Problems accessing an external web site.

Hello everyone,

We have a problem related to our external users. They access our domain with a VPN, no problems with that.
But when they want to access a particular site they receive the message 403 Forbidden - the ISA Server denies the specified Uniform Resource Locator (URL). (12202). For us this seems a little awkward, because they can access other sites, except that one.
Our DC is Win 2003 R3 and we have ISA 2006 implemented, and so far they work well.

We have also seen everything related to this matter, but no solution that we read helped us solve our problem.

Any ideas???

Thanks to you all.


David Paris Vicente, Systems and Communications Administrator, Asked:
Wadski, IT Director, Commented:
Are you allowing VPN users access to the external network in the ISA configuration?
Keith Alabaster, Enterprise Architect, Commented:
So the issue is only for VPN users to this one site? i.e. all internal users can access this one site OK?
What is the site URL? Is it an https site or an ordinary http site?
Have you deployed the ISA2006 SP1?
AND the ISA2006 Supportability pack?

Is ISA installed as a firewall/proxy or proxy only?
Is ISA providing the VPN header function or is there another device in the mix?
If it is ISA doing the VPN, then what firewall rules do you have in place FROM VPN Clients TO External?
David Paris Vicente, Systems and Communications Administrator, Author Commented:
Hi,
Wadski, answering your question: no, they don't have permission to access an external network, only the URLs that we define.

Answering your questions, Keith: ISA is installed as firewall/proxy, and yes, the ISA is the provider of the VPN header.

And we have:

Array ---> VPN; Action ---> Allow; Protocols ---> All outbound traffic; From ---> VPN Clients; To ---> URL Sets --> DGS --> "http://who.int/*", among other URLs. But this one they can't access; the rest of the external web sites they can access.

But internally we can access that particular site http://who.int/* with no problems. We already gave them access to all networks and local hosts, but this is a security breach for us.

Thank you
Keith Alabaster, Enterprise Architect, Commented:
Thanks for all of that - can you give an exact URL? I'll try it now and follow the headers through.
David Paris Vicente, Systems and Communications Administrator, Author Commented:
Hi Keith,

Thanks for your help. The exact URL is: www.who.int
My co-worker and I don't have any more ideas. The DNS replies well, the DMZ is working fine, and we can access with no problems from the internal network and through VPN with our users.

In the past this site worked fine, but the users complain now that they can't access it
since last week, and we don't know why, because we didn't make any changes on the ISA.

Thanks again Keith.

Kind Regards
David
Keith Alabaster, Enterprise Architect, Commented:
No problems - I agree that your current testing rule would be a significant security hole long term.
Open the ISA GUI - select Monitoring - Logging - Start Query.
What EXACTLY is seen in the log when this VPN user tries to access that site? This may cover two or three lines of log. Also, if the call is denied, which rule is performing the deny? The default rule or a different one?

Now do exactly the same but for a site the VPN user CAN get to - what do you see in the log? What is different?



David Paris Vicente, Systems and Communications Administrator, Author Commented:
Hi Keith,

This is the log for the site they can't access:

Denied Connection XXXXXXXXISA02 07-11-2008 12:36:22
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: [Enterprise] Default rule
Source: VPN Clients (172.XXX.XXX.XXX)
Destination: External (158.232.12.119:80)
Request: GET http://158.232.12.119/
Filter information: Req ID: 0d191236; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: domain\XPTO
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 1 ms
MIME type:
---------------------------------------------------------------------------------------------------------

This is the log of the site they can access:

Allowed Connection XXXXXXISA01 07-11-2008 12:53:14
Log type: Web Proxy (Forward)
Status: 0 The operation completed successfully.
Rule: VPN S24
Source: VPN Clients (172.xxx.xxx.xxx)
Destination: External (172.18.0.1:80)
Request: GET http://192.71.85.66/images/banners/banner_EAA_ex_4.jpg
Filter information: Req ID: 0f8cccbd; Compression: client=No, server=No, compress rate=0% decompress rate=0%, Range=3744-41233
Protocol: http
User: domain\XPTO
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Object source: Cache (Source is the cache. Object was returned from the cache.)
Cache info: 0x4040 (Request includes the RANGE header. Request includes the IF-RANGE header.)
Processing time: 1 ms
MIME type: image/jpeg

We don't know why the bold lines are different, because the rule that we want to be applied is VPN S24, and why the destination External also changes.



Thanks Again.
David
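An added example, not part of the thread, that parses Web Proxy log entries like the two posted above and reports which rule fired, whether the requested host is an IP literal, and whether the requested URL falls inside the allow rule's URL set. It assumes that an ISA URL set is compared against the URL string as requested (with * as wildcard), and the sample entries are constructed to mirror the posted ones, with addresses masked as in the post:

```python
import re
from fnmatch import fnmatchcase

# Two ISA 2006 Web Proxy entries, constructed to mirror the ones posted above (addresses masked).
LOG_SAMPLE = """\
Denied Connection XXXXXXXXISA02 07-11-2008 12:36:22
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: [Enterprise] Default rule
Destination: External (158.232.12.119:80)
Request: GET http://158.232.12.119/
-----
Allowed Connection XXXXXXISA01 07-11-2008 12:53:14
Status: 0 The operation completed successfully.
Rule: VPN S24
Destination: External (172.18.0.1:80)
Request: GET http://192.71.85.66/images/banners/banner_EAA_ex_4.jpg
"""
# The allow rule from the thread: VPN Clients -> URL set containing http://who.int/*
URL_SET = ["http://who.int/*"]

def parse_entries(text):
    """Split the dump on separator lines and collect each entry's 'Field: value' pairs."""
    entries = []
    for chunk in re.split(r"^-{5,}\s*$", text, flags=re.M):
        lines = [l for l in chunk.strip().splitlines() if l.strip()]
        if not lines:
            continue
        entry = {"result": lines[0].split(" Connection")[0]}  # "Denied" or "Allowed"
        for line in lines[1:]:
            key, _, value = line.partition(":")
            entry[key.strip().lower()] = value.strip()
        entries.append(entry)
    return entries

def url_set_matches(url, patterns):
    """Assumption: a URL set is compared with the URL as requested, '*' as wildcard."""
    return any(fnmatchcase(url, p) for p in patterns)

def explain(entry, patterns):
    """Which rule fired, whether the URL is covered, and whether the host is an IP literal."""
    url = entry.get("request", "").split(" ", 1)[-1]
    host = re.sub(r"^\w+://", "", url).split("/")[0].split(":")[0]
    summary = {"result": entry["result"], "rule": entry.get("rule", ""), "url": url,
               "host_is_ip_literal": re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None,
               "matches_url_set": url_set_matches(url, patterns)}
    if summary["result"] == "Denied" and "default rule" in summary["rule"].lower() \
            and not summary["matches_url_set"]:
        summary["note"] = "fell through to the default deny: URL not in the allowed URL set"
    return summary
```

Run `explain(e, URL_SET)` over `parse_entries(LOG_SAMPLE)` to see that the denied request was made to a bare IP, which no hostname entry in the URL set can cover, so it lands on the default rule.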

Keith Alabaster, Enterprise Architect, Commented:
Hmmm - note the different results? One looks like it is being forwarded to the ISA server (or at least an internal IP, as 172.18.0.1 is a private address), whereas the one that is failing is calling an external, public IP address directly - 158.232.12.119

Are the remote users set up in their proxy settings correctly?
David Paris Vicente, Systems and Communications Administrator, Author Commented:
Yes.
If the proxy is not set correctly they can't access external sites when they are in our system.
In the past we made an MSI file to install all the configurations needed to access our network.
Thanks for your help; we are going to pursue this problem and try to find a solution.
Keith Alabaster, Enterprise Architect, Commented:
OK - how have you set up the LAT for the IP addresses of machines that are at the remote VPN end?
David Paris Vicente, Systems and Communications Administrator, Author Commented:
We only have the LAT defined for our internal network and Intra-Array.
For VPN clients: No IP addresses are currently assigned to this network.
We have a network rule with NAT relation:
Source networks > Internal and VPN Clients, to Destination networks > External.
Keith Alabaster, Enterprise Architect, Commented:
The VPN addresses - how are these assigned? From your internal DHCP address range or from a static list using a different subnet?
David Paris Vicente, Systems and Communications Administrator, Author Commented:
Hi Keith,
the VPN addresses are assigned by the ISA to VPN users.
Keith Alabaster, Enterprise Architect, Commented:
Sure - but from a static group you have created or from part of the internal DHCP?
David Paris Vicente, Systems and Communications Administrator, Author Commented:
From a static address pool added in the ISA.
David Paris Vicente, Systems and Communications Administrator, Author Commented:
Hi Keith,
After we rebooted one node the problem has been solved; the users can access all the sites, but the reason why the ISA denied access to these sites remains awkward.
Thanks for everything.

Keith Alabaster, Enterprise Architect, Commented:
No probs :)