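Publishing through ISA is a common source of problems. ISA administrators usually start by checking every setting of the publishing rule, but often no obvious error can be spotted by eye. Is there a tool that can help with testing? Yes: ISA 2006 SP1 adds a new feature, a Test Rule button for web-based publishing. ISA administrators can use Test Rule to check publishing problems. So which kinds of publishing does Test Rule apply to, which problems can it detect, and what do the error codes it displays mean?
The Test Rule feature can be used in the following scenarios:
- Exchange Web Client Access publishing wizard
- SharePoint Site publishing wizard
- Web Site publishing wizard
- Rules for a single HTTP-based web site or server farm
- Rules for a single SSL-based web site or server farm
The Test Rule feature can detect the following types of errors:
- Server certificate errors - triggered when the check of the server certificate fails
- Name resolution errors - triggered when name resolution fails
- Connectivity errors - triggered when ISA fails to establish a connection to the server
- General errors - triggered by other factors
The following are the common error codes seen when running a Test Rule check: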
Published server certificate errors:

| Error codes | Error description | Description |
| --- | --- | --- |
| 0x80090308 | The token supplied to the function is invalid. | This happens when the published port is not used for listening to SSL. |
| 0x80090322 | The target principal name is incorrect. | Usually this happens when accessing HTTPS sites and the certificate name on the server doesn’t match the URL with which it’s being accessed. Recommendation: Check the certificate of the published Web site, and then update the name of the published site on the To tab. |
| 0x80090325 | The certificate chain was issued by an authority that is not trusted. | ISA Server doesn’t have the root certificate from the certification authority (CA) installed. Recommendation: Import the CA certificate. |
| 0x80090328 | The received certificate has expired. | The certificate on the published server has expired. Recommendation: Replace or renew the certificate on the published server. |

Name resolution errors:

| Error codes | Error description | Description |
| --- | --- | --- |
| 11004 | The requested name is valid, but no data of the requested type was found. | This occurs when the name resolution to the published server (that is published by its NetBIOS name) fails. Recommendation: Check whether the name on the To tab of the published rule is resolvable. |
| 11001 | Host not found. | This occurs when the name resolution to the published server (that is published by its FQDN name) fails. Recommendation: Check whether the name on the To tab of the published rule is resolvable. |

Connectivity errors:

| Error codes | Error description | Description |
| --- | --- | --- |
| 10061 | No connection could be made because the target computer actively refused it. | The published server does not have a Web server listening on the published port, or Internet Information Services (IIS) 6.0 has not started and is not listening to any port. |

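To cross-check a Test Rule result from another machine, the added example below (not ISA Server code, and not a description of how Test Rule is implemented) runs the same three kinds of checks against a published server and maps each failure to the closest category and row in the tables above. The function names `probe` and `classify`, the sample targets, and the pairing of OpenSSL verify codes with the table rows are assumptions made for this example.

```python
import socket
import ssl

# Assumption: OpenSSL verify codes paired with the certificate rows of the table above.
CERT_ROWS = {
    10: "0x80090328 certificate expired",
    62: "0x80090322 name does not match",
    18: "0x80090325 untrusted authority",
    19: "0x80090325 untrusted authority",
    20: "0x80090325 untrusted authority",
}

def classify(exc):
    """Map a probe failure to (category, closest table row)."""
    if isinstance(exc, socket.gaierror):
        return ("name resolution", "11001 / 11004")
    if isinstance(exc, ConnectionRefusedError):
        return ("connectivity", "10061")
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)
        return ("certificate", CERT_ROWS.get(code, "unmapped verify code %s" % code))
    if isinstance(exc, ssl.SSLError):
        # Handshake failed before any certificate was seen, e.g. plain HTTP on the port.
        return ("certificate", "0x80090308 port not listening for SSL")
    return ("general", str(exc))

def probe(host, port, use_ssl=True, cafile=None, timeout=5.0):
    """Resolve, connect to and (optionally) validate the certificate of a published server."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if use_ssl:
                # cafile: PEM bundle holding the internal CA root, if one is used.
                ctx = ssl.create_default_context(cafile=cafile)
                with ctx.wrap_socket(sock, server_hostname=host):
                    pass
        return ("ok", "")
    except OSError as exc:
        return classify(exc)

if __name__ == "__main__":
    # Constructed sample targets: a reserved .invalid name and a local port.
    for target in [("web01.example.invalid", 443), ("127.0.0.1", 443)]:
        print(target, probe(*target))
```

Pass the name exactly as it appears on the To tab of the rule as `host`, so the hostname check exercises the same name the rule uses.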
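In most cases the Test Rule feature accurately reflects whether a publishing rule is correct, but it has some functional limitations. For details, see: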
ISA Server 2006 SP1 - Test Button Issues
http://blogs.technet.com/isablog/archive/2008/07/17/isa-server-2006-sp1-test-button-issues.aspx
Cherry Qian, James Yi
Microsoft Security Support Specialists