RE: 403 Forbidden

• From: "Doige, Clayton" <clayton.doige@xxxxxxxxxxx>
• To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
• Date: Tue, 18 Oct 2005 22:42:12 +0100

OK, OK, letting my frustrations rule the Vulcan mindset. I put the public name 
as an IP Address that is associated with the public interface of the ISA, which 
in this case is a DMZ IP of 10.*.*.*, and that does not work. I thought this 
would work as the external firewall is doing dynamic NAT from the public IP 
which will remain secret to protect my short comings that seem to be readily 
apparent here. I can open that website via IP directly from the ISA server 
itself.
 
So, as that did not work, I tried giving the Public Name the IP Address that 
the external firewall, a Watchguard Firebox X 1000 with Fireware Pro software 
(does all sorts of whizzy loadbalancing amongst multiple ISP's that I am not 
using yet) and this still does not work.
 
I very much appreciate your taking the time to help me out here, so ask away to 
clarify what the heck I am doing wrong. For the sake of clarity, I am going to 
make some IP Addresses up to try an illustrate the settings I have in place, 
and I will sub reserved IP's for what I am actually using (assume a 24 bit 
mask).
 
Firebox X 1000 Public IP 192.168.0.1 NATS  HTTP to 192.168.1.1.
ISA 2004 External IP 192.168.1.1
HTTP Publishing Rule Public Address 192.168.1.1
To Web Server Address:  192.168.2.1
The listener is therefore configured to listen on 192.168.1.1 and pass this to 
192.168.2.1 
 
Combined with the settings in my earlier posts does this give you an idea of 
what I have set, and what might be missing? I am trying to access the site from 
a remote site that has no physical connectivity to my test bed other than on 
the public net. I have also tried to access the site directly through the ISA 
from (for example) 192.168.1.5, and get the same result, thus the X 1000 is not 
the issue.
 
So, 192.168.0.1 should take you to 192.168.2.1. 
 
I have created a simple rule for the RDP protocol which works in the above 
scenario perfectly, and if I did the same with the HTTP protocol I am sure it 
would work a treat, but as soon as I invoke the web listener, I have this issue.
 
Ultimately, I am having the same issues getting OWA with forms based 
authentication on this test bed, so am hoping a simple unsecure, non ssl http 
solution will get me where I want to go with the OWA as I need to get this 
working for many a reason.
 
If I were to do anything with this kit, aside from the Coyote thing, it would 
be to install it at home as a nice movie storage location, given the three 72 
GB 15000 rpm drives in the thing LOL. 
 
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
v
SPLAT!!!!!!!!
 
Thanks again
 
Clayton

________________________________

From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Tue 18/10/2005 18:20
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 403 Forbidden



http://www.ISAserver.org

Yep - blame the machine for the operator actions.
If you want to toss the hardware, I'll gladly pay shipping so long as it 
doesn't get "sidewalked" first.
You're still being too general in your description of the problem.
You failed to provide:
- the *exact* URL used in testing.
As I pointed out in my first response, the "public names" *must* include the 
host name from the URL you're using.
Since you won't tell anyone what the *exact* test URL is, well; you know the 
rest.


-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------

________________________________________
From: Doige, Clayton [mailto:clayton.doige@xxxxxxxxxxx]
Sent: Tuesday, October 18, 2005 09:45
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 403 Forbidden

http://www.ISAserver.org
Sorry to reply to my own, but I am going to have a serious humour bypass with 
this stupid server and jettison out of our 8th floor window soon ;-)
 
Off of the Forum on isaserver.org I found topic 89 I believe, which refers to 
this problem.
 
I followed jdl's advice in that topic and set the Public name to the external 
IP Address of the ISA Server, and set it to forward original host header, and 
to appear to come from original client and no go. What gives with this stupid 
piece of software? The settings on the rule and listener are now as follows:
 
Action Tab: Set to allow
From Tab: set to External
To Tab: internal IP Address of tsweb farm
Traffic Tab: HTTP only
Listener Tab: Listener I created listens on port 80 only and uses no 
authentication
Public Name Tab: public ip address of ISA Server
Paths Tab: set to /tsweb (as per the documentation for TSWEB)
Bridging Tab: Web server is selected with redirect http to port 80
Users Tab: is currently all users
Schedule Tab: always
Link Translation Tab: nothing configured
 
Please help, as there is a DL380 with it's life in serious jeopardy here, can 
you imagine the carnage of one of these babies hitting the sidewalk from 8 
stories up? It would be worse than the Coyote in any given Road Runner episode 
you care to name.
 
Clayton Doige
IT Project Manager
CME Development Corporation
T: 020 7430 5355
M: 07932 653787
E:clayton.doige@xxxxxxxxxxx
W:www.cetv-net.com
________________________________________
From: Doige, Clayton [mailto:clayton.doige@xxxxxxxxxxx]
Sent: 13 October 2005 15:04
To: [ISAserver.org Discussion List]
Subject: [isalist] 403 Forbidden
 
http://www.ISAserver.org
Hi all, I have set up a network load balanced Terminal Services farm in a test 
situation (Windows 2003 Standard SP1). I have also installed the TSWEB 
component. This works great internally, however, when I am attempting to 
connect to this through the ISA 2004 Firewall I get 403 Forbidden. The server 
denied the specified URL, blah blah blah (12202)
 
The rule I have set on the ISA Server has the following properties:
 
Action Tab: Set to allow
From Tab: set to External
To Tab: netbios name of the network loadbalancer, with 'Request appear to come 
from ISA' selected
Traffic Tab: HTTP only
Listener Tab: Listener I created listens on port 80 only and uses integrated 
authentication
Public Name Tab: currently set to all requests
Paths Tab: set to /tsweb (as per the documentation for TSWEB)
Bridging Tab: Web server is selected with redirect http to port 80
Users Tab: is currently all users
Schedule Tab: always
Link Translation Tab: nothing configured
 
Am looking up things on the mskb, and it looks like an asp error in IIS, but 
was wondering if anyone might be able to shed some light on what is occurring 
here?
 
TIA
 
Clayton Doige
IT Project Manager
CME Development Corporation
T: 020 7430 5355
M: 07932 653787
E:clayton.doige@xxxxxxxxxxx
W:www.cetv-net.com
 
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
clayton.doige@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
clayton.doige@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

• » 403 Forbidden
• » RE: 403 Forbidden
• » RE: 403 Forbidden
• » RE: 403 Forbidden
• » RE: 403 Forbidden
• » RE: 403 Forbidden
• » RE: 403 Forbidden
• » RE: 403 Forbidden
• » RE: 403 Forbidden
• » RE: 403 Forbidden
• » RE: 403 Forbidden
• » RE: 403 Forbidden
• » RE: 403 Forbidden
• » RE: 403 Forbidden
• » RE: 403 Forbidden
• » RE: 403 Forbidden

• » Related posts
• » Previous by Date
• » Next by Date
• » This Month's Archive
• » Main Archive Page
• » View list details
• » Manage your subscription