An HTTP 403 was Received Because ISA Denied the Specified URL
Topic Last Modified: 2009-11-17
The Microsoft Remote Connectivity Analyzer sends an HTTP request and validates the response it receives to verify connectivity. If the entry point to the Exchange Server is an ISA server, and the publishing rules on the ISA server aren't configured correctly, then ISA can send an HTTP 403 Forbidden response. If ISA sends an HTTP 403 response, then the Microsoft Remote Exchange Connectivity tool displays the following message:
"The server denied the specified Uniform Resource Locator (URL)."
End users can't successfully connect to Exchange applications and services.
For More Information
There can be multiple reasons for this error with the most likely being a misconfigured ISA server.
Note
If using ISA 2000, we recommend upgrading to ISA 2006. If upgrading is not an option, then on the OWA web publishing rule you must remove all Path entries and replace it with only "/*".
To correct this error
Follow the steps in Microsoft Knowledge Base article, How to publish a Microsoft Exchange server for Outlook Web Access in ISA Server 2006, in ISA Server 2004, or in Microsoft Forefront Threat Management Gateway, Medium Business Edition.
If you have applied the steps from the preceding article and are still receiving the error, see Microsoft Knowledge Base article A user cannot access a Web site that is published in ISA Server 2006 by using Kerberos constrained delegation if the user is not in the same domain as the ISA Server computer and Error message when a user visits Web site that is published by using Microsoft ISA Server together with client certificate authentication: Error Code: 403 Forbidden.
If the entry point to your Exchange Server is ISA Server 2006, then check the publishing rule to determine whether the rule is configured to disallow all authentications. Go to the Delegation tab and view the drop-down list under Method used by ISA Server to authenticate to the published Web server. The option No delegation and Client may not authenticate directly disables any authentication on the rule. Since all Exchange services require some type of authentication, choose a different delegation method from the drop-down menu that suits your environment.
Note
This issue can also be related to a problem with the destination set. Verify that the destination set points to the external IP address.
Example:
Destination Set Name: OWA
Description: Outlook Web Access
SingleIP: <internal IP of Exchange server> (change to external IP on ISA)
Path: /exchange*
SingleIP: <internal IP of Exchange server> (change to external IP on ISA)
Path: /exchweb*
SingleIP: <internal IP of Exchange server> (change to external IP on ISA)
Path: /public*
The Microsoft Remote Connectivity Analyzer has limited documentation currently. To improve the documentation for each of the errors you might receive, we would like to solicit additional information from the community. Use the Community Content section to post other reasons why you failed at this point. If you need technical assistance, create a post in the appropriate Exchange TechNet forum or contact support.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for