Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

The SecureNAT Clients Cannot Access the Internal Resources That Are Published by Means of ISA Server


View products that this article applies to.

Symptoms

The secure network address translation (SecureNAT) computer clients cannot access internal resources that are published by means of Internet Security and Acceleration (ISA) Server. These resources are accessible to clients that use the Internet, but the internal (intranet) clients receive a timeout error message.

↑ Back to the top


Cause

This behavior can occur when SecureNAT clients attempt to access a published resource by using an Internet name. The name resolves to a public Internet Protocol (IP) address on ISA Server. Then, the SecureNAT clients make a connection to ISA Server on the public interface. ISA Server forwards this request to the publishing server. The request also contains the source address of the client. In this situation, however, the source address is local to the intranet. The publishing server contacts the client directly. The client is expecting the connection to come from ISA Server so the client ignores the direct request from the internal resource.

↑ Back to the top


Resolution

To work around this behavior, use any of the following three methods:
  • Use an internal DNS server, host file, or Windows Internet Name Service (WINS) server to resolve the internal IP of the published resource. Then, the SecureNAT client can contact the resource directly.
  • Install a firewall client. By using the firewall client, the requests from the client are "remoted" to ISA Server. In effect, the connections are being established from ISA Server itself, which should not cause a problem.
  • Install the firewall client, and then configure a Wspcfg.ini file on the resource that is going to be published. This step can bind the listening port of the internal server to the public interface of ISA Server. This step can work for both internal and external clients.

↑ Back to the top


Status

This behavior is by design.

↑ Back to the top


More information

For additional information about how to use this process, click the article numbers below to view the articles in the Microsoft Knowledge Base:
250510 Hosting Multiple SSL Sites Using Server Proxy in Proxy 2.0
276388 XIMS: How to Configure Exchange 2000 Behind Proxy Server 2.0

↑ Back to the top


Keywords: KB296674, kbisa2004yes, kbprb, kbnetwork, kbenv

↑ Back to the top

Article Info
Article ID : 296674
Revision : 3
Created on : 1/15/2006
Published on : 1/15/2006
Exists online : False
Views : 411