We help IT Professionals succeed at work.

ISA 2006 Intermittent Denial of authourized URL by Web Publishing Rule

Medium Priority
834 Views
Last Modified: 2012-05-06
Hi

We have a standard ISA 2006 server running on a Server 2003 platform with a Core II Duo processor and 2GB of RAM.

The ISA is used mainly for web publishing and we run a number of web sites behind the ISA server. This has been running and stable for the lats 2 years,

Problem: We have new domain which has been registered as a Public Name in the usual way. However the ISA Server intermittently denies the URL with the following error:

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

Based watching the logging reports the URL is denied by the [Enterprise] Default Rule. This seems to indicate that the URL has bypassed all other rules IE not been applicable - and then has been stopped by the final rule.

However sometimes the Web Publishing Rule works and the site comes up normally. Then after a few mins of browsing the site the above error pops up.

I have also linked another test URL to the same IIS site and published its Public Name and it works fine!

We have tried everything, Recreated the site in IIS. Mapped different content and added and removed the Public name a hundred times. Just when it seems to be running OK again, bang! the error pops up again.

Please can someone help.
Thank you
Howard
Syncrony.com
Comment
Watch Question

- First of all if you have standard edition of ISA, then what do you mean by Enterprise default rule? Do you mean Last rule.
- What's the authentication method in your publishing rule?
- Is your ISA joined to your domain?
- What happens if you set All Users in your publishing rule?

Author

Commented:
Hi

Thank you for your response

1) Yes I mean the Last Rule ( and yes we are using the Enterprise version)
2) Yes the ISA is joined to the domain
3) Web Publishing rule is set to All Users

Problem is that the rule works SOMETIMES and then it stops working.

Thank you
Howard

Author

Commented:
Hi

In case this helps here is a link to the site on a dummy URL http://www.rybko.co.za/

If u click on that and then SERVICES menu link on top right. That link has the real site address, which will bring up my ISA denial message. Note both domains are set up identically in ISA and IIS

Thank you
Howard
You missed this question :)
- What's the authentication method in your publishing rule?

Try Selecting Allow authentication through .... Located in web listener --> authentication --> advanced.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts

Author

Commented:
Hi
Client Authentication is set to No Authentication under the advanced tab for the Listener.

I have added a new domain that is for another client and it behaves the same way.
Thus for some reason the HTTP rule is INTERMITTENTLY refusing connections on port 80 for NEW domains published on the Web Publishing rule.

It is crazy. I can restart the ISA service and the site is browsable no problem. Then after a few mins ISA gives a 403 12202 denied error and both new sites stop working.

I have run logging and see that when the error occurs the Original Client IP address is internal 10.204.0.1 and the error code is either 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN
or 0x80074e21 FWX_E_ABORTIVE_SHUTDOWN.
Thus for some reason the request suddenly gets shut down at the HTTP level and does not seem to get to the Web Pub rule.

One other thing - my ISA is part of the domain but sometimes i get an error in the system logs that say that the ISA server could not connect to the domain.

Any help will be appreciated.
Thanks
Commented:
OK - Thanks
I have fixed the problem - for now by removing the ISA server from the domain.

Not sure if I should rejoin it now - because most thing seem to be working OK.

Thank you

Howard
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.