browser window when switching between modes or you will see the error in some circumstances).

If you disable the WebProxy in IE with or without a firewall client (SecureNAT) i believe isa recognises the connection as a transparent Web Proxy request which cannot be authenticated, and the connection fails.

I found this MS Article Very Helpful after i fixed the problem

I think the answer to your question lies here: "By default, the predefined protocol, HTTP, in ISA Server is bound to the Web Proxy filter. With this setting in place, ISA Server intercepts requests from SecureNAT and Firewall clients, and passes them to the Web Proxy filter for transparent handling. This is known as transparent network address translation (NAT). Applying NAT substitutes a global Internet Protocol (IP) address that is valid on the Internet for the internal IP address of the client request, thus protecting internal addresses. In some circumstances, applying NAT to traffic passing through the Web Proxy filter may cause unexpected results. This document describes a number of issues related to this default behavior."

(in reply to Edward)
Post #: 2

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 General ] >> ISA 2004 SBS >> 403 FOrbidden when accessing an internal web site Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts