11 Replies Latest reply on Jan 9, 2014 4:42 PM by philmodjunk

    Admin Console forbidden from most locations

    Yadin

      Summary

      Admin Console forbidden from most locations

      Product

      FileMaker Server

      Version

      12

      Operating system version

      Server 2008

      Description of the issue

      When going to port 16000 and clicking to Start Admin Console from various systems, instead of starting or getting a java prompt or a download window or whatever, you get this:

      HTTP Status 403 -
      FileMaker Server has encountered an error:
      Access to the specified resource () has been forbidden.

      If the Server Launch Page is not available, visit the FileMaker Website for more assistance.
      FileMaker Server

      Since this is network based, it's clear there is some odd permissions issue in the server software that denies access to the console based on network connection.  I can make no sense of this however based on IP ranges as to what it's allowing and denying.  I can find no documentation on this or place to configure it.  I find this issue is common, and no resolutions for 4 years and as many versions.  It's clear this is based in the configuration of the software given the error condition and is not due to firewalls.

      Steps to reproduce the problem

      Noted in Description

      Expected result

      Admin console will launch

      Actual result

      403 Forbidden

      Exact text of any error message(s) that appear

      Noted in Description

      Configuration information

      Browser and OS for connecting client do not matter.  All other portions of the web interface and IWP work fine from all connections/systems/browsers.  This is isolated to the Admin Console when accessed from certain subnets.

      Workaround

      None.  Due to the time spent trying to sort this out and the lack of any documentation on it, I now consider this a bug and not a simple configuration/support issue.

        • 1. Re: Admin Console forbidden from most locations

          Yadin:

               Thank you for the post.

                

          FileMaker Server 12 and FileMaker Server 12 Advanced port numbers

          What are the port numbers used by FileMaker Server 12 and FileMaker Server 12 Advanced?

                

               Both ports 16000 and 16001 will need to be open to the end user to remotely launch the FileMaker Server 12 (Advanced) Admin Console.

                

               Can you provide the operating system and version of Java on a remote configuration that does not work?

                

               If the client machine is a Mac, does a Network Utility Port Scan show port 16000 and 160001 as open from the client I.P. to the server I.P.?

                

               If the client machine is Windows, does Telnet show port 16000 and 160001 as open from the client I.P. to the server I.P.?

                

               Any other specific differences between the working and non-working computers besides being on another subnet?

                

               TSFalcon

               FileMaker, Inc.

          • 2. Re: Admin Console forbidden from most locations
            Yadin

                 Yes those ports are open, which applies to all connections, and again that's clearly not the issue as that would not produce a 403 error, it would produce a server timeout.

                 The Java versions aren't really relevant since Java never happens since the jnlp is 403.  But since you asked, I have tried on both a Mac 10.8.5 with FF ESR 17.0.7 using Java 7 u40 and Windows 7 SP1 with FF ESR 24.2.0 using Java 7 u45.  Again, these configurations work fine on another subnet.

                 Port scan shows those ports are open.  Telnet connects to those ports.  As I said before, it's not a port issue.

                 There are no differences of note, other than the Windows machine on site is bound to AD and the remote one is not, but again since there is no authentication involved (unless FM is doing something in the background without proper user request), that seems irrelevant.

                 If I recall, we did not see this issue under FM 11, this issue began for us with FM 12.  There is no known difference in those implementations other than the version of the FM Server software installed.

                  

            • 3. Re: Admin Console forbidden from most locations

              Yadin:

                   Thank you for the reply.

                    

                   If port 16000 is open but port 16001 is blocked, then the FileMaker Server Start Page and the button to "Start Admin Console" will be available; however, clicking the button would return a connection error because the .jnlp file downloads over port 16001.

                    

                   Let's troubleshoot the Mac OS X 10.8.5 computer first. 

                    

                   From that computer:

                    

                   1. Open Network Utility.app

                   2. Click "Port Scan" in the top right

                   3. Enter the I.P. address of the FileMaker Server

                   4. Check the box "Only test ports between" and enter the range 15999 to 160002.

                   5. Click "Scan" (See screenshot below)

                    

                   After the scan completes, please take a screenshot and post back with the results.

                    

                   TSFalcon

                   FileMaker, Inc.

              • 4. Re: Admin Console forbidden from most locations
                Yadin

                     As I said before when you asked for this test, those ports are open, exactly as you show in your screenshot, do you not believe me that you're asking for a screenshot as proof?

                • 5. Re: Admin Console forbidden from most locations

                       Yadin:

                        

                       Thank you for the reply. I apologize for the delay. I had left the office for the day.

                        

                  FileMaker Support Methodology

                  What is FileMaker's Support Methodology?

                        

                       The only way to troubleshoot is to eliminate all the possible factors. I have no doubt that you’ve done troubleshooting in the past, and that this situation can be frustrating, but please keep in mind, I am here to help.

                        

                       My asking for the screenshot has nothing to do with my opinion and my intention was not to insult, but if we are currently troubleshooting from the problem configuration, then we need to know the status of port 16000 and port 16001 from the client to the host during troubleshooting. The ports may have been open in the past, but something could’ve changed.

                        

                       The ports very well could be open right now, but since the port is the most likely cause, I prefer not to guess when troubleshooting. The screenshot is to verify the current status.

                        

                       Please let me know how you would like to proceed.

                        

                       TSFalcon

                       FileMaker, Inc.

                  • 6. Re: Admin Console forbidden from most locations
                    Yadin

                         Then we have established the ports currently scan as open so that is not the problem, please proceed.

                    • 7. Re: Admin Console forbidden from most locations

                      Yadin:

                           Thank you for the reply.

                            

                           "Then we have established the ports currently scan as open so that is not the problem, please proceed."

                            

                           Which computer I.P. address currently scans as open to which I.P. address? 

                           Did you scan to the public or private I.P. address of the FileMaker Server?

                            

                           You said the client and host computers were on different subnets, are the computers in the same building or different locations?

                            

                           The next step would be to simplify the network environment. 

                            

                           Is the client machine still able to load the FileMaker Start Page? This information will help determine if we're getting the 403 error on port 16000 or 16001.

                            

                           TSFalcon

                           FileMaker, Inc.

                      • 8. Re: Admin Console forbidden from most locations
                        Yadin

                             You don't seem to be carefully reviewing the information I have provided, or have an accurate understanding of how the software works, which continues to be frustrating.  The very first thing in the issue I state is "When going to port 16000 and clicking to Start Admin Console..."  If 16000 was the 403, I wouldn't have a Start Admin Console button and would not then talk about the java console being the thing that permission is being denied to.

                             In the instance of client and server, they are always on different subnets, and I do mean different not just pieces of a divided subnet.  They are in the same physical building when the console works, but they might as well not be due to the various switches and network firewalls they go through to get to each other.  In fact, there are MORE such potential barriers in the office than from my home connection.  There is no public and private IP space, there is only a single IP address at play on the server.  I have not scanned the IP directly, I am scanning the DNS cname that is being used as that would present the most accurate result.  If I scan the cname that I use in the browser, that eliminates any question of DNS resolution issues, so that is what I have done.  All 3 systems on all 4 IP addresses can scan 16000 and 16001 as open, and telnet to them.

                             Again, it seems clear it's not the case that 16001 is not accessible, it's that the server software is denying permission to the java resource when certain client connections request it, hence the webserver is immediately delivering a custom 403 page from FileMaker to the client, not that it can't get a response after some delay.  Furthermore, to test this I purposefully blocked access to 16001 on the server and the office machines still got a prompt to download/open the jnlp file.  This further verifies that any issue with 16001 is NOT the issue at hand as it's NOT required for that download to occur, contrary to your statement otherwise, and access to it does NOT cause a 403 error.  It IS required for the console to connect (nothing happens launching the jnlp until that port is re-opened), but not to get the jnlp file to begin with.  Something else entirely is at work that prevents the webserver from giving access to the jnlp download for certain connections.

                             I hope this information helps move this issue along to the proper point.

                        • 9. Re: Admin Console forbidden from most locations

                          Yadin:

                               Thank you for the reply.

                                

                               Could you launch the FileMaker Server Admin Console on the server and check the settings in the FileMaker Server Admin Console under Configuration > General Settings > Admin Console > "Restrict Access"? (See screenshot below). 

                                

                               TSFalcon

                               FileMaker, Inc.

                          • 10. Re: Admin Console forbidden from most locations
                            Yadin

                                 That appears to be the problem, I will verify later this evening off site.  We had discovered some time ago that setting is unusable as it does not allow for IP ranges, and we can't begin to put in hundreds of IP addresses to account for an authorized VPN pool.  In effect, that is a needed feature request, if not an outright bug, unless there is an undocumented way to specify a range.  It will not accept any attempted syntax of normal conventions for an IP range be it / - or *.  If you have any information here it would be appreciated, otherwise please log the problem to the developers.

                                 It seems that setting activated itself at some point, so only the previously entered office IP addresses were able to access the server since we could never add the other ranges, and the download checks against that which was unexpected behavior.  This leads to the next bug/feature improvement, that page should not respond with such a generic 403 message. Since it's clearly already a custom 403 from FileMaker it should specifically say something to the effect of attempting to connect from an unauthorized IP address, check access restriction settings in the admin console from an authorized machine.  This way there would be a clearer indication of what is going on, and how to pursue resolution.  Again, please pass this along.

                                 Of course the fact that this option turned itself on at some point is also a bug, though I clearly have no further information to help track down the event that may have caused that.  My only guess would be an update of the FileMaker software was the culprit.  I will keep an eye out for this in the future having learned this lesson.

                                 Thank you for finally getting us to an answer.  It's regrettable it took several months' time of failed support ending in this extensive and misdirected bug thread to hit on something so simple yet so obscured.  Hopefully this feedback will help improve the product to avoid such an issue in the future.

                            • 11. Re: Admin Console forbidden from most locations
                              philmodjunk

                                   For what it's worth, the site for posting feature requests is here: http://www.filemaker.com/company/contact/feature_request.html
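
The distinction argued in reply 8 and confirmed in reply 10 (a 403 is the server answering and refusing, not a blocked port), as an added example that is not part of the original thread or FileMaker's own code. It assumes the Start Page port speaks plain HTTP; the host, port and paths are supplied by the caller, and no FileMaker-specific URL is assumed.

```python
import http.client
import socket
import sys


def probe(host, port, path="/", timeout=5.0):
    """One plain-HTTP GET. Returns ("network", reason) or ("http", status)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return ("http", resp.status)
    except socket.timeout:
        return ("network", "timeout")      # packets silently dropped on the path
    except ConnectionRefusedError:
        return ("network", "refused")      # nothing listening, or port rejected
    except (OSError, http.client.HTTPException) as exc:
        return ("network", type(exc).__name__)
    finally:
        conn.close()


def diagnose(outcome):
    """Map a probe outcome to the layer that needs investigating."""
    layer, detail = outcome
    if layer == "network":
        return "network_path"       # firewall, routing, or service not running
    if detail == 403:
        return "application_acl"    # server replied and refused this client:
                                    # look at server-side access restrictions
    if detail == 401:
        return "authentication"
    if 200 <= detail < 400:
        return "allowed"
    return "other_http"


def check(host, port, paths, timeout=5.0):
    """Probe several paths from this vantage point; returns {path: verdict}."""
    return {p: diagnose(probe(host, port, p, timeout)) for p in paths}


if __name__ == "__main__":
    # Usage: python check.py <host> <port> <path> [<path> ...]
    host, port, paths = sys.argv[1], int(sys.argv[2]), sys.argv[3:]
    for path, verdict in check(host, port, paths).items():
        print(f"{path}: {verdict}")
```

Run from an affected and an unaffected subnet against the same paths: a start page that is `allowed` next to a launch resource that is `application_acl` only on the affected side is the pattern in this thread, and points at a per-client allowlist such as the Admin Console "Restrict Access" setting.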