Can you help me confirm if this is a normal behavior?
It’s an SBS Server with ISA 2004 installed. There is an internal website hosted on the SBS Server itself (not published by the ISA). IIS is listening on the internal IP address using the host header “companyweb”. The “companyweb” name can be resolved to the internal IP address of the ISA firewall by the internal DNS Server. The "Require all users to authenticate" option is checked on the ISA.
From an internal XP client, we perform the following test (FWC is not installed):
1. Enable web proxy, uncheck the “Bypass proxy server for local addresses” option in IE.
2. Enable web proxy; check the “Bypass proxy server for local addresses” option in IE.
We receive an error indicating that “Error Code: 403 Forbidden. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)”
3. Disable web proxy in IE.
We receive the same error as in item 2.
Does the error mean that the request is dropped by the ISA’s Web Proxy engine? If so, why does the ISA Web Proxy engine handle the request? Since the URL doesn’t contain a period, it should be regarded as an internal host, am I right?
I have an additional question:
On Networks->Internal->Web Browser, if I tick the “Bypass proxy for Web servers in this network” option, how will the XP client do the DNS resolution when accessing http://companyweb? Will it do the resolution by itself, or will it be done by the ISA’s Web Proxy engine? If it’s performed by the ISA Web Proxy engine, will the HTTP request be looped back through the ISA firewall to access the IIS site behind the same network interface?
(If we disable the "Require all users to authenticate" option, all the above tests will work fine. But the customer is not willing to un-tick the option.)
Not sure if you got this problem fixed, but I encountered it today after an SBS 2003 upgrade to ISA 2004 with SP2 applied, and I have figured out what change is required on the ISA Server so I could see the internal sites without removing the tick in the "all users are required to authenticate" box....
Firstly, I cannot confirm if this is normal behaviour of ISA Server 2004, simply because I performed an upgrade from ISA 2000 on my SBS box and told the installation to import my configuration and settings from 2000 across to ISA 2004. When I first encountered this problem I thought the configuration settings were not passed on to the new installation, although after checking I found I was wrong; my explanation follows after the fix below...
In ISA Server Management drill down to Configuration >> Networks, in the display right-click the Internal network definition and select Properties, then select the Web Browser tab and remove the tick in the box for "Bypass proxy for Web servers in this network". Now it doesn't matter if the “Bypass proxy server for local addresses” option in IE is ticked or not ticked (close the browser window when switching between modes or you will see the error in some circumstances).
If you disable the Web Proxy in IE, with or without a Firewall Client (SecureNAT), I believe ISA recognises the connection as a transparent Web Proxy request which cannot be authenticated, and the connection fails.
I think the answer to your question lies here: "By default, the predefined protocol, HTTP, in ISA Server is bound to the Web Proxy filter. With this setting in place, ISA Server intercepts requests from SecureNAT and Firewall clients, and passes them to the Web Proxy filter for transparent handling. This is known as transparent network address translation (NAT). Applying NAT substitutes a global Internet Protocol (IP) address that is valid on the Internet for the internal IP address of the client request, thus protecting internal addresses. In some circumstances, applying NAT to traffic passing through the Web Proxy filter may cause unexpected results. This document describes a number of issues related to this default behavior."
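To make the two points raised above concrete (the question's "URL doesn't contain a period" rule and the reply's "transparent request cannot be authenticated" explanation), here is an added PAC-style example that is not from the thread or from ISA itself. It models IE's "Bypass proxy server for local addresses" rule (a host with no dot is treated as local and sent DIRECT) and the ISA-side outcome the reply describes; the proxy name, port and hostnames are constructed assumptions.

```javascript
// Added example, not the thread's or ISA's own code. Models IE's
// "Bypass proxy server for local addresses" decision and the ISA outcome
// described in the thread. Proxy address and hosts are constructed.

var ISA_WEB_PROXY = "PROXY isa.example.local:8080"; // assumed listener

// Constructed internal DNS: the plain name resolves to the ISA internal IP,
// exactly the situation described in the question.
var INTERNAL_DNS = { "companyweb": "10.0.0.1" };

// isPlainHostName as defined for PAC scripts: true when the host has no dot.
// This is the rule IE applies when deciding what counts as a local address.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Route selection as IE would make it. bypassLocal mirrors the IE checkbox.
function findProxyForUrl(url, host, bypassLocal) {
  if (bypassLocal && isPlainHostName(host)) {
    return "DIRECT"; // client resolves the name itself and connects directly
  }
  return ISA_WEB_PROXY; // request is sent as a proxy request to ISA
}

// Outcome on the ISA side, per the reply's explanation: a DIRECT request for
// a name that resolves to the ISA listener arrives as a transparent (SecureNAT
// style) Web Proxy request, which cannot carry credentials. With "Require all
// users to authenticate" set, ISA refuses it with the 403 / 12202 error.
// A genuine proxy request can be authenticated and is allowed through.
function isaOutcome(route, host, requireAuth) {
  var hitsIsaListener = route === "DIRECT" && INTERNAL_DNS[host] === "10.0.0.1";
  if (hitsIsaListener && requireAuth) {
    return "403 Forbidden (12202)";
  }
  return "200 OK";
}

// Walk through the question's tests for http://companyweb with auth required.
function runScenario(bypassLocal, requireAuth) {
  var route = findProxyForUrl("http://companyweb/", "companyweb", bypassLocal);
  return { route: route, result: isaOutcome(route, "companyweb", requireAuth) };
}
```

Running `runScenario(true, true)` reproduces the failing case (DIRECT, 403), while `runScenario(true, false)` shows why unticking "Require all users to authenticate" makes the same request succeed.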