SecureNat Mappings counter increases, and client computers can no longer access external sites from behind ISA Server 2000

On a computer that is running Microsoft Internet Security and Acceleration (ISA) Server 2000, the SecureNat Mappings counter increases significantly when you run the ISA Server Performance Monitor tool. Also, client computers experience all the following symptoms:

�	Client computers that are running the Firewall client program can no longer access external sites.
�	Client computers that are configured as SecureNAT clients can no longer access external sites.
�	Client computers that are configured as Web proxy clients can access external sites.

Note These symptoms occur even though you have not made any recent configuration changes to ISA Server.

This issue occurs if the following conditions are true:

�	ISA Server is configured with one or more site and content rules to restrict access to external sites.
�	A client computer that is connected to your internal network is infected with a computer virus or a worm program that generates lots of User Datagram Protocol (UDP) traffic to random IP addresses. For example, this issue may occur if a client computer is infected with the W32.Opaserv.Worm worm program.

This issue occurs because the worm program sends a very large amount of UDP traffic to the ISA Server computer on port 137. Because of this traffic, ISA Server cannot query a Domain Name System (DNS) server to resolve the names of the restricted sites that are referenced by the site and content rules.

When ISA Server receives a request for content from an external site, ISA Server must resolve the list of restricted sites that are referenced by the site and content rules. It can then determine whether the internal client is requesting content from a restricted site. If ISA Server cannot resolve the request with a DNS server, the internal client computer is not permitted to access the external site.

To resolve this issue, follow these steps:

1.	Temporarily turn off your site and content rules that restrict access to external sites. Warning This step is intended to help restore Internet access for your client computers. However, this step could give users access to restricted content. Therefore, do not perform this step if your corporate policy does not allow for the temporary removal of these restrictions. To turn off a site and content rule, follow these steps: a. Start the ISA Management tool. b. Expand Servers and Arrays, expand your ISA Server computer, expand Access Policy, and then click Site and Content Rules. c. In the right pane, double-click the rule that you want to turn off. d. Click to clear the Enable check box, and then click OK.
2.	Turn on the Allow rule setting to permit access to all external destinations. When you turn on this setting, ISA Server no longer has to perform DNS queries for client requests. To turn on the Allow rule setting, follow these steps: a. In the Configure Site Rules pane of the ISA Server Management tool, double-click Allow rule. b. Click to select the Enable check box, and then click OK.
3.	Review the ISA Server Firewall service log file to determine the IP address of the computer that is generating the increased UDP traffic. For additional information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base: 284818 A description of the various log files and fields
4.	Remove the virus or worm program from the client computer that is generating the increased UDP traffic.
5.	Restore your site and content rule configuration to the original settings. For example, turn off the Allow rule setting, and then turn on the site and content rules that you turned off in step 1.

For additional information about related topics, click the following article number to view the article in the Microsoft Knowledge Base: For more information about ISA Server, visit the following Microsoft Web site: