Site Rules for DMZ (Forbidden: Access is Denied)

Hello,


We have a problem regarding the Site Rules for DMZ-deployed apps. We have 2 front-end production servers, for Intranet and DMZ, both on-premise servers, and created the same DNS. The internal front-end site rules config seems to be working, but not in the DMZ (same configuration, controller). The error shows "403 - Forbidden: Access is denied" upon accessing the page.

It's an OutSystems V10 infra, by the way.


Any ideas on how to solve this problem?

Hi Mark,

Have you also installed the ISAPI filters on the DMZ frontend? 

Did you check the Event Viewer logs and IIS logs to see if you can get a clue out of there?

Regards,

Nordin

Hi Nordin, 

Thanks for your reply.

We already installed the ISAPI filters on the DMZ frontend, the same as on the on-prem frontend, but the issue still persists.


Hi Mark,

What happens if you execute a request to a webscreen available on your DMZ frontend without using an SEO rule? So what about if you use the original URL path like 'https://hostname/modulename/webscreen.aspx'? Does the same 403 error occur?

Again, checking the earlier mentioned logs could be very helpful in identifying the issue.

Regards,

Nordin

Hi Nordin,

It's working when using the URL path with the module name, as you mentioned.

I am currently requesting the IIS logs from our System Administrator.

Hi Nordin,

As per the logs, there's an ISAPI error regarding file permission to logs. We already added IIS_IUSRS to the OutSystems folder to fix the logging issue, then restarted the IIS service.

But the issue still persists.

Hi Mark,

Well, that looks like a specific error. 

Please make sure both the OSRUNTIME and NETWORK SERVICE users are part of the IIS_IUSRS group. A server restart might be required after user/roles changes.

Let me know if that worked for you.

Regards,

Nordin

Solution

Hi Nordin,

Thanks for your reply.

I already detected the problem in the DMZ server: there's a missing activity on the ISAPI Filter, which is the DefaultAppPool that needs to change to OutsystemsApplication. By the way, thanks for the help.


Hi Mark,

Ah yes, that's indeed a requirement for the SEO feature to work and it was going to be my next suggestion if the OSRUNTIME was indeed part of the IIS_IUSRS group.

I'm glad you've figured it out yourself :).

Regards,

Nordin