Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
Note On a Windows 2003 server configured with an NLB cluster in the
internal and external interfaces with multiple virtual IP addresses on the
internal interface, where the following registry value is used, the IP that you
use to send traffic to the published server may be one of the virtual IP
addresses and not the dedicated IP address. This is typically true when only
one IP address is used in the virtual IP address. As a result, the reply
traffic is load balanced and may land on a firewall server that does not have
context for this traffic. Such traffic does not return to the remote client, so
the client does not connect.
To enable the translation of the client
source address in server publishing:
- Obtain and install ISA Server 2000 Service Pack
1.
For more information about
how to obtain the latest ISA Server service pack, click the following article number to view the article in the Microsoft Knowledge Base:
313139
How to obtain the latest Internet Security and Acceleration Server 2000 service pack
- Edit the registry:
- Start Registry Editor, locate, and then click the
following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fwsrv\Parameters
- On the Edit menu, click Add
Value, and then add the following registry value:
Value name: UseISAAddressInPublishing
Data type: REG_DWORD
Radix: Binary
Value data: 1
- Quit Registry Editor.
- Restart the Firewall service from the Services tool in
Control Panel.
In typical server publishing with ISA Server, incoming packets
are received by the Firewall service and the destination address is changed in
the new request that is sent to the internal server. The original destination
address was the ISA server's external IP address, and the new destination
address is the IP address of the internal published server. However, this new
packet that was sent from the ISA Server computer to the internal server still
has the original source address of the external client where the packet
originated.
This requires that the internal server have a default
route to the Internet through ISA Server for reply packets to be returned back
to the source (after being appropriately translated by ISA Server on the way
out). That is, the default gateway of the server being published must route through the ISA Server computer that is performing Server Publishing.
Some large corporate networks do not have default routes out to
the Internet, and in those environments, this can be a problem.
A
feature has been introduced in ISA Server 2000 Service Pack 1 allows you to set
a registry value that causes ISA Server to also replace the source address of
these incoming requests so that the packets that are sent to the internal
server have the source address of the ISA Server computer. This allows the
normal IP routing configuration in these large networks to route these packets
back to the ISA Server computer which can then NAT these packets back to the
original external host where the request originated.
Note This feature works only if the published protocol does not
require an application filter (there were no secondary connections in the
protocol) and for publishing FTP and RPC servers (only FTP and RPC application
filters have this support).