[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

ISA 2006 Intermittent Denial of authourized URL by Web Publishing Rule

Posted on 2009-02-12
6
Medium Priority
?
814 Views
Last Modified: 2012-05-06
Hi

We have a standard ISA 2006 server running on a Server 2003 platform with a Core II Duo processor and 2GB of RAM.

The ISA is used mainly for web publishing and we run a number of web sites behind the ISA server. This has been running and stable for the lats 2 years,

Problem: We have new domain which has been registered as a Public Name in the usual way. However the ISA Server intermittently denies the URL with the following error:

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

Based watching the logging reports the URL is denied by the [Enterprise] Default Rule. This seems to indicate that the URL has bypassed all other rules IE not been applicable - and then has been stopped by the final rule.

However sometimes the Web Publishing Rule works and the site comes up normally. Then after a few mins of browsing the site the above error pops up.

I have also linked another test URL to the same IIS site and published its Public Name and it works fine!

We have tried everything, Recreated the site in IIS. Mapped different content and added and removed the Public name a hundred times. Just when it seems to be running OK again, bang! the error pops up again.

Please can someone help.
Thank you
Howard
Syncrony.com
0
Comment
Question by:hrybko1
  • 4
  • 2
6 Comments
 
LVL 9

Expert Comment

by:Amirchoupani
ID: 23624368
- First of all if you have standard edition of ISA, then what do you mean by Enterprise default rule? Do you mean Last rule.
- What's the authentication method in your publishing rule?
- Is your ISA joined to your domain?
- What happens if you set All Users in your publishing rule?
0
 

Author Comment

by:hrybko1
ID: 23630313
Hi

Thank you for your response

1) Yes I mean the Last Rule ( and yes we are using the Enterprise version)
2) Yes the ISA is joined to the domain
3) Web Publishing rule is set to All Users

Problem is that the rule works SOMETIMES and then it stops working.

Thank you
Howard
0
 

Author Comment

by:hrybko1
ID: 23630744
Hi

In case this helps here is a link to the site on a dummy URL http://www.rybko.co.za/

If u click on that and then SERVICES menu link on top right. That link has the real site address, which will bring up my ISA denial message. Note both domains are set up identically in ISA and IIS

Thank you
Howard
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 9

Assisted Solution

by:Amirchoupani
Amirchoupani earned 1000 total points
ID: 23637169
You missed this question :)
- What's the authentication method in your publishing rule?

Try Selecting Allow authentication through .... Located in web listener --> authentication --> advanced.
0
 

Author Comment

by:hrybko1
ID: 23647555
Hi
Client Authentication is set to No Authentication under the advanced tab for the Listener.

I have added a new domain that is for another client and it behaves the same way.
Thus for some reason the HTTP rule is INTERMITTENTLY refusing connections on port 80 for NEW domains published on the Web Publishing rule.

It is crazy. I can restart the ISA service and the site is browsable no problem. Then after a few mins ISA gives a 403 12202 denied error and both new sites stop working.

I have run logging and see that when the error occurs the Original Client IP address is internal 10.204.0.1 and the error code is either 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN
or 0x80074e21 FWX_E_ABORTIVE_SHUTDOWN.
Thus for some reason the request suddenly gets shut down at the HTTP level and does not seem to get to the Web Pub rule.

One other thing - my ISA is part of the domain but sometimes i get an error in the system logs that say that the ISA server could not connect to the domain.

Any help will be appreciated.
Thanks
0
 

Accepted Solution

by:
hrybko1 earned 0 total points
ID: 23653224
OK - Thanks
I have fixed the problem - for now by removing the ISA server from the domain.

Not sure if I should rejoin it now - because most thing seem to be working OK.

Thank you

Howard
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are three types of ISA client that can be configured - these can be individual clients or multiples of a client on each PC or server SecureNAT. A SecureNAT client for ISA server is a client machine, work station or server, that has its defa…
In all versions of ISA Server and the current version of FTMG, the default https protocol uses TCP port 443 and 563 only. This cannot be changed within the ISA or FTMG GUI and must be completed from a Windows cmd prompt on the ISA Server itself. …
Integration Management Part 2
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Suggested Courses
Course of the Month20 days, 2 hours left to enroll

872 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question