Server Publishing Rules May Not Permit Inbound UDP Packets Through to Published Server (301351)
The information in this article applies to:
- Microsoft Internet Security and Acceleration Server 2000
This article was previously published under Q301351

SYMPTOMS
When you use Server Publishing rules to publish an internal
server that receives incoming User Datagram Protocol (UDP) packets, some
inbound packet types may be dropped by Internet Security and Acceleration (ISA)
Server. If you perform a network trace on both interfaces of the ISA server,
the packets may be received on the external interface but they are not passed
to the internal or private network.

CAUSE
This issue occurs because certain UDP ports require that a
Site and Content rule be created to permit the packet to pass through the ISA
server. For example, if you want to publish a Domain Name Service (DNS) server
behind ISA Server 2000, you must create a Site and Content rule with at least
the following parameters:
- Response to client requests for access: Allow
- Apply this rule to: All external destinations
- Use this schedule: Always
- Apply the rule to requests from: Specific computers (client address sets)
Note: You must create a client address set that includes the DNS server.

WORKAROUND
To work around this issue, create a Site and Content rule
for the server that you published to permit the UDP packet to pass through ISA
Server 2000. To do this, follow these steps.

Step 1: Create a Client Address Set
Create a Client Address Set that includes the server that you
published. To do so:
- Start the ISA Management snap-in. To do this, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
- Locate the Client Address Sets container under Policy Elements.
- Right-click Client Address Sets, point to New, and then click Set.
- In the Name box, type a descriptive name for the set. For example, type DNS Server.
- Click Add, type the IP address of the server computer that you published (for example, type the IP address of the DNS server) in the From and the To boxes, and then click OK.
- If you want to add other computers to the client set, click Add, type the IP address range, and then click OK.
- When you are finished adding IP addresses, click OK.

Step 2: Create a Site and Content Rule
Create a Site and Content Rule to permit the UDP packets through
the ISA server. To do so:
- Start the ISA Management snap-in. To do this, click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Management.
- Depending on the version of ISA and the installation type, locate the Site and Content Rules container under Access Policy (either at the Enterprise level or the Servers and Arrays level).
- Right-click Site and Content Rules, point to New, and then click Rule.
- In the Site and content rule name box, type a descriptive name for the rule, and then click Next.
- Click Allow, and then click Next.
- Click Allow some clients access to all external sites, and then click Next.
- Click Specific computers (client address sets), and then click Next.
- Click Add, click the client set that you created in the "Step 1: Create a Client Address Set" section of this article, click Add, and then click OK.
- Click Next, and then click Finish.
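
To confirm the symptom before the change and to verify the workaround afterward, the traces from the two interfaces can be compared programmatically. The following Python script is an added example, not part of the original article or of ISA Server; the packet records, addresses, and function names are constructed for illustration. It assumes that publishing rewrites only the destination address, so the source address, source port, and payload are unchanged on the internal side.

```python
from collections import Counter
from typing import NamedTuple


class UdpPacket(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def match_key(pkt):
    # The destination address is excluded because publishing rewrites it from
    # the external address to the published server's internal address.
    # Assumption: source address/port and payload pass through unchanged.
    return (pkt.src, pkt.sport, pkt.dport, pkt.payload)


def dropped_udp(external, internal, published_ip, server_ip):
    """Return external-side packets with no forwarded copy on the internal side."""
    inbound = [p for p in external if p.dst == published_ip]
    forwarded = Counter(match_key(p) for p in internal if p.dst == server_ip)
    missing = []
    for pkt in inbound:
        key = match_key(pkt)
        if forwarded[key] > 0:
            forwarded[key] -= 1  # consume one forwarded copy (handles retries)
        else:
            missing.append(pkt)
    return missing


def summarize(missing):
    """Count dropped packets per destination UDP port."""
    return dict(Counter(p.dport for p in missing))


# Constructed sample traces (addresses are illustrative, not from the article).
PUBLISHED_IP, SERVER_IP = "203.0.113.10", "192.168.0.5"
EXTERNAL = [
    UdpPacket("198.51.100.7", 4001, PUBLISHED_IP, 53, b"\x12\x34query-a"),
    UdpPacket("198.51.100.7", 4001, PUBLISHED_IP, 53, b"\x12\x34query-a"),  # retry
    UdpPacket("198.51.100.9", 4002, PUBLISHED_IP, 53, b"\x56\x78query-b"),
    UdpPacket("198.51.100.9", 4003, "203.0.113.99", 53, b"other-host"),
]
INTERNAL = [UdpPacket("198.51.100.7", 4001, SERVER_IP, 53, b"\x12\x34query-a")]

if __name__ == "__main__":
    for pkt in dropped_udp(EXTERNAL, INTERNAL, PUBLISHED_IP, SERVER_IP):
        print(f"not forwarded: {pkt.src}:{pkt.sport} -> udp/{pkt.dport}")
```

An empty result after the Site and Content rule is in place indicates that every inbound UDP packet addressed to the published server reached the internal interface.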

REFERENCES
For information about how to obtain Service Pack 1 (SP1) for
ISA Server 2000, visit the following Microsoft Web site:
For additional information about how to configure the
Web Publishing Service with ISA Server, click the following article number to
view the article in the Microsoft Knowledge Base:
313072 HOW TO: Configure the Web Publishing Service to Work with Internet Security and Acceleration Server in Windows 2000
For additional help and support with Microsoft
Internet Security and Acceleration (ISA) Server, visit the following
Web sites:

Modification Type: Minor
Last Reviewed: 4/28/2003
Keywords: kbprb KB301351