Firewall Client-Based Client Computers Are Unable to Access Resources (271471)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000

This article was previously published under Q271471

SYMPTOMS

When you migrate from a Microsoft Proxy Server version 2.0-based array to an Internet Security and Acceleration (ISA) Server-based array, some of the Firewall Client-based client computers may sometimes be unable to access resources that are available to the earlier Winsock Proxy (WSP)-based clients.

CAUSE

This behavior can occur if both Proxy Server 2.0-based and ISA Server-based servers are being accessed interchangeably by either client.

Although the Firewall Client program is fully backward compatible with the WSP service of Proxy Server 2.0, Proxy Server 2.0 expects a client that connects to Proxy Server, to advertise and use server protocol version 10. However, by default, the Firewall Client of ISA Server uses protocol version 11, unless the Firewall Client has been configured in the Mspclnt.ini file to use version 10.

The Mspclnt.ini file contains the server protocol version. If the server protocol is missing, version 10 (for Proxy Server 2.0) is selected. ISA Server-based computers have an .ini file with version 11 and the name of the array. The behavior in the "Symptoms" section of this article occurs if the name resolves to a set of computers that include both Proxy Server 2.0-based and ISA Server-based computers. If a client attempts to connect to a Proxy Server 2.0-based computer with protocol 11, the client is rejected.

WORKAROUND

To work around this behavior, remark out the value for ServerVersion=11 in the Mspclnt.ini file on ISA Server-based servers and on the Firewall Client-based clients as follows by using the Update button:

rem ServerVersion=11

-or-

;ServerVersion=11

NOTE: The leading semicolon (;) in an .ini file works the same way as a REM statement. For example: Two proxy servers in a Proxy Server 2.0-based array and two ISA Servers in an ISA Server-based array form the firewall and cache solution in a company. To ensure a smooth switch, you have registered a host record in your DNS that "round robin" resolves to each of the four servers. You must also remark out the value ServerVersion=11 in the Mspclnt.ini file on the ISA Server-based servers and on the Firewall Client-based clients by using the Update button to correct this behavior.


Modification Type:MinorLast Reviewed:1/15/2006
Keywords:kbenv kbprb KB271471