David Paris Vicente (Spain) asked:

Problems accessing an external web site.

Hello everyone,

We have a problem related to our external users: they access our domain through a VPN, no problems with that.
But when they want to access one particular site they receive the message "403 Forbidden - The ISA Server denies the specified Uniform Resource Locator (URL). (12202)". For us this seems a little awkward, because they can access every other site except that one.
Our DC is Win 2003 R3 and we have ISA 2006 implemented, and so far they work well.

We have also looked at everything related to this matter, but no solution that we read helped us solve our problem.

Any ideas???

Thanks to you all.


Wadski (United Kingdom):

Are you allowing VPN users access to the External network in the ISA configuration?
So the issue is only for VPN users to this one site? i.e. all internal users can access this one site OK?
What is the site URL? Is it an https site or an ordinary http site?
Have you deployed ISA 2006 SP1?
AND the ISA 2006 Supportability Pack?

Is ISA installed as a firewall/proxy or proxy only?
Is ISA providing the VPN head-end function, or is there another device in the mix?
If it is ISA doing the VPN, then what firewall rules do you have in place FROM VPN Clients TO External?
David Paris Vicente (asker):

Hi,
Wadski, to answer your questions: no, they don't have permission to access the External network, only the URLs that we define.

To answer your questions, Keith: ISA is installed as firewall/proxy, and yes, ISA is the provider of the VPN head-end.

And we have:

Array: VPN; Action: Allow; Protocols: All outbound traffic; From: VPN Clients; To: URL Sets > DGS > "http://who.int/*", among other URLs. This is the one they can't access; the rest of the external web sites they can access.

But internally we can access that particular site, http://who.int/*, with no problems. We already gave them access to all networks and local hosts, but this is a security breach for us.

Thank you
Thanks for all of that - can you give an exact URL? I'll try it now and follow the headers through.
Hi Keith,

Thanks for your help. The exact URL is: www.who.int
My co-worker and I don't have any more ideas: DNS replies well, the DMZ is working fine, and we can access it with no problems from the internal network and through the VPN with our users.

In the past this site worked fine, but the users now complain that they can't access it
since last week, and we don't know why, because we didn't make any changes on the ISA.

Thanks again, Keith.

Kind regards,
David
No problems - I agree that your current testing rule would be a significant security hole long term.
Open the ISA GUI, select Monitoring > Logging > Start Query.
What EXACTLY is seen in the log when this VPN user tries to access that site? This may cover two or three lines of log. Also, if the call is denied, which rule is performing the deny? The default rule or a different one?

Now do exactly the same for a site the VPN user CAN get to - what do you see in the log? What is different?



Hi Keith,

This is the log for the site they can't access:

Denied Connection                                               XXXXXXXXISA02 07-11-2008 12:36:22
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: [Enterprise] Default rule
Source: VPN Clients (172.XXX.XXX.XXX)
Destination: External (158.232.12.119:80)
Request: GET http://158.232.12.119/ 
Filter information: Req ID: 0d191236; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: domain\XPTO
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 1 ms
MIME type:
---------------------------------------------------------------------------------------------------------

This is the log of the site they can access:

Allowed Connection                                                      XXXXXXISA01 07-11-2008 12:53:14
Log type: Web Proxy (Forward)
Status: 0 The operation completed successfully.
Rule: VPN S24
Source: VPN Clients (172.xxx.xxx.xxx)
Destination: External (172.18.0.1:80)
Request: GET http://192.71.85.66/images/banners/banner_EAA_ex_4.jpg 
Filter information: Req ID: 0f8cccbd; Compression: client=No, server=No, compress rate=0% decompress rate=0%, Range=3744-41233
Protocol: http
User: domain\XPTO
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Object source: Cache (Source is the cache. Object was returned from the cache.)
Cache info: 0x4040 (Request includes the RANGE header. Request includes the IF-RANGE header.)
Processing time: 1 ms
MIME type: image/jpeg

We don't know why the bold lines are different, because the rule that we want to be applied is VPN S24, and we don't know why the External destination also changes.



Thanks Again.
David
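The two log entries above differ in the request line as well as in the rule that fired: the denied request is "GET http://158.232.12.119/", a raw IP, while the allow rule in this thread points at a URL set naming "http://who.int/*". The following is an added example, my own code and not the ISA product's or the poster's, that replays the denied entry through a simplified model of ISA URL-set rule matching and reports why a request misses the set. The wildcard semantics ('*' matches any run of characters, everything else literal and case-insensitive), the first-match rule order and the deny-all default rule are my assumptions about ISA behaviour; the VPN client address in the sample entry is a constructed placeholder.

```python
"""Simplified model of ISA 2006 Web Proxy rule matching (added example, not ISA code).

Assumptions (mine, not verified against the product): a URL-set entry is matched
literally and case-insensitively except that '*' stands for any run of characters;
rules are evaluated in order and the first hit wins; an unmatched request falls
through to a deny-all default rule.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Rule table modelled on the thread: the poster's VPN S24 allow rule with the one
# URL-set entry named in the thread, followed by the implicit default rule.
RULES = [
    {"name": "VPN S24", "action": "Allow", "source": "VPN Clients",
     "urlset": ["http://who.int/*"]},
    {"name": "[Enterprise] Default rule", "action": "Deny", "source": "*",
     "urlset": ["*"]},
]

# Constructed sample: the denied entry from the thread, trimmed to the fields this
# model uses.  The VPN client address is a placeholder, not the poster's address.
DENIED_ENTRY = """\
Denied Connection XXXXXXXXISA02 07-11-2008 12:36:22
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: [Enterprise] Default rule
Source: VPN Clients (172.16.0.10)
Destination: External (158.232.12.119:80)
Request: GET http://158.232.12.119/
"""

_FIELD = re.compile(r"^(Rule|Source|Request):\s*(.*?)\s*$", re.MULTILINE)


def parse_entry(text):
    """Pull the rule, source network and request URL out of one log entry."""
    fields = dict(_FIELD.findall(text))
    _method, url = fields["Request"].split(None, 1)
    source_network = fields["Source"].split(" (")[0]
    return {"rule": fields["Rule"], "source": source_network, "url": url}


def _pattern_to_regex(pattern):
    """Turn an ISA-style URL-set entry into an anchored regex ('*' = wildcard)."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def url_in_set(url, urlset):
    """True if any entry of the URL set covers the request URL."""
    return any(_pattern_to_regex(p).match(url) for p in urlset)


def match_rule(source_network, url, rules=RULES):
    """Return the first rule whose source network and URL set cover the request."""
    for rule in rules:
        if rule["source"] in ("*", source_network) and url_in_set(url, rule["urlset"]):
            return rule
    return None


def diagnose(url, urlset):
    """Say why a request misses a hostname-based URL set (None if it is covered)."""
    if url_in_set(url, urlset):
        return None
    host = (urlsplit(url).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return "ip-literal"          # a raw IP can never match a hostname entry
    except ValueError:
        pass
    listed = [re.match(r"https?://([^/]+)", p).group(1) for p in urlset]
    if any(_pattern_to_regex(h).match(host) for h in listed):
        return "path-not-covered"    # host listed, but the path part does not match
    return "host-not-listed"         # e.g. www.who.int vs an entry for who.int


def replay(entry_text):
    """Run a log entry through the model: (rule name, action, reason for a miss)."""
    entry = parse_entry(entry_text)
    rule = match_rule(entry["source"], entry["url"])
    return rule["name"], rule["action"], diagnose(entry["url"], RULES[0]["urlset"])


if __name__ == "__main__":
    print(replay(DENIED_ENTRY))
    for probe in ("http://who.int/en/", "http://www.who.int/", "http://158.232.12.119/"):
        print(probe, "->", diagnose(probe, RULES[0]["urlset"]))
```

Under these assumptions the denied entry lands on the default rule for the reason "ip-literal": a request addressed to 158.232.12.119 cannot match an entry written for the hostname who.int, which agrees with the Rule line the log itself records. The same check also flags the second trap with hostname entries: "http://who.int/*" does not cover www.who.int, so a separate "http://*.who.int/*" entry (or both) is needed if the users browse the www name.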

Hmmm - note the different results? One looks like it is being forwarded to the ISA server (or at least to an internal IP, as 172.18.0.1 is a private address), whereas the one that is failing is calling an external, public IP address directly: 158.232.12.119.

Are the remote users set up in their proxy settings correctly?
Yes.
If the proxy is not set correctly they can't access external sites when they are in our system.
In the past we made an MSI file to install all the configuration needed to access our network.
Thanks for your help; we are going to pursue this problem and try to find a solution.
OK - how have you set up the LAT for the IP addresses of machines at the remote VPN end?
We only have the LAT defined for our Internal network and Intra-Array.
For VPN Clients, no IP addresses are currently assigned to this network.
We have a network rule with a NAT relationship:
Source networks: Internal and VPN Clients; destination network: External.

The VPN addresses - how are these assigned? From your internal DHCP address range, or from a static list using a different subnet?
Hi Keith,
The VPN addresses are assigned by the ISA to VPN users.
Sure - but from a static group you have created, or from part of the internal DHCP?
From a static address pool added in the ISA.
ASKER CERTIFIED SOLUTION
David Paris Vicente (Spain)
This solution is only available to members.
No probs :)