Error message when a client computer tries to access a shared resource through a server that is running Microsoft Forefront Threat Management Gateway, Medium Business Edition, or ISA Server: "Connection failed. Access denied"

When a client computer that is running the Microsoft Internet Security and Acceleration (ISA) Sever Microsoft Firewall Client program tries to access a shared resource through a server that is running Microsoft ISA Server, the client computer may receive an error message that is similar to the following:This issue only occurs when the following conditions are true.

ISA Server 2004, ISA Server 2006, and Microsoft Forefront Threat Management Gateway

This issue occurs in Microsoft ISA Server 2004, ISA Server 2006, and Forefront Threat Management Gateway when all the following conditions are true:

• An access rule is configured on the server that enables communication over the Common Internet File System (CIFS) protocol.
• This access rule is applied to specific users or groups.
• The client computer tries to access the shared resource through this access rule.

ISA Server 2000

This issue occurs in Microsoft ISA Server 2000 when all the following conditions are true:

• A protocol rule is configured on the server that enables communication over the CIFS protocol.
• This protocol rule is applied to specific users or groups.
• The client computer tries to access the shared resource through this protocol rule.
• The client computer uses a local address table (LAT) to connect.

Note ISA Server 2000 does not have a default protocol definition for CIFS. A CIFS protocol definition must be created by the ISA administrator with the following properties:

• Port = 445
• Protocol = TCP or UDP
• Direction = Outbound (TCP) or Send-Receive (UDP)
• Secondary connections = None

For more information about how to create a protocol definition in ISA Server 2000, visit the following Microsoft Web site:

This issue occurs because the ISA Server Firewall Client program cannot authenticate CIFS connections to a server that is running ISA Server.

The Firewall Client program is responsible for providing authentication to the server for non-Web protocols such as Simple Mail Transfer Protocol (SMTP) and Post Office Protocol 3 (POP3). The Firewall Client program can only process Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) traffic that is passed through the Windows Sockets API (Winsock). CIFS connections do not use Winsock calls. Therefore, the Firewall Client program cannot authenticate CIFS connections to the server. If you configure a rule that requires CIFS authentication, the connection will be denied.

To resolve this issue, create anonymous rules for CIFS traffic. To do this, follow these steps.

Microsoft Forefront Threat Management Gateway, Medium Business Edition

1. Open Microsoft Forefront Threat Management Gateway, Medium Business Edition Management.
2. In the Microsoft Forefront Threat Management Gateway, Medium Business Edition Management console tree, expand Microsoft Forefront Threat Management Gateway, Medium Business Edition, and then click Firewall Policies.
3. Right-click the rule that you created for CIFS, and then click Properties.
4. On the Users tab, click to select the users or the groups to which you applied the rule under This rule applies to requests from the following user sets, and then click Remove. Repeat this step until you remove all users or groups.
5. Under This rule applies to requests from the following user sets, click Add.
6. Under User sets, click All Users, click Add, and then click OK.
7. Click Apply when you are prompted to save the changes.

ISA Server 2004 and ISA Server 2006

1. Open ISA Server Management.
2. In the ISA Server Management console tree, expand Servers and Arrays, expand ArrayName, and then click Firewall Policies.
3. Right-click the rule that you created for CIFS, and then click Properties.
4. On the Users tab, click to select the users or groups that you applied the rule to under This rule applies to requests from the following user sets, and then click Remove. Repeat this step until you have removed all users or groups.
5. Under This rule applies to requests from the following user sets, click Add.
6. Under User sets, click All Users, click Add, and then click OK.
7. Click Apply when you are prompted to save the changes.

ISA Server 2000

1. Open ISA Server Management.
2. In the ISA Management console tree, expand Servers and Arrays, expand ArrayName, expand Access Policy, and then click Protocol Rules.
3. Right-click the rule that you created for CIFS, and then click Properties.
4. On the Applies To tab, click one of the following options, and then click OK:
   • Any request.
   • Client address sets specified below.
     
     Note If you select Client address sets specified below, you must include the client address set that you have defined in Client Address Sets under Policy Elements.