• Status: Solved
  • Priority: Medium
  • Security: Public

ISA 2006 Intermittent Denial of Authorized URL by Web Publishing Rule

Hi

We have a standard ISA 2006 server running on a Server 2003 platform with a Core II Duo processor and 2GB of RAM.

The ISA is used mainly for web publishing and we run a number of web sites behind the ISA server. This has been running and stable for the last 2 years.

Problem: We have a new domain which has been registered as a Public Name in the usual way. However, the ISA Server intermittently denies the URL with the following error:

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

Based on watching the logging reports, the URL is denied by the [Enterprise] Default Rule. This seems to indicate that the URL has bypassed all other rules, i.e. not been applicable - and then has been stopped by the final rule.

However sometimes the Web Publishing Rule works and the site comes up normally. Then after a few mins of browsing the site the above error pops up.

I have also linked another test URL to the same IIS site and published its Public Name and it works fine!

We have tried everything: recreated the site in IIS, mapped different content, and added and removed the Public Name a hundred times. Just when it seems to be running OK again, bang! The error pops up again.

Please can someone help.
Thank you
Howard
Syncrony.com
 
Amirchoupani Commented:
- First of all, if you have the standard edition of ISA, then what do you mean by Enterprise default rule? Do you mean the Last rule?
- What's the authentication method in your publishing rule?
- Is your ISA joined to your domain?
- What happens if you set All Users in your publishing rule?
 
hrybko1 (Author) Commented:
Hi

Thank you for your response

1) Yes, I mean the Last Rule (and yes, we are using the Enterprise version)
2) Yes the ISA is joined to the domain
3) Web Publishing rule is set to All Users

Problem is that the rule works SOMETIMES and then it stops working.

Thank you
Howard
 
hrybko1 (Author) Commented:
Hi

In case this helps, here is a link to the site on a dummy URL: http://www.rybko.co.za/

If you click on that and then the SERVICES menu link on the top right, that link has the real site address, which will bring up my ISA denial message. Note that both domains are set up identically in ISA and IIS.

Thank you
Howard
Amirchoupani Commented:
You missed this question :)
- What's the authentication method in your publishing rule?

Try Selecting Allow authentication through .... Located in web listener --> authentication --> advanced.
 
hrybko1 (Author) Commented:
Hi
Client Authentication is set to No Authentication under the advanced tab for the Listener.

I have added a new domain that is for another client and it behaves the same way.
Thus for some reason the HTTP rule is INTERMITTENTLY refusing connections on port 80 for NEW domains published on the Web Publishing rule.

It is crazy. I can restart the ISA service and the site is browsable no problem. Then after a few mins ISA gives a 403 12202 denied error and both new sites stop working.

I have run logging and see that when the error occurs the Original Client IP address is internal 10.204.0.1 and the error code is either 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN or 0x80074e21 FWX_E_ABORTIVE_SHUTDOWN.
Thus for some reason the request suddenly gets shut down at the HTTP level and does not seem to get to the Web Pub rule.

One other thing - my ISA is part of the domain but sometimes I get an error in the system logs that says that the ISA server could not connect to the domain.

Any help will be appreciated.
Thanks
 
hrybko1 (Author) Commented:
OK - Thanks
I have fixed the problem - for now by removing the ISA server from the domain.

Not sure if I should rejoin it now - because most things seem to be working OK.

Thank you

Howard
Question has a verified solution.