[isalist] Re: Publishing in ISA2006
- From: "Gerald G. Young" <g.young@xxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Thu, 1 Feb 2007 09:03:18 -0500
Then again,
Maybe not.
Found this… not sure if you’ve already been down this road or not but the
symptoms do fit what you have below, although the situation does not.
Looking in the logs I see the client connecting to ISA but not getting
redirected to a web server in the farm. ISA sees them trying on port 80, says
there was a failed connection attempt, and gives me an http status code of
12241. I can't find the definition of that status code anywhere."
After some research, Calvin found this answer:
"I finally got this fixed. Turns out it is related to a bug in the Link
Translation module. I'm not 100% sure how that plays in since I am actually
using the redirection option but it must use something from link translation to
redirect the user. There is a hotfix #927265 that fixes the problem. If anyone
else is seeing this though, that hotfix is not released publicly yet so you
have to contact Microsoft support to get the download.
Cordially yours,
Jerry G. Young II
Application Engineer, Platform Engineering and Architecture
NTT America, an NTT Communications Company
22451 Shaw Rd.
Sterling, VA 20166
Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Gerald G. Young
Sent: Thursday, February 01, 2007 8:48 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
Dan,
Check the web server/site configuration (in IIS if a Windows box). It does
sound like the SSL requirement is set there.
“The page must be viewed over a secure channel (Secure Sockets Layer (SSL))”
I also see the first line of the log below saying that the attempt to connect
over 80 failed but it went through ISA just fine.
Cordially yours,
Jerry G. Young II
Application Engineer, Platform Engineering and Architecture
NTT America, an NTT Communications Company
22451 Shaw Rd.
Sterling, VA 20166
Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Ball, Dan
Sent: Thursday, February 01, 2007 8:32 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
Okay, so it is rule-based, that narrows down the troubleshooting
significantly…
When I ditch the “must use HTTPS” option in the listener (I cannot do it in
the rule), I get this these three log entries when trying to access the website:
HTTP Status Code
Cache Information
Error Information
Log Record Type
Authentication Server
Log Time
Destination IP
Destination Port
Protocol
Action
Rule
Client IP
Client Username
Source Network
Destination Network
HTTP Method
URL
12241 The page must be viewed over a secure channel (Secure Sockets Layer
(SSL)). Contact the server administrator.
0x0
0x0
Web Proxy Filter
1/30/2007 10:18:58 PM
24.213.58.250
80
http
Failed Connection Attempt
Web Server
75.128.225.6
anonymous
External
GET
http://www.mapsnet.org/
0x0
0x0
Firewall
-
1/30/2007 10:18:58 PM
24.213.58.250
80
HTTP
Closed Connection
75.128.225.6
External
Local Host
-
-
0x0
0x0
Firewall
-
1/30/2007 10:18:58 PM
24.213.58.250
80
HTTP
Initiated Connection
75.128.225.6
External
Local Host
-
-
And when I say I cannot disable the option in the rule, this is why:
I’ve recreated this rule many times, and the web publishing wizard always
grays out the options that seem to be relevant…
________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Thursday, February 01, 2007 12:32 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Publishing in ISA2006
The rule, not the website is returning that result.
12211 is an ISA; not an IIS response code.
You get this in your ISA logs because your rule is configured this way.
Your rule reacts this way because you told it to.
Users get a 403 because their request doesn’t match ISA policy requirements.
Ditch the “must use HTTPS” option in the rule and troubleshoot the
rule-based denial.
All mail to and from this domain is GFI-scanned.
Other related posts:
