locked
ISA 2006 Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administr

    Question

  •  

    I installed and configured ISA 2006 to allow HTTP traffic.  I am unable to access any website other than Microsoft.com.  The following error occurs whenever I try to access a non-Microsoft website. (I can ping any website from the command prompt on the ISA server.)

     

    The page cannot be displayed

    Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

     

    I am not seeing any relevant documentation on Microsoft website. I saw a hot fix that Microsoft sent.  I tried it but it did not work.

     

    I am allowing HTTP traffic, and I am not blocking the websites we want to access. What do I have to do differently on ISA 2006 from what I did on our ISA 2004?   I configured ISA 2006 the same way I did for our working copy of ISA 2004.

     

    • Moved by Kurt FaldeMicrosoft employee Thursday, October 08, 2009 2:55 PM Moving to ISA forum (From:Forefront Client Security Setup and Configuration)
    Thursday, December 13, 2007 9:57 PM

Answers

  • This document does a great job of explaining the Single Adapter scenario.


    http://technet.microsoft.com/en-us/library/bb794774.aspx


    Single Network Adapter Network Template

    You can install Server 2006 on computers with a single network adapter. When you apply the Single Network Adapter network template, the Internal network is configured to contain all IP addresses. You run the wizard and select Apply default Web proxying and caching configuration to apply the Allow Web proxy and caching policy. This policy configures ISA Server to act as a caching router, and allows Web Proxy clients to access Web content on the Internet, and accelerates Web performance through caching. After applying the Single Network Adapter network template, the following network and access rule is applied:

    • Local Host network: 127.0.0.0–127.255.255.255.
    • Internal network: Equals everything else, where everything else is:
      • 0.0.0.1–126.255.255.255
      • 128.0.0.0–255.255.255.254
    • Default access rule: Denies access to all locations.

    When you install ISA Server on a computer with a single network adapter, ISA Server is only aware of two networks: the Local Host network that represents the ISA Server computer itself, and the Internal network, which includes all IP addresses that are not part of the Local Host network. In this configuration, when an internal client browses the Internet, ISA Server sees the source and destination addresses of the Web request as belonging to the Internal network.

    Typically, you will apply the Single Network Adapter network template when another firewall is located on the edge of the network, connecting your corporate resources to the Internet. In this single adapter scenario, ISA Server typically functions as a Web proxy, or cache server, proxying Internet requests from internal clients, and caching content from the Internet for use by clients on the corporate network. When installed on a computer with a single network adapter, ISA Server supports the following scenarios:

    • Forward Web proxy requests using HTTP, HTTPS, or FTP for downloads
    • Cache Web content for use by clients on the corporate network
    • Web publishing to protect published Web or FTP servers
    • Microsoft Office Outlook® Web Access 2003, ActiveSync®, and remote procedure call (RPC) over HTTP publishing

    For more information about deploying ISA Server with a single network adapter, see "Configuring ISA Server on a Computer with a Single Network Adapter" at the Microsoft

    Friday, October 09, 2009 1:44 PM
    Answerer

All replies

  •  

    What kind of configuration did you use? Single Network Adapter? Back Firewall? Front Firewall? Edge Firewall? 3-Leg Perimeter? I found that using the Single Network Adapter Configuration that I had to use a rule to allow traffic from the internal and local networks to the local network to properly allow internet access, not out to the external network as I thought would make more sense.

     

    I hope this helps.

    Thursday, December 13, 2007 11:57 PM
  • I have the same problem , Edge Firewall , two NICs .
    Any Ideas ???


    AMoktar
    Saturday, October 25, 2008 9:44 AM
  • I had the same set up on my ISA server with a single nic and your suggestion fixed right up. From Internal to Internal.... seems a bit strange but I guess with a single nic there's no getting around it.

    I am curious as to the excat working of that particular setup (if any one cares to explain to this newbie)
    Saturday, March 07, 2009 10:51 AM
  • I had the same set up on my ISA server with a single nic and your suggestion fixed right up. From Internal to Internal.... seems a bit strange but I guess with a single nic there's no getting around it.

    I am curious as to the excat working of that particular setup (if any one cares to explain to this newbie)

    I would also like to know cause i have the same setup with only one nic on the isa and to get m email where ever i am in the world or SA would be great
    • Proposed as answer by David Hagerman Thursday, October 08, 2009 12:19 PM
    Wednesday, August 26, 2009 7:06 AM
  • I had the same problem with ISA Server and two network cards. I eventually found this site

    http://www.linglom.com/2008/02/01/getting-started-with-microsoft-isa-server-2006-part-v-configure-http-filter/

    Tha pointed me in the right direction. When I set up ISA 2006 I just selected the NIC instead of looking at the scopes it was adding. I then removed the scopes and added the ones I needed to use, applied the changes and Presto i could access the internet.
    • Proposed as answer by David Hagerman Thursday, October 08, 2009 12:24 PM
    Thursday, October 08, 2009 12:22 PM
  • This document does a great job of explaining the Single Adapter scenario.


    http://technet.microsoft.com/en-us/library/bb794774.aspx


    Single Network Adapter Network Template

    You can install Server 2006 on computers with a single network adapter. When you apply the Single Network Adapter network template, the Internal network is configured to contain all IP addresses. You run the wizard and select Apply default Web proxying and caching configuration to apply the Allow Web proxy and caching policy. This policy configures ISA Server to act as a caching router, and allows Web Proxy clients to access Web content on the Internet, and accelerates Web performance through caching. After applying the Single Network Adapter network template, the following network and access rule is applied:

    • Local Host network: 127.0.0.0–127.255.255.255.
    • Internal network: Equals everything else, where everything else is:
      • 0.0.0.1–126.255.255.255
      • 128.0.0.0–255.255.255.254
    • Default access rule: Denies access to all locations.

    When you install ISA Server on a computer with a single network adapter, ISA Server is only aware of two networks: the Local Host network that represents the ISA Server computer itself, and the Internal network, which includes all IP addresses that are not part of the Local Host network. In this configuration, when an internal client browses the Internet, ISA Server sees the source and destination addresses of the Web request as belonging to the Internal network.

    Typically, you will apply the Single Network Adapter network template when another firewall is located on the edge of the network, connecting your corporate resources to the Internet. In this single adapter scenario, ISA Server typically functions as a Web proxy, or cache server, proxying Internet requests from internal clients, and caching content from the Internet for use by clients on the corporate network. When installed on a computer with a single network adapter, ISA Server supports the following scenarios:

    • Forward Web proxy requests using HTTP, HTTPS, or FTP for downloads
    • Cache Web content for use by clients on the corporate network
    • Web publishing to protect published Web or FTP servers
    • Microsoft Office Outlook® Web Access 2003, ActiveSync®, and remote procedure call (RPC) over HTTP publishing

    For more information about deploying ISA Server with a single network adapter, see "Configuring ISA Server on a Computer with a Single Network Adapter" at the Microsoft

    Friday, October 09, 2009 1:44 PM
    Answerer
  • David,

    It is preferrable to enter the NIC because it actually pulls the information from the routing table on Windows. As long as you have that set up correctly, your Internal Network definition should reflect what your network looks like. If your Internal Network is not defined properly ISA can drop legitimate traffic as spoofed.

    This article is a great reference for that.

    Network Behind A Network (2004) - v1.1

    http://www.isaserver.org/pages/article.asp?id=1278

    Friday, October 09, 2009 1:50 PM
    Answerer
  • Will close this question off - Keith's responses are correct.
    Sunday, December 13, 2009 1:45 PM
    Owner