0

I have an ISA Server 2006 Enterprise Edition NLB array and, intermittently, users connecting through one of the two servers get an ISA Server 403 (Forbidden) error message:

Technical Information (for support personnel)

* Error Code: 403 Forbidden. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
* IP Address: [IP address of public web server
* Date: 6/17/2009 4:07:28 PM [GMT]
* Server: [DNS name of ISA server - always the same one]
* Source: proxy

The exact address that I get them on varies a lot.

I think that the problem is that it's connecting to the other member of the array to access these sites and isn't able to pass the authentication through (users are required to authenticate to access any website), but I have no idea where to even start to enable the authentication.

Richard Gadsden
  • 3,696
  • 4
  • 28
  • 58

2 Answers2

1

I had authentication set up wrongly - the authentication settings for web proxy on the intra-array network must be the same as the authentication settings on the internal network.

However, the servers shouldn't have been connecting through one another to the internet in the first place.

That issue - the much more important one - was a problem with the binding order of the network adapters. Those nice Microsoft people have a fix.

Richard Gadsden
  • 3,696
  • 4
  • 28
  • 58
  • Oh yeah, I forgot about the binding order. When I was walking through an in-depth session with an ISA expert that was one of the first things he told me. – Aaron Weiker Jun 29 '09 at 14:16
0

Is the same sort of authentication being used on each of the web hosts. It could be that one is using BASIC and the other is using Windows/NTLM and that is not getting passed through ISA. So check and re-check the IIS configuration to make sure that they are identical. You could also try exporting it on the working server and importing it on the non-working. (first delete the non-working site and import by creating a new site).

Aaron Weiker
  • 686
  • 1
  • 5
  • 10
  • IIS isn't installed on ISA servers. – Richard Gadsden Jun 23 '09 at 09:28
  • I would still double check the web server configuration as it sounds very similar to a situation I had just the other day where authentication prompts would get suppressed if ISA was not configured to pass it through. – Aaron Weiker Jun 23 '09 at 14:58
  • What web server? These are internal users connecting to web servers on the internet - e.g. bbc.co.uk. I can't check the config on those servers! – Richard Gadsden Jun 25 '09 at 10:41
  • I think I was misreading your question. I was seeing it as you were using ISA to create a NLB farm that you were then publishing. Are you saying that you are using ISA in a NLB environment to act as a proxy server to the internet and that one of your ISA servers is acting sporatic. In this case, I'm not sure and would contact PSS if that is an option. – Aaron Weiker Jun 25 '09 at 14:45
  • Yep, and I have cracked it - see my own answer. – Richard Gadsden Jun 29 '09 at 10:52