[Tech Sharing – ISA] 20100615 – 1: Don't Panic Over ISA Publishing, Test Rule Is Here to Help


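Problems with ISA publishing are common. ISA administrators usually start by checking every setting in the publishing rule, but often no obvious mistake is visible by eye. Is there a tool that can help with testing? Yes: ISA 2006 SP1 adds a new feature, a Test Rule button for web-based publishing, which ISA administrators can use to check for publishing problems. So which kinds of publishing does Test Rule apply to, which problems can it detect, and what do the displayed error codes mean?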

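Test Rule can be used in the following scenarios:

  • Exchange Web Client Access publishing wizard
  • SharePoint Site publishing wizard
  • Web Site publishing wizard
  • Rules for a single HTTP-based web site or server farm
  • Rules for a single SSL-based web site or server farm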


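Test Rule can detect the following types of errors:

  • Server certificate errors – triggered when validation of the server certificate fails
  • Name resolution errors – triggered when name resolution fails
  • Connectivity errors – triggered when ISA fails to establish a connection to the server
  • General errors – triggered by other factors

The following error codes are commonly seen when running Test Rule: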

Published server certificate errors:

| Error codes | Error description | Description |
|---|---|---|
| 0x80090308 | The token supplied to the function is invalid. | This happens when the published port is not used for listening to SSL. |
| 0x80090322 | The target principal name is incorrect. | Usually this happens when accessing HTTPS sites and the certificate name on the server doesn’t match the URL with which it’s being accessed. Recommendation: Check the certificate of the published Web site, and then update the name of the published site on the To tab. |
| 0x80090325 | The certificate chain was issued by an authority that is not trusted. | ISA Server doesn’t have the root certificate from the certification authority (CA) installed. Recommendation: Import the CA certificate. |
| 0x80090328 | The received certificate has expired. | The certificate on the published server has expired. Recommendation: Replace or renew the certificate on the published server. |

Name resolution errors:

| Error codes | Error description | Description |
|---|---|---|
| 11004 | The requested name is valid, but no data of the requested type was found. | This occurs when the name resolution to the published server (that is published by its NetBIOS name) fails. Recommendation: Check whether the name on the To tab of the published rule is resolvable. |
| 11001 | Host not found. | This occurs when the name resolution to the published server (that is published by its FQDN name) fails. Recommendation: Check whether the name on the To tab of the published rule is resolvable. |

Connectivity errors:

| Error codes | Error description | Description |
|---|---|---|
| 10061 | No connection could be made because the target computer actively refused it. | The published server does not have a Web server listening on the published port, or Internet Information Services (IIS) 6.0 has not started and is not listening to any port. |
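
The three stages behind these error classes (name resolution, connection, certificate validation) can also be checked by hand from a machine that reaches the published server. The Python sketch below is an added example, not part of the original post or of ISA Server; the function names `classify` and `probe` and the mapping from Python/OpenSSL errors to the codes in the tables are this example's assumptions, and Python validates against its own trust store rather than ISA's.

```python
import socket
import ssl

# OpenSSL verify codes mapped to the table's codes (mapping is this example's assumption).
CERT_CODES = {
    62: ("0x80090322", "certificate name does not match the published name"),
    10: ("0x80090328", "certificate has expired"),
    18: ("0x80090325", "self-signed certificate, issuer not trusted"),
    19: ("0x80090325", "untrusted root in the certificate chain"),
    20: ("0x80090325", "issuing CA certificate is not installed"),
}

def classify(exc):
    """Map a Python network/TLS exception to (category, code, hint)."""
    if isinstance(exc, socket.gaierror):
        return ("name resolution", "11001/11004", "check the name on the To tab")
    if isinstance(exc, ConnectionRefusedError):
        return ("connectivity", "10061", "nothing is listening on the published port")
    if isinstance(exc, ssl.SSLCertVerificationError):
        code, hint = CERT_CODES.get(getattr(exc, "verify_code", None),
                                    ("general", "certificate validation failed"))
        return ("certificate", code, hint)
    if isinstance(exc, ssl.SSLError):  # handshake failed before any certificate check
        return ("certificate", "0x80090308", "port is probably not speaking SSL")
    return ("general", "n/a", str(exc))

def probe(host, port=443, use_ssl=True, timeout=5.0):
    """Run the stages in order; return ('ok', None, detail) or classify() output."""
    try:
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4]
        with socket.create_connection(addr[:2], timeout=timeout) as sock:
            if not use_ssl:
                return ("ok", None, "TCP connect to %s succeeded" % addr[0])
            ctx = ssl.create_default_context()  # verifies chain, dates and host name
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("ok", None, "%s, certificate accepted" % tls.version())
    except OSError as exc:  # gaierror, refusals, timeouts and SSLError are all OSError
        return classify(exc)

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py HOST [PORT]")
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Pass the same name that appears on the To tab of the rule, so the host-name check compares against the name ISA would use.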

In most cases Test Rule accurately reflects whether a publishing rule is correct, but it does have some functional limitations. For details, see:

ISA Server 2006 SP1 – Test Button Issues

http://blogs.technet.com/isablog/archive/2008/07/17/isa-server-2006-sp1-test-button-issues.aspx

Cherry Qian, James Yi

Microsoft Security Support Specialists
