ISA 2004 Blocking External Traffic to Published Web

  • Question

  • We have two load balancing ISA 2004 (SP 3) firewall servers that perform secure NAT for our domain. On another server behind them in the same domain is a site published through IIS 6 on port 80 with anonymous authentication authorized. Internal network users are able to access the site without any problems.

    On both ISA's there is a web server publishing rule authorizing inbound traffic to the published web. A DNS entry at the firewall points the external NIC IP address to the FQDN of the site. A web listener that permits inbound port 80 traffic from all sources is tied to the web publishing rule.

    The rule forwards the original host header (FQDN of site) with "Requests appear to come from the ISA server". Besides the FQDN of site I have also tried the FQDN of the site hosting server, and the IP of the site hosting server, with no change in result.

    I have tried every combination of settings I can think of but cannot get external traffic through to the site, and I have restarted the MS Firewall service between changes, with no luck. The error returned is 403 Forbidden (12202).

    Logging for site requests doesn't appear to function properly either. In the ISA snap-in I created a logging filter for this site, and after running the query it does not return any information. After we installed SP 3 it fixed some problems in which internal users were being denied access to web sites with "non-standard headers", but it also introduced some other quirky issues, among which is that after restarting the server, about a dozen of the services set to start automatically fail to start and have to be started manually with a local administrator login.

    Internal traffic to outside networks on port 80 works fine; it is just the external requests to our published site that are being blocked. There are no restrictions of any sort in the ISA snap-in settings for this web publishing rule, and "Always Authenticate" is set to "No".

    I know these issues are hard to diagnose from a distance, but I have run out of ideas on how to make ISA cooperate, and any insight or tips as to what I could possibly be overlooking are greatly appreciated. Thanks.

    Tuesday, June 8, 2010 1:16 PM

Answers

  • My apologies, someone directed me here...however this can be moved or deleted as I finally resolved this.

    The solution was in the web server publishing rule to uncheck the box, "Forward the original host header instead of the actual one"

    I had always left this checked because it is also checked in our OWA publishing rule and that rule works. So I thought it should have to be checked for the port 80 publishing rule as well, but no.

    Thanks all.

    Tuesday, June 8, 2010 3:44 PM
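    The setting the poster toggled controls one thing: whether the Host header the external client sent is passed through to the published server unchanged, or replaced with the name the publishing rule uses for that server. The following added example (not from the thread, and not ISA code) models that behaviour with a toy reverse proxy and a toy backend so the difference is visible. All hostnames are constructed placeholders, and the backend's "only serve Host values I am bound to, otherwise 403" rule is an assumption standing in for whatever binding or filter a real web server applies; the thread itself does not say which component produced the 403.

```python
"""Toy model of a web publishing rule's 'forward the original host header'
toggle.  Added illustration only: the proxy, the backend and every
hostname here are constructed for this example and are not part of ISA,
IIS or the original thread."""

from dataclasses import dataclass, field

PUBLIC_FQDN = "www.example.test"       # name in external DNS (constructed)
BACKEND_HOST = "webserver.corp.test"   # internal server name (constructed)


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def parse_request(raw: bytes) -> HttpRequest:
    """Parse the request line and headers of a raw HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().title()] = value.strip()
    return HttpRequest(method, path, headers)


def proxy_rewrite(req: HttpRequest, backend_host: str,
                  forward_original_host: bool) -> HttpRequest:
    """Model the publishing rule.  With the box checked the client's Host
    header goes to the backend untouched; with it unchecked the proxy
    substitutes the name the backend is published as internally."""
    headers = dict(req.headers)
    if not forward_original_host:
        headers["Host"] = backend_host
    return HttpRequest(req.method, req.path, headers)


def backend_handle(req: HttpRequest, accepted_hosts: set) -> int:
    """Toy backend (assumption): serve only Host values it is bound to,
    ignoring any port suffix; refuse anything else with 403."""
    host = req.headers.get("Host", "").split(":")[0].lower()
    return 200 if host in accepted_hosts else 403


def publish(raw_request: bytes, forward_original_host: bool,
            backend_hosts: set) -> int:
    """Full path: external client -> proxy -> backend; returns the status."""
    client_req = parse_request(raw_request)
    backend_req = proxy_rewrite(client_req, BACKEND_HOST, forward_original_host)
    return backend_handle(backend_req, backend_hosts)


# Constructed sample: an external browser asking for the published site.
EXTERNAL_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: " + PUBLIC_FQDN.encode() + b"\r\n"
    b"User-Agent: example-client\r\n\r\n"
)

# A backend that only knows itself by its internal name.
INTERNAL_ONLY_BINDINGS = {BACKEND_HOST}


if __name__ == "__main__":
    for forward in (True, False):
        status = publish(EXTERNAL_REQUEST, forward, INTERNAL_ONLY_BINDINGS)
        print(f"forward original Host = {forward!s:5} -> backend returned {status}")
```

    Run as a script, the model shows the external request being refused when the public name is forwarded to a backend that is bound only to its internal name, and accepted once the proxy rewrites Host to that internal name; adding the public FQDN to the backend's bindings is the other way to make both modes succeed. The same header is what a backend uses to pick a site among several, so the choice also decides which host-based configuration on the published server ends up handling the request.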

All replies

  • Hi,

    This is a Forefront Client Security forum; ISA related questions should be posted here: http://social.technet.microsoft.com/Forums/en-US/FTMGNext/threads

    Thanks in advance.


    Bechir Gharbi. MCSA, MCSE M+S, MCITP Server/Enterprise Administrator, MCT, MCTS Configuration Manager/Forefront (Time Zone : GMT+1)
    Tuesday, June 8, 2010 3:01 PM