hrybko1

ISA 2006 Intermittent Denial of Authorized URL by Web Publishing Rule

Hi

We have a standard ISA 2006 server running on a Server 2003 platform with a Core II Duo processor and 2GB of RAM.

The ISA is used mainly for web publishing and we run a number of web sites behind the ISA server. This has been running and stable for the last 2 years.

Problem: We have a new domain which has been registered as a Public Name in the usual way. However, the ISA Server intermittently denies the URL with the following error:

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

Based on watching the logging reports, the URL is denied by the [Enterprise] Default Rule. This seems to indicate that the URL has bypassed all other rules, i.e. not been applicable - and then has been stopped by the final rule.

However sometimes the Web Publishing Rule works and the site comes up normally. Then after a few mins of browsing the site the above error pops up.

I have also linked another test URL to the same IIS site and published its Public Name and it works fine!

We have tried everything. Recreated the site in IIS. Mapped different content and added and removed the Public Name a hundred times. Just when it seems to be running OK again, bang! The error pops up again.

Please can someone help.
Thank you
Howard
Syncrony.com
Amirchoupani

- First of all, if you have the Standard edition of ISA, then what do you mean by Enterprise default rule? Do you mean the last rule?
- What's the authentication method in your publishing rule?
- Is your ISA joined to your domain?
- What happens if you set All Users in your publishing rule?
hrybko1

ASKER

Hi

Thank you for your response

1) Yes, I mean the Last Rule (and yes, we are using the Enterprise version)
2) Yes, the ISA is joined to the domain
3) Web Publishing rule is set to All Users

Problem is that the rule works SOMETIMES and then it stops working.

Thank you
Howard
hrybko1

ASKER

Hi

In case this helps, here is a link to the site on a dummy URL: http://www.rybko.co.za/

If you click on that and then the SERVICES menu link on the top right, that link has the real site address, which will bring up my ISA denial message. Note both domains are set up identically in ISA and IIS.

Thank you
Howard
SOLUTION
Amirchoupani

This solution is only available to members.
hrybko1

ASKER

Hi
Client Authentication is set to No Authentication under the advanced tab for the Listener.

I have added a new domain that is for another client and it behaves the same way.
Thus for some reason the HTTP rule is INTERMITTENTLY refusing connections on port 80 for NEW domains published on the Web Publishing rule.

It is crazy. I can restart the ISA service and the site is browsable no problem. Then after a few mins ISA gives a 403 12202 denied error and both new sites stop working.

I have run logging and see that when the error occurs the Original Client IP address is internal 10.204.0.1 and the error code is either 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN or 0x80074e21 FWX_E_ABORTIVE_SHUTDOWN.
Thus for some reason the request suddenly gets shut down at the HTTP level and does not seem to get to the Web Pub rule.

One other thing - my ISA is part of the domain, but sometimes I get an error in the system logs that says that the ISA server could not connect to the domain.

Any help will be appreciated.
Thanks
ASKER CERTIFIED SOLUTION
This solution is only available to members.