The SecureNAT Clients Cannot Access the Internal Resources That Are Published by Means of ISA Server

The secure network address translation (SecureNAT) computer clients cannot access internal resources that are published by means of Internet Security and Acceleration (ISA) Server. These resources are accessible to clients that use the Internet, but the internal (intranet) clients receive a timeout error message.

This behavior can occur when SecureNAT clients attempt to access a published resource by using an Internet name. The name resolves to a public Internet Protocol (IP) address on ISA Server. Then, the SecureNAT clients make a connection to ISA Server on the public interface. ISA Server forwards this request to the publishing server. The request also contains the source address of the client. In this situation, however, the source address is local to the intranet. The publishing server contacts the client directly. The client is expecting the connection to come from ISA Server so the client ignores the direct request from the internal resource.

To work around this behavior, use any of the following three methods:

• Use an internal DNS server, host file, or Windows Internet Name Service (WINS) server to resolve the internal IP of the published resource. Then, the SecureNAT client can contact the resource directly.
• Install a firewall client. By using the firewall client, the requests from the client are "remoted" to ISA Server. In effect, the connections are being established from ISA Server itself, which should not cause a problem.
• Install the firewall client, and then configure a Wspcfg.ini file on the resource that is going to be published. This step can bind the listening port of the internal server to the public interface of ISA Server. This step can work for both internal and external clients.

This behavior is by design.

For additional information about how to use this process, click the article numbers below to view the articles in the Microsoft Knowledge Base: