ISA Server 2000 Feature Pack 1

Microsoft ISA Server 2000 Feature Pack 1, Version 1

The following are common issues associated with Web publishing on ISA Server. After you correct your configuration based on one of the issues, test Web publishing to see if the problem has been resolved.

Determine the General Source of the Problem

Consider these questions:

  1. Is the Web site directly accessible? Try bypassing the ISA Server computer to see if the Web site is accessible. If it isn't, then the primary issue is not the ISA Server computer, but is related to the Web server and IIS.

    The easiest way to test this is to open Internet Explorer (IE) on the ISA Server computer, and on the Tools menu, click Internet Options. On the Connections tab, click LAN Settings, and make sure that the Use a proxy server option is not selected. Then, try to access the Web site from IE on the ISA Server computer.

  2. Does the Web site name on the Internet resolve to an IP address on the ISA Server computer's external network adapter? If not, this is a DNS issue. Contact the administrator of the DNS server to set the Internet DNS to resolve the Web site name to the external network adapter of the ISA Server computer. If an Internet service provider hosts your DNS zone, you will have to contact them to get this problem fixed. You can test this by using the nslookup utility to see what the site name resolves to. For more information about nslookup, see MSDN or Windows Help.

  3. When you connect to the Web site, do you receive an Error 403 page? This indicates that the connection to the external IP of the ISA Server computer has succeeded. The issue will therefore be an ISA Server Web publishing issue or an IIS issue.

  4. When you connect to the Web site, do you receive a Connection to server failed message? This is likely related to one of the ISA Server Web listener issues.

  5. When you connect to the Web site, do you receive a 500 Internal Server Error page? This indicates that there is likely a problem with the SSL certificate on the Web server.

Web Listener Issues

Consider these questions:

  1. Is the w3svc service running on the ISA Server computer? This is the service used by IIS to publish Web servers. Do not run this service on the ISA Server computer, as it will cause a conflict on port 80. If you are publishing a Web site that is located on the ISA Server computer, you must configure ISA Server to listen on a port other than port 80. For more information, see the document "Publishing a Web Server Located on the ISA Server."

  2. Is incoming Web traffic allowed on ISA Server? You can check this by using the netstat utility, which will show if the external network adapter is listening on port 80.

    To use netstat, type netstat -an at a command prompt on the ISA Server computer. If your Web listener is properly configured, the output will look like this:

    C:\>netstat -an

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    192.168.0.1:80         0.0.0.0:0              LISTENING

In this netstat output, 192.168.0.1:80 indicates that the external IP address of the ISA Server computer is listening on port 80. Verify that the external IP address of your ISA Server computer is listening on port 80. If you are publishing a Web site that is located on the ISA Server computer, you must configure ISA Server to listen on a port other than port 80, and that is the port that will be displayed in the netstat output.

If this is not the case, you did not correctly configure a Web listener. To configure a Web listener, see the Web listener step in the scenario documentation.
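The listener check described above can be scripted. The following is an added example in Python, not part of the original ISA Server documentation; the sample netstat text is constructed, and the result labels ("ok", "wildcard", "wrong-adapter", "not-listening") are names chosen for this example.

```python
import re

# Constructed sample of `netstat -an` output, not captured from a real server.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:8080          0.0.0.0:0              LISTENING
  TCP    192.168.0.1:80         0.0.0.0:0              LISTENING
  TCP    192.168.0.1:80         203.0.113.7:1045       ESTABLISHED
  UDP    192.168.0.1:53         *:*
"""

# A TCP row in the LISTENING state; the greedy \S+ leaves the last ":port" for group 2.
LISTEN_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)


def listening_sockets(netstat_text):
    """Return the set of (local_ip, port) pairs that are in the LISTENING state."""
    found = set()
    for line in netstat_text.splitlines():
        m = LISTEN_ROW.match(line)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found


def check_web_listener(netstat_text, external_ip, port=80):
    """Classify the Web listener state for the external adapter (labels are this example's)."""
    socks = listening_sockets(netstat_text)
    if (external_ip, port) in socks:
        return "ok"              # the per-address entry the page expects
    if ("0.0.0.0", port) in socks:
        return "wildcard"        # bound on all addresses, not the per-address entry
    if any(p == port for _, p in socks):
        return "wrong-adapter"   # the port is open, but on a different address
    return "not-listening"       # no listener on this port: revisit the Web listener


if __name__ == "__main__":
    for port in (80, 8080, 135, 443):
        print(port, check_web_listener(SAMPLE_NETSTAT, "192.168.0.1", port))
```

Pass the port you configured on the Web listener when the published site is located on the ISA Server computer itself, because in that case the listener is not on port 80.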

ISA Server Web Publishing Issues

Consider these questions:

  1. Does the Web site name on the Internet resolve to an IP address on the ISA Server computer's external network adapter? Contact the administrator of the DNS server to set the Internet DNS to resolve the Web site name to the external network adapter of the ISA Server computer.

  2. Is the value in the destination set used in the Web publishing rule the same as what a user would type into a browser? Set the destination set to match the public name that an external user specifies to access the Web site, such as www.adatum.com. This should be the fully qualified domain name for the Web server.

  3. On the Action tab of a Web publishing rule, is the internal server specified by the IP address or the fully qualified domain name (FQDN)? Use only an IP address or an FQDN-based name. This name is the internal name of the Web site, and is not related to the destination set.

  4. Is the destination set name identical to the FQDN of the hosted Web server? This could lead to a situation where the ISA Server sends the request to its own external network adapter, rather than to the Web server. To avoid this, on the Action tab of the Web publishing rule, use the IP address to refer to the internal Web site, rather than the FQDN.

  5. Are the SSL bridging settings appropriate for your Web publishing setup? Compare your settings to those prescribed in the scenario documents.

  6. Is there a routing rule that redirects to an upstream server requests for the Web publishing destination set (or requests for all destination sets)? If so, create a new routing rule specific to the Web publishing destination set, selecting the Action option Retrieving them directly from the specified destination. Routing rules are ordered, so this new rule must precede the one that redirects to an upstream server.

  7. Are you requiring authentication on both the ISA Server computer and the Web server? Authenticate only on the ISA Server computer.

  8. Can Web responses bypass ISA Server when returned to the external client? Make sure that your Web server can only return responses through ISA Server, and not through some other route. If the response is not through ISA Server, the requesting client will not recognize the source of the response, and it won't be accepted. To test whether the response is through ISA Server, run the tracert command-line utility on the Web server using any external Web site name, and see if ISA Server is listed as one of the hops. At a command prompt, type tracert <site name> (for example, tracert www.adatum.com).

IIS Issues

Consider this question:

  1. Is IIS configured to use host headers? This is a setting you configure when you create a new IIS Web site. The IIS default is to not use host headers, and this is preferable for ISA Server Web publishing. If you configured IIS to use a specific host header, take one of these actions:

    • Change IIS to not expect a specific host header.

    • Change the header required by IIS to be the one expected from ISA Server.

    • Select the Web publishing rule option Send the original host header to the publishing server instead of the actual one (specified above), as described in the Web publishing scenario documents.

For information on how to change the host header requirements, see IIS documentation.

For general IIS troubleshooting information, see Windows 2000 Help.

SSL Certificate Issues

Consider this question:

  1. Is there a certificate validity problem for the certificate on the internal Web server? Any one of the following problems will result in the Web client receiving a 500 Internal Server Error page:

    • The certificate on the internal Web server is not valid on the date of the request.

    • The Certificate Authority for the internal Web server is not trusted.

    • The server name or IP address provided on the Web publishing rule Action tab does not match the name on the certificate.

    The first two problems are related to the validity of the certificate, and can be solved by ensuring that the certificate is current and that it is issued by a trusted certificate authority. The third problem can be resolved using one of the following approaches:

    • Obtain a new certificate that matches the name on the server.

    • Change the server name on the Web publishing rule Action tab to match the name on the certificate, and configure the local DNS server to map that name to the internal Web server.

    • Change the server name on the Web publishing rule Action tab to match the name on the certificate. On the ISA Server computer, in the file WINNT\system32\drivers\etc\hosts, add a mapping from the certificate/Action tab name to the IP address of the internal Web server.
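To tell the date problem from the name problem listed above, the two checks can be run against the internal Web server's certificate. This is an added example in Python, not part of the original documentation; the certificate is a constructed sample in the dictionary format returned by Python's ssl.getpeercert(), and the labels "date" and "name" are this example's. The trust check (the second problem) needs full chain validation and is not covered.

```python
import ssl
from calendar import timegm

# Constructed sample certificate in ssl.getpeercert() format (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.adatum.com"),),),
    "subjectAltName": (("DNS", "www.adatum.com"),),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2025 GMT",
}
JUN_2024 = timegm((2024, 6, 1, 0, 0, 0))  # request time inside the validity period
JUN_2025 = timegm((2025, 6, 1, 0, 0, 0))  # request time after expiry


def cert_names(cert):
    """Names the certificate is issued for: subjectAltName entries, else commonName."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ())
            if k in ("DNS", "IP Address")]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(pattern, name):
    """Exact match, or one left-most '*' label standing for exactly one label."""
    p, n = pattern.split("."), name.lower().split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == n[1:]
    return p == n


def diagnose(cert, action_tab_name, now):
    """Return which of the page's certificate problems apply: 'date' and/or 'name'."""
    problems = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        problems.append("date")   # not valid on the date of the request
    if not any(name_matches(p, action_tab_name) for p in cert_names(cert)):
        problems.append("name")   # Action tab name differs from the certificate name
    return problems


if __name__ == "__main__":
    print(diagnose(SAMPLE_CERT, "www.adatum.com", JUN_2024))  # []
    print(diagnose(SAMPLE_CERT, "10.0.0.5", JUN_2024))        # ['name']
    print(diagnose(SAMPLE_CERT, "webserver1", JUN_2025))      # ['date', 'name']
```

The second call shows the case where the Action tab holds the internal server's IP address while the certificate names the server by FQDN, which is the mismatch the DNS or hosts file mapping above resolves.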