Answered 403 Error

  • Friday, June 29, 2012 2:17 PM

    I am trying to access a webserver from the internet and am getting 403 Forbidden errors from Forefront TMG 2010. Details on the rule I created are as follows:

    Non-web publishing rule
    Allow
    HTTPS Server
    From Anywhere
    To the internal IP of the server (Requests appear to come from the original client)
    Networks - External - selected an external IP that nothing else uses (which was added to the NIC of the TMG box)
    Schedule - Always

    The TMG box can get to the webserver in question.

    Thanks!

All Replies

  • Friday, June 29, 2012 3:45 PM
     
     Proposed Answer

    Hi,

    In this scenario the published webserver must be a SecureNAT client when you select the option "Requests appear to come from the original client".
    BTW: for webserver publishing I recommend using the web publishing feature of TMG instead of the non-web publishing rule.


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de

  • Sunday, July 01, 2012 5:47 AM
    Moderator

    Hi,

    Thank you for the post.

    Agree with Marc, you may use a web publishing rule for your internal web server. And if the issue still persists, please elaborate on the publishing rule settings.

    Regards,


    Nick Gu - MSFT

  • Monday, July 02, 2012 11:22 AM

    Thanks for the post.

    The reason that I am not using a web publishing rule is that the web server that I am using doesn't allow me to export its private key.

  • Tuesday, July 03, 2012 3:57 AM
     
     Answered

    A server publishing rule for protocol 'HTTPS-Server' is more than fine in scenarios where you cannot import the certificate into the TMG box properly (which makes web publishing a real pain).

    The issue here was that the server publishing rule was not going into effect because of port binding issues caused by other rules/protocols in the firewall policy. There were several other rules that were inadvertently created that published port 443 across all external IP addresses, as opposed to specific IPs on the external network. Once these were all cleared up, the firewall services were bounced and no more port binding issues appeared in the Application log whenever the Firewall services were changed. The rule worked as expected at this point. (Netstat -an | find "443" also finally showed the TMG box listening on the individual external IP address for 443.)

    • Marked As Answer by TMERL Saturday, July 07, 2012 4:14 AM
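The check the accepted answer ends with (does 443 show up bound to the one dedicated external IP, or is some other rule grabbing it on all addresses?) as an added example, not from the thread: a small Python parser over constructed `netstat -an` output that flags wildcard binds on a port. The IP addresses and the sample output are assumptions.

```python
"""Spot port-binding conflicts on TCP 443 from `netstat -an` output.

Constructed example (not from the thread). Assumed scenario: a TMG box that
should listen on 443 only on its dedicated external IP 203.0.113.10, while
another rule has already bound 443 on all addresses (0.0.0.0 / [::]), which
is exactly what stops the server publishing rule from taking effect.
"""
import re
from typing import Dict, List

# Constructed sample of Windows `netstat -an` output (assumed addresses).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    203.0.113.10:443       0.0.0.0:0              LISTENING
  TCP    203.0.113.10:443       198.51.100.7:51234     ESTABLISHED
  TCP    10.0.0.5:8080          0.0.0.0:0              LISTENING
  TCP    [::]:443               [::]:0                 LISTENING
"""

# TCP rows carry three columns: local address, foreign address, state.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
WILDCARDS = ("0.0.0.0", "[::]")


def split_host_port(addr: str):
    """'203.0.113.10:443' -> ('203.0.113.10', 443); IPv6 '[::]:443' also works."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def listeners_on_port(netstat_text: str, port: int) -> List[str]:
    """Return the local addresses that are LISTENING on `port`, in file order."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "LISTENING":
            continue
        host, p = split_host_port(m.group(1))
        if p == port:
            found.append(host)
    return found


def binding_report(netstat_text: str, port: int, expected_ip: str) -> Dict[str, object]:
    """Report whether `expected_ip` owns `port` alone or a wildcard bind competes."""
    hosts = listeners_on_port(netstat_text, port)
    wildcard = [h for h in hosts if h in WILDCARDS]
    return {
        "expected_bound": expected_ip in hosts,   # the dedicated IP is listening
        "wildcard_binds": wildcard,               # rules published on all addresses
        "conflict": bool(wildcard),               # any wildcard bind shadows the rule
    }
```

Run `binding_report(SAMPLE_NETSTAT, 443, "203.0.113.10")` against real `netstat -an` text instead of the sample; a non-empty `wildcard_binds` list points at the rules that still publish 443 on every external address.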