Archive for September, 2008
A common error generated by ISA seems to cause a great deal of confusion and frustration for people who don’t work with ISA on a regular basis. However, this is actually one of the easiest issues to identify and then resolve with ISA. The exact error message that is seen in the browser is:
403 Forbidden - The server denies the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
Internet Security and Acceleration Server
What this means, simply, is that the server address entered into the browser does not match the web site name that ISA is expecting. An easy way to see this for yourself is to try to access the Remote Web Workplace of an SBS box by entering the address as https://ipaddress/remote instead of https://site.domain.com/remote (provided that you have your SBS box configured to use site.domain.com as the public address). Boom, instant 403 Forbidden error.
So how can you tell what URL ISA is expecting to get from the browser? Also easy. Once you get the 403 Forbidden page, click on the Certificate Error tag in the browser address bar (you will always get a certificate error in this condition, by the wat) and view the certificate. The address in the certificate is what ISA is expecting to see. This is because ISA actually advertises the public certificate in the web listener to decrypt the incoming SSL transmission from the client. When it decrypts the transmission, if the URL it’s listening for does not match the URL that was requested, the connection is refused and ISA returns the 403 Forbidden error.
A common mistake made by those new to SBS is entering the wrong name for the SSL in the Connect to the Internet wizard. In a non-ISA setup, this will work, but it’s still wrong. The reason it works is that users can still bypass the Invalid Certificate warning that they see in IE. Only in this case, the invalid certificate warning is generated because the name on the certificate does not match the URL entered. Many times I’ve seen people enter the internal name of the server in the SSL certificate field of the CEICW, and by pure happenstance it hasn’t been a problem for them. Until ISA gets in the mix. ISA will not redirect traffic to the internal web site if the requested URL does not match the URL that ISA is advertising.
The best solution for ensuring that ISA is working correctly is to acquire and install a valid third party SSL certificate on the SBS server, then instruct your users to never go through to a site that lists an invalid certificate. Steps for requesting and installing a third party SSL cert for ISA on an SBS box can be found at the Official SBS Blog.