Problems accessing an external web site.

Hello everyone,

We have a problem related to our external users: they access our domain through a VPN, no problems with that.
But when they want to access a particular site they receive the message "403 Forbidden - The ISA Server denies the specified Uniform Resource Locator (URL). (12202)". For us this seems a little awkward, because they can access all other sites except that one.
Our DC is Win 2003 R3 and we have ISA 2006 implemented, and so far they work well.

We have also read everything related to this matter, but no solution that we read helped us solve our problem.

Any ideas???

Thanks to you all.


Asked by: David Paris Vicente
1 Solution
 
Wadski (IT Director) commented:
Are you allowing VPN users access to the external network in the ISA configuration?
0
 
Keith Alabaster commented:
So the issue is only for VPN users to this one site? i.e. all internal users can access this one site OK?
What is the site URL? Is it an https site or an ordinary http site?
Have you deployed the ISA 2006 SP1?
AND the ISA 2006 Supportability pack?

Is ISA installed as a firewall/proxy or proxy only?
Is ISA providing the VPN head-end function, or is there another device in the mix?
If it is ISA doing the VPN, then what firewall rules do you have in place FROM VPN Clients TO External?
0
 
David Paris Vicente (Author) commented:
Hi,
Wadski, answering your question: no, they don't have permission to access the external network, only the URLs that we define.

Answering your questions, Keith: ISA is installed as firewall/proxy, and yes, the ISA is the provider of the VPN head-end.

And we have:

Array ---> VPN; Action ---> Allow; Protocols ---> All outbound traffic; From ---> VPN Clients; To ---> URL Sets --> DGS --> "http://who.int/*", among other URLs. This is the only one they can't access; the rest of the external web sites they can access.

But internally we can access that particular site http://who.int/* with no problems. We already gave them access to all networks and local hosts, but this is a security breach for us.

Thank you
0
 
Keith Alabaster commented:
Thanks for all of that - can you give an exact URL? I'll try it now and follow the headers through.
0
 
David Paris Vicente (Author) commented:
Hi Keith,

thanks for your help, the exact URL is: www.who.int
My co-worker and I don't have any more ideas; the DNS replies well, the DMZ is working fine, we can access it with no problems from the internal network and through VPN with our users.

In the past this site worked fine, but the users complain now that they can't access it
since last week, and we don't know why because we didn't make any changes on the ISA.

Thanks again Keith.

Kind Regards
David
0
 
Keith Alabaster commented:
No problems - I agree that your current testing rule would be a significant security hole long term.
Open the ISA GUI - select Monitoring - Logging - Start Query.
What EXACTLY is seen in the log when this VPN user tries to access that site? This may cover two or three lines of log. Also, if the call is denied, which rule is performing the deny? The default rule or a different one?

Now do exactly the same but for a site the VPN user CAN get to - what do you see in the log? What is different?

0
 
David Paris Vicente (Author) commented:
Hi Keith,

This is the log for the site they can't access:

Denied Connection                                               XXXXXXXXISA02 07-11-2008 12:36:22
Log type: Web Proxy (Forward)
Status: 12202 The ISA Server denied the specified Uniform Resource Locator (URL).
Rule: [Enterprise] Default rule
Source: VPN Clients (172.XXX.XXX.XXX)
Destination: External (158.232.12.119:80)
Request: GET http://158.232.12.119/ 
Filter information: Req ID: 0d191236; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: domain\XPTO
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 1 ms
MIME type:
---------------------------------------------------------------------------------------------------------

This is the log of the site they can access:

Allowed Connection                                                      XXXXXXISA01 07-11-2008 12:53:14
Log type: Web Proxy (Forward)
Status: 0 The operation completed successfully.
Rule: VPN S24
Source: VPN Clients (172.xxx.xxx.xxx)
Destination: External (172.18.0.1:80)
Request: GET http://192.71.85.66/images/banners/banner_EAA_ex_4.jpg 
Filter information: Req ID: 0f8cccbd; Compression: client=No, server=No, compress rate=0% decompress rate=0%, Range=3744-41233
Protocol: http
User: domain\XPTO
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Object source: Cache (Source is the cache. Object was returned from the cache.)
Cache info: 0x4040 (Request includes the RANGE header. Request includes the IF-RANGE header.)
Processing time: 1 ms
MIME type: image/jpeg

We don't know why the bold lines are different, because the rule that we want to be applied is VPN S24, and why the Destination External also changed.

Thanks Again.
David

0
 
Keith Alabaster commented:
Hmmm - note the different results? One looks like it is being forwarded to the ISA server (or at least to an internal IP, as 172.18.0.1 is a private address), whereas the one that is failing is calling an external, public IP address directly - 158.232.12.119.

Are the remote users set up correctly in their proxy settings?
0
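The difference Keith points at, as an added example that is not from this thread: a small Python model of ISA-style URL-set matching (assumed, simplified semantics, not ISA's own code) run over two constructed log entries laid out like the ones above. It shows that a request the browser sends by IP address never matches the "http://who.int/*" URL set and so falls through to the default deny rule, which is exactly what the denied entry records.

```python
import re
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Simplified, hypothetical model of ISA 2006 policy evaluation (assumption, not
# ISA's code): rules are checked top-down, first match wins, default rule denies.
RULES = [
    # (rule name, action, source network, URL-set patterns in ISA syntax)
    ("VPN S24", "Allow", "VPN Clients", ["http://who.int/*", "http://*.who.int/*"]),
    ("[Enterprise] Default rule", "Deny", "*", ["*"]),
]

def url_matches(pattern, url):
    """URL-set match: scheme must be equal, '*' is a wildcard in the host,
    and a trailing '*' in the path matches any sub-path (simplified model)."""
    if pattern == "*":
        return True
    p, u = urlsplit(pattern), urlsplit(url)
    return (p.scheme == u.scheme
            and fnmatch(u.hostname or "", p.hostname or "")
            and fnmatch(u.path or "/", p.path or "/"))

def evaluate(source_network, url):
    """Return (rule name, action) of the first rule that applies."""
    for name, action, src, patterns in RULES:
        if src in ("*", source_network) and any(url_matches(p, url) for p in patterns):
            return name, action
    raise RuntimeError("the default rule should always match")

def audit(log_text):
    """Re-evaluate each Source:/Request: pair of a log block -> [(url, rule, action)]."""
    results = []
    for block in log_text.strip().split("\n\n"):
        fields = dict(re.findall(r"^([A-Za-z ]+): (.*)$", block, re.M))
        network = fields["Source"].split(" (")[0]   # "VPN Clients (ip)" -> network name
        url = fields["Request"].split()[1]          # "GET <url>" -> url
        results.append((url, *evaluate(network, url)))
    return results

# Constructed sample in the page's log layout: the first request names the
# server by IP address, the second by host name.
SAMPLE_LOG = """\
Source: VPN Clients (172.16.0.10)
Request: GET http://158.232.12.119/

Source: VPN Clients (172.16.0.10)
Request: GET http://www.who.int/csr/
"""
```

Running `audit(SAMPLE_LOG)` traces the IP-form request to the default deny rule and the host-name request to VPN S24, so the next thing to check is why the client resolved the name itself instead of handing the URL to the proxy.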
 
David Paris Vicente (Author) commented:
Yes.
If the proxy is not set correctly they can't access external sites when they are in our system.
In the past we made an MSI file to install all the configurations needed to access our network.
Thanks for your help; we are going to pursue this problem and try to find a solution.
0
 
Keith Alabaster commented:
OK - How have you set up the LAT for the IP addresses of machines that are at the remote VPN end?
0
 
David Paris Vicente (Author) commented:
We only have the LAT defined for our internal network and Intra-Array.
For VPN Clients: "No IP addresses are currently assigned to this network."
We have a network rule with a NAT relation:
Source networks > Internal and VPN Clients, to Destination Networks > External.
0
 
Keith Alabaster commented:
The VPN addresses - how are these assigned? From your internal DHCP address range or from a static list using a different subnet?
0
 
David Paris Vicente (Author) commented:
Hi Keith,
the VPN addresses are assigned by the ISA to VPN users.
0
 
Keith Alabaster commented:
Sure - but from a static group you have created or from part of the internal DHCP?
0
 
David Paris Vicente (Author) commented:
From a static address pool added in the ISA.
0
 
David Paris Vicente (Author) commented:
Hi Keith,
After we rebooted one node the problem was solved; the users can access all the sites, but the reason why the ISA denied access to these sites remains awkward.
Thanks for everything.
0
 
Keith Alabaster commented:
No probs :)
0
