Server Publishing Rules May Not Permit Inbound UDP Packets Through to Published Server (301351)


The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000
This article was previously published under Q301351

SYMPTOMS

When you use Server Publishing rules to publish an internal server that receives incoming User Datagram Protocol (UDP) packets, some inbound packet types may be dropped by Internet Security and Acceleration (ISA) Server. If you perform a network trace on both interfaces of the ISA server, the packets may be received on the external interface but they are not passed to the internal or private network.

CAUSE

This issue occurs because certain UDP ports require that a Site and Content rule be created to permit the packet to pass through the ISA server. For example, if you want to publish a Domain Name Service (DNS) server behind ISA Server 2000, you must create a Site and Content rule with at least the following parameters:
  • Response to client requests for access: Allow
  • Apply this rule to: All external destinations
  • Use this schedule: Always
  • Apply the rule to requests from: Specific computers (client address sets)

    Note: You must create a client address set that includes the DNS server.

WORKAROUND

To work around this issue, create a Site and Content rule for the server that you published to permit the UDP packet to pass through ISA Server 2000. To do this, follow these steps.

Step 1: Create a Client Address Set

Create a Client Address Set that includes the server that you published. To do so:
  1. Start the ISA Management snap-in. To do this, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
  2. Locate the Client Address Sets container under Policy Elements.
  3. Right-click Client Address Sets, point to New, and then click Set.
  4. In the Name box, type a descriptive name for the set. For example, type DNS Server.
  5. Click Add, type the IP address of the server computer that you published (for example, type the IP address of the DNS server) in the From and the To boxes, and then click OK.
  6. If you want to add other computers to the client set, click Add, type the IP address range, and then click OK.
  7. When you are finished adding IP addresses, click OK.

Step 2: Create a Site and Content Rule

Create a Site and Content Rule to permit the UDP packets through the ISA server. To do so:
  1. Start the ISA Management snap-in. To do this, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
  2. Depending on the version of ISA and the installation type, locate the Site and Content Rules container under Access Policy (either at the Enterprise level or the Servers and Arrays level).
  3. Right-click Site and Content Rules, point to New, and then click Rule.
  4. In the Site and content rule name box, type a descriptive name for the rule, and then click Next.
  5. Click Allow, and then click Next.
  6. Click Allow some clients access to all external sites, and then click Next.
  7. Click Specific computers (client address sets), and then click Next.
  8. Click Add, click the client set that you created in the "Step 1: Create a Client Address Set" section of this article, click Add, and then click OK.
  9. Click Next, and then click Finish.

MORE INFORMATION

Published servers that use TCP are not affected by this issue. Additionally, some UDP protocols will continue to work without the workaround described in the "Workaround" section of this article if you enable IP routing on the ISA server. To enable IP routing, follow these steps:
  1. Start the ISA Management snap-in. To do this, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
  2. Locate the IP Packet Filters container under Access Policy.
  3. Right-click IP Packet Filters, and then click Properties.
  4. Click to select the Enable IP routing check box, make sure that the Enable packet filtering check box is selected, and then click OK.

REFERENCES

For information about how to obtain Service Pack 1 (SP1) for ISA Server 2000, visit the following Microsoft Web site:

http://www.microsoft.com/isaserver/downloads/sp1.asp

For additional information about how to configure the Web Publishing Service with ISA Server, click the following article number to view the article in the Microsoft Knowledge Base:

313072 HOW TO: Configure the Web Publishing Service to Work with Internet Security and Acceleration Server in Windows 2000

For additional help and support with Microsoft Internet Security and Acceleration (ISA) Server, visit the following Web sites:

http://www.microsoft.com/isaserver
http://www.isaserver.org

back to the top
Modification Type:MinorLast Reviewed:4/28/2003
Keywords:kbprb KB301351
©2002 Microsoft Corporation. All rights reserved.