Website on SBS with ISA2004 sometimes available and sometimes error code 403: Forbidden
Hi, I just installed ISA 2004 on our SBS server, everything works as it's supposed to be except our website.
I created with help of the "publish website wizard" a rule that publishes our website to the anywhere computer group.
When we test the website from the local network it works fine but when a client tries to connect to it, most of the time
it works but regularly the client gets the 403 error code.
If I log the ISA Server I get the following entries:
Action Client ip username source network destination http method url destination ip port
denied connection 81.82.197.24 anonymous localhost empty GET http://sbs/website/images/contact_3.jpg 81.82.197.24 80
Allowed connection 81.82.248.149 anonymous external empty GET http://sbs/website/images/contact_3.jpg 81.82.197.24 80
81.82.197.24 is the servers WAN ip.
This is what the ISA Server logs, it is very strange that ISA blocks the request with client ip it's own WAN ip because the rule made by the wizard has in the from field "anywhere".
This is what appears when I visit the webste from a remote location with WAN ip 81.82.248.149.
It is strange that in client IP the wan address 81.82.197.24 of the sbs server appears.
This is an urgent matter since the website is our live website.
Any help would be more than welcome.
I created with help of the "publish website wizard" a rule that publishes our website to the anywhere computer group.
When we test the website from the local network it works fine but when a client tries to connect to it, most of the time
it works but regularly the client gets the 403 error code.
If I log the ISA Server I get the following entries:
Action Client ip username source network destination http method url destination ip port
denied connection 81.82.197.24 anonymous localhost empty GET http://sbs/website/images/contact_3.jpg 81.82.197.24 80
Allowed connection 81.82.248.149 anonymous external empty GET http://sbs/website/images/contact_3.jpg 81.82.197.24 80
81.82.197.24 is the servers WAN ip.
This is what the ISA Server logs, it is very strange that ISA blocks the request with client ip it's own WAN ip because the rule made by the wizard has in the from field "anywhere".
This is what appears when I visit the webste from a remote location with WAN ip 81.82.248.149.
It is strange that in client IP the wan address 81.82.197.24 of the sbs server appears.
This is an urgent matter since the website is our live website.
Any help would be more than welcome.
PS.
Have you got 2 NIC's in your server or just the one?
If two, when you published the rule, did you put the internal nic IP address of the SBS serveras the destination?
Have you got 2 NIC's in your server or just the one?
If two, when you published the rule, did you put the internal nic IP address of the SBS serveras the destination?
ASKER
Hi keith,
You're able to see the the images since most of the times it works fine. In the rule made by the "publish a web server" wizard the server translates external paths to internal paths. The translation is done by Host headers
Host headersBy
default, when Microsoft Internet Security and Acceleration (ISA) Server 2004 receives an incoming Web request, it determines whether the request is allowed, and then routes the request to the appropriate location on the Web server as defined in the Web publishing rule. ISA Server does not pass the host header (for example, Host: example.microsoft.com) included in the client request to the published server. Instead, ISA Server substitutes the original host header in the request with the name of the server specified in the Web publishing rule. As a result, all requests that are routed to a particular Web server are sent to the same (default) Web site on that Web server.
You can configure ISA Server to pass the original host header information, thereby allowing client requests to be routed to a particular site on the Web server. For example, when you are publishing more than one Web site on the same Web server, the original host header is required for the request to be routed to the intended Web site.
This is the live ip 81.82.197.46 of the server hope this helps
And yes we use 2 NIC's and no I didn't use the internal ip address as destination.
Greetings,
Walter
You're able to see the the images since most of the times it works fine. In the rule made by the "publish a web server" wizard the server translates external paths to internal paths. The translation is done by Host headers
Host headersBy
default, when Microsoft Internet Security and Acceleration (ISA) Server 2004 receives an incoming Web request, it determines whether the request is allowed, and then routes the request to the appropriate location on the Web server as defined in the Web publishing rule. ISA Server does not pass the host header (for example, Host: example.microsoft.com) included in the client request to the published server. Instead, ISA Server substitutes the original host header in the request with the name of the server specified in the Web publishing rule. As a result, all requests that are routed to a particular Web server are sent to the same (default) Web site on that Web server.
You can configure ISA Server to pass the original host header information, thereby allowing client requests to be routed to a particular site on the Web server. For example, when you are publishing more than one Web site on the same Web server, the original host header is required for the request to be routed to the intended Web site.
This is the live ip 81.82.197.46 of the server hope this helps
And yes we use 2 NIC's and no I didn't use the internal ip address as destination.
Greetings,
Walter
ASKER
Problem Solved !
There's apparently a problem with DNS.
If I use the internal ip-address fot the publish a webserver wizard everything works fine.
Thx for the help.
Now how can I close this question?
There's apparently a problem with DNS.
If I use the internal ip-address fot the publish a webserver wizard everything works fine.
Thx for the help.
Now how can I close this question?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
We used the internal name and not the ip-address that was the problem.
Apparently a previous administrator created a wrong reverse dns record and that caused some errors when the server
tried to resolve the path.
If my thinking is correct.
Thx anyway.
Grtz,
Walter
Apparently a previous administrator created a wrong reverse dns record and that caused some errors when the server
tried to resolve the path.
If my thinking is correct.
Thx anyway.
Grtz,
Walter
Thanks :)
Firstly, the screenshots you have posted are from your internal web pages so we will not be able to see them.
Second, by putting an allow list into place on the incoming connections to your web site you are potentially blocking the local host (the ISA server itself) from connecting. The Anywhere group is a built-in group that by definition means it has no restrictions.....
If you want to place a block like this, create a new group from within the publishing rule and add the IP's that you want but include the IP address of the ISA/SBS server's external NIC.
If you have done all of this already let me know, else Job Done!
Regards
keith
ISA MCT