Requests sent to UAG array member return “Access is denied”


This is a very interesting issue that can be difficult to recognize and diagnose as everything seems to be “OK”. Let’s outline this simple scenario. You have a standalone UAG server. The server may be configured with one or more portals, each containing one or more web applications. Everything is working fine with this deployment. You then decide to create an array. You configure the existing UAG server as the Array Manager and specify the member that will join. You then join the new UAG server to the array. Everything looks good. Then you find the following…

Symptoms:

After successfully adding a new member to a UAG array, you may find that all client requests that are directed to the new array member receive the following error:

Server Error

403 – Forbidden: Access is denied

You do not have permission to view this directory or page using the credentials that you supplied

More information:

The reason this issue can be difficult to diagnose is that you may be hard pressed to find anything actually “wrong”. When you added the new member to the array, there were no errors during the joining process. Everything looked good.

After the “seemingly” successful array join, you can Activate the configuration on the Array Manager and there are no apparent errors. Additionally, if you launch the TMG Management console and check the Configuration Status of the node, they show as “Synced”.

Checking the TMG Configuration Status on the new member also shows the nodes as “Synced”. However, on closer inspection of the new member server, you may find that the Portal web site is missing in IIS. The ‘Web Monitor’ site and all required virtual directories under ‘Default Web Site’ are in place, but the Portal site, and its associated Application Pools, are not there.

Cause:

The “SSL Network Tunneling Server” (Network Connector) settings and configuration may be invalid for the server’s network configuration.

Resolution:

To test for this condition, temporarily disable the Network Connector as follows:


  • In the Forefront UAG Management console, on the Admin menu, click Remote Network Access, and then click SSL Network Tunneling.
  • On the “Network Segment” tab, uncheck “Activate SSL Network Tunneling” and click OK.
  • Activate the configuration.

After activating the configuration, check IIS on the new member server and make sure the Portal web site has been configured. If the site is now there, you need to determine the configuration issue with the Network Connector. For more information on the Network Connector in UAG, please see the following TechNet article:

https://technet.microsoft.com/en-us/library/ee809096.aspx
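The IIS check described above can be scripted so that every array member is inspected for the Portal site and its application pools after each activation. The following PowerShell script is an added example and is not part of the original article or of the UAG product; the member host names and the portal site names are placeholders that must be replaced with your own, and the application-pool match by site name is an assumption about how the pools are named.

```powershell
# Added example (not from the original article). Queries IIS on each UAG array
# member for the sites the article says must exist after activation.
# $Members and $PortalSites are hypothetical values: replace them with your
# array member host names and the portal web site names from the UAG console.
param(
    [string[]]$Members       = @('UAG-MEMBER1'),
    [string[]]$PortalSites   = @('Portal1'),
    [string[]]$BaselineSites = @('Default Web Site', 'Web Monitor')
)

# Runs on the member: reports, for each expected site, whether the site exists
# and whether any application pool name contains the site name (assumption:
# UAG names the portal pools after the portal; adjust if your names differ).
$check = {
    param([string[]]$Expected)
    Import-Module WebAdministration
    $sites = Get-Website | Select-Object -ExpandProperty Name
    $pools = Get-ChildItem IIS:\AppPools | Select-Object -ExpandProperty Name
    foreach ($name in $Expected) {
        $poolMatch = @($pools | Where-Object { $_ -like "*$name*" })
        New-Object PSObject -Property @{
            Site        = $name
            SitePresent = [bool]($sites -contains $name)
            PoolPresent = ($poolMatch.Count -gt 0)
        }
    }
}

foreach ($member in $Members) {
    Write-Host "== $member =="
    # The leading comma passes the combined list as a single array argument.
    $results = Invoke-Command -ComputerName $member -ScriptBlock $check `
               -ArgumentList (,($BaselineSites + $PortalSites))
    $results | Format-Table Site, SitePresent, PoolPresent -AutoSize

    # A member with the baseline sites but no Portal site shows the symptom in
    # this article: requests routed to it will receive 403 Access is denied.
    $missing = @($results | Where-Object { -not $_.SitePresent })
    if ($missing.Count -gt 0) {
        Write-Warning ("{0} is missing site(s): {1}. Review the SSL Network " +
            "Tunneling (Network Connector) settings before re-activating.") `
            -f $member, ($missing.Site -join ', ')
    }
}
```

Run it from the Array Manager with an account that has administrative rights on the members and PowerShell remoting enabled; the WebAdministration module must be available on each member (it ships with the IIS role on Windows Server 2008 R2).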

Author

Richard Barker - Sr Security Support Escalation Engineer, Microsoft CSS Forefront Security Edge Team