Trying to access a resource on an IIS WebSite over the HTTP protocol with the Symantec SiteMinder R12.52 WebAgent for IIS installed results in a 403 error at the browser. There are no Agent logs generated and LLAWP does not start.

Applies to the Web Agent for IIS 12.52 and 12.8

Applies to any IIS version

A review of the "Failed Request Tracing" provides the "HttpSubStatus" code of "4" for the 403 error; 

<EventData>

  <Data Name="ContextId">{80000006-0000-D200-B63F-84710C7967BB}</Data>

  <Data Name="ModuleName">IIS Web Core</Data>

  <Data Name="Notification">1</Data>

  <Data Name="HttpStatus">403</Data>

  <Data Name="HttpReason">Forbidden</Data>

  <Data Name="HttpSubStatus">4</Data>

  <Data Name="ErrorCode">2147942405</Data>

  <Data Name="ConfigExceptionInfo"></Data>

</EventData>

The following link provides the definitions for the IIS HTTP status codes;

https://support.microsoft.com/en-us/help/943891/the-http-status-code-in-iis-7.0,-iis-7.5,-and-iis-8.0 

Following is from this link:

•403.1 - Execute access forbidden. 

•403.2 - Read access forbidden. 

•403.3 - Write access forbidden. 

•403.4 - SSL required. 

•403.5 - SSL 128 required. 

•403.6 - IP address rejected. 

•403.7 - Client certificate required. 

From the complete error of "403.4", we can see "SSL required".

A review of the ApplicationHost.config file also shows that SSL is required for the site;

<location path="MyIIS.xWebSite"> 

<system.webServer> 

<security> 

<access sslFlags="Ssl" /> 

</security> 

</system.webServer> 

</location>

The IIS Web Site is configured to require SSL, however the request was over HTTP instead of HTTPS.

Make the request over the HTTPS Port/Binding for the Web Site, or un-check the "Require SSL" check-box in the "SSL Settings" for the Web Site, or modify the ApplicationHost.config file and set the "access sslFlags" parameter to "None".