Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Cannot connect to a published service from the external network when the published service is running directly on the ISA Server 2004 computer


View products that this article applies to.

Symptoms

After you create a server publishing rule that publishes a service on your Microsoft Internet Security and Acceleration (ISA) Server 2004 computer, you cannot connect to the service from the external network.

↑ Back to the top


Cause

This behavior occurs if all the following conditions are true:
The service that you publish is running directly on the ISA Server computer. You configure the Internet Protocol (IP) address that appears on the To tab in the properties of the server publishing rule to use a local IP address of the ISA Server.
Network address translation (NAT) is used between the address that appears on the To tab in the properties of the server publishing rule and the source that is specified on the From tab in the properties of the server publishing rule. The server publishing rule publishes one IP address of the ISA Server computer, and redirects to another local IP address.
The service that you publish uses a User Datagram Protocol (UDP) protocol definition.
The service process binds to the IP address 0.0.0.0, and not to the specific local IP address that is specified on the To tab in the properties of the server publishing rule.
If you right-click the server publishing rule, click Properties, and then click the To tab, the Requests appear to come from the original client option is selected.
If all these conditions are true, when the published service sends a reply packet to the client, the TCP/IP stack chooses the local IP address for the reply according to the route to the client address. This behavior occurs because the socket is bound to address 0.0.0.0. Because the route to the client address is the publishing rule listener address, the local address that is chosen is different from the local address of the original request that the service received. (The local address of the original request was the IP address that is specified on the To tab in the properties of the server publishing rule.) Therefore, the state in the driver does not match this traffic, and the traffic is dropped.

↑ Back to the top


Resolution

To resolve this behavior, use one of the following methods:
Change the server address for the publishing rule to match the listener IP address.
Configure the service to bind to the specific local IP address that is specified on the To tab in the properties of the server publishing rule.
Change the server publishing rule option Requests appear to come from the original client to Requests appear to come from the ISA Server computer. To do this, right-click the server publishing rule, click Properties, click the To tab, and then click Requests appear to come from the ISA Server computer.

↑ Back to the top


Keywords: KB838376, kbprb, kbfirewall

↑ Back to the top

Article Info
Article ID : 838376
Revision : 2
Created on : 7/16/2004
Published on : 7/16/2004
Exists online : False
Views : 351