Solved

ISA 2004 - with windows 2003 server SP2,  Error Code 502 Proxy The ISA Server denied specified Uniform Resource Locator URL 12202

Posted on 2009-07-06
2
1,713 Views
Last Modified: 2012-06-27
Dear all we are facing problem with the ISA server 2004 installed on Windows 2003 Server with Service pack 2.
The ISA server is connected behind a PIX 525 Firewall as follows
INTERNET ----- PIX 525 ----SWITHC REAL IP
             |
             |
             |
             |

         DMZ    ZONE--------------- ISA SERVER

Since past 2 days we are facing some issues with the browsing, the hotmail, Gmail & yahoo mail cannot be opened, its giving us the following error,

X
      Network Access Message: The page cannot be displayed

      Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

Try the following:
"      Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
"      Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
"      Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.
If you are still not able to view the requested page, try contacting your administrator or Helpdesk.

      Technical Information (for support personnel)
"      Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
"      IP Address: 10.0.1.108
"      Date: 7/7/2009 5:57:07 AM
"      Server: fw01.kfsh.med.sa
"      Source: proxy
No configuration changes were done in past two weeks, suddenly this problem started, if we browse directly without the ISA server everything seems to be fine.
Please help me to solve this issue, also our ISA VPN is not working

Alert Information
Description: ISA Server detected routes through the network adapter Internal that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 30.0.0.0-30.0.1.255;50.0.0.0-50.0.1.255;10.0.8.0-10.1.255.255;10.2.2.0-10.3.255.255;10.4.2.0-10.5.255.255;10.6.2.0-10.7.255.255;10.8.2.0-10.9.255.255;10.10.2.0-10.11.255.255;10.12.2.0-10.13.255.255;10.14.2.0-10.15.255.255;10.16.2.0-10.17.255.255;10.18.2.0-10.19.255.255;10.20.2.0-10.21.255.255;10.22.2.0-10.23.255.255;10.24.2.0-10.25.255.255;10.26.2.0-10.27.255.255;10.28.2.0-10.29.255.255;10.30.2.0-10.31.255.255;10.32.2.0-10.33.255.255;10.34.2.0-10.35.255.255;10.36.2.0-10.37.255.255;10.38.2.0-10.39.255.255;10.40.2.0-10.41.255.255;10.42.2.0-10.43.255.255;10.44.2.0-10.45.255.255;10.46.2.0-10.47.255.255;10.48.2.0-10.48.255.255;10.49.2.0-10.49.255.255;10.50.2.0-10.51.255.255;10.52.2.0-10.53.255.255;10.54.2.0-10.55.255.255;10.56.2.0-10.57.255.255;10.58.2.0-10.69.255.255;10.70.2.0-10.89.255.255;10.90.2.0-10.255.255.254;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.
<br>ISA Server detected routes through the network adapter External that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 10.0.8.0-10.1.255.255;10.2.2.0-10.3.255.255;10.4.2.0-10.5.255.255;10.6.2.0-10.7.255.255;10.8.2.0-10.9.255.255;10.10.2.0-10.11.255.255;10.12.2.0-10.13.255.255;10.14.2.0-10.15.255.255;10.16.2.0-10.17.255.255;10.18.2.0-10.19.255.255;10.20.2.0-10.21.255.255;10.22.2.0-10.23.255.255;10.24.2.0-10.25.255.255;10.26.2.0-10.27.255.255;10.28.2.0-10.29.255.255;10.30.2.0-10.31.255.255;10.32.2.0-10.33.255.255;10.34.2.0-10.35.255.255;10.36.2.0-10.37.255.255;10.38.2.0-10.39.255.255;10.40.2.0-10.41.255.255;10.42.2.0-10.43.255.255;10.44.2.0-10.45.255.255;10.46.2.0-10.47.255.255;10.48.2.0-10.48.255.255;10.49.2.0-10.49.255.255;10.50.2.0-10.51.255.255;10.52.2.0-10.53.255.255;10.54.2.0-10.55.255.255;10.56.2.0-10.57.255.255;10.58.2.0-10.69.255.255;10.70.2.0-10.89.255.255;10.90.2.0-10.255.255.254;30.0.0.0-30.0.1.255;50.0.0.0-50.0.1.255;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.

Open in new window

ISA-Error.jpg
hotmail-error.jpg
KFSH-Internet-Architecture.jpg
0
Comment
Question by:yasirirfan
2 Comments
 
LVL 29

Accepted Solution

by:
pwindell earned 270 total points
ID: 24795120
ISA is actively deniing the page.  So something changes somewhere even if you don't know it happened.
"fw01.kfsh.med.sa" does not look like anything related to hotmail, gmail, or yahoo mail to me, but I could be wrong.
The live monitoring log will show the Denies and they will show the Rule that is doing it.
If the Rule is the "Default Rule" then it just means that no "allow" rule anywhere in your Rule List matches the traffic that ISA see.  If no rule on the list match the traffic the traffic is automatically stopped by the Default Rule,...it is the same idea as the Implicit Deny that Cisco products use.
The Alert listed can usually be ignored with Remote Access VPN Clients.  There is a breif period of time where the VPN Users received IP# is dynamically switched from the Internal Network to the VPN Users Network,...that mild delay is sometimes enough to cause a false positive with that alert.
As far as the VPN not working,...can't help there.  Just having "it doesn't work" is not enough detail to work with.  Probably should focus on the other problems first.
0

Featured Post

ScreenConnect 6.0 Free Trial

Want empowering updates? You're in the right place! Discover new features in ScreenConnect 6.0, based on partner feedback, to keep you business operating smoothly and optimally (the way it should be). Explore all of the extras and enhancements for yourself!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Forefront is the brand name for Microsoft's major security product. Forefront covers a number of specific security areas and has 'swallowed' a number of applications under this umbrella including Antigen, ISA Server, the Integrated Access Gateway (t…
In all versions of ISA Server and the current version of FTMG, the default https protocol uses TCP port 443 and 563 only. This cannot be changed within the ISA or FTMG GUI and must be completed from a Windows cmd prompt on the ISA Server itself. …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

823 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question