The SecureNAT Clients Cannot Access the Internal Resources That Are Published by Means of ISA Server (296674)


The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000
This article was previously published under Q296674

SYMPTOMS

The secure network address translation (SecureNAT) computer clients cannot access internal resources that are published by means of Internet Security and Acceleration (ISA) Server. These resources are accessible to clients that use the Internet, but the internal (intranet) clients receive a timeout error message.

CAUSE

This behavior can occur when SecureNAT clients attempt to access a published resource by using an Internet name. The name resolves to a public Internet Protocol (IP) address on ISA Server. Then, the SecureNAT clients make a connection to ISA Server on the public interface. ISA Server forwards this request to the publishing server. The request also contains the source address of the client. In this situation, however, the source address is local to the intranet. The publishing server contacts the client directly. The client is expecting the connection to come from ISA Server so the client ignores the direct request from the internal resource.

RESOLUTION

To work around this behavior, use any of the following three methods:
  • Use an internal DNS server, host file, or Windows Internet Name Service (WINS) server to resolve the internal IP of the published resource. Then, the SecureNAT client can contact the resource directly.
  • Install a firewall client. By using the firewall client, the requests from the client are "remoted" to ISA Server. In effect, the connections are being established from ISA Server itself, which should not cause a problem.
  • Install the firewall client, and then configure a Wspcfg.ini file on the resource that is going to be published. This step can bind the listening port of the internal server to the public interface of ISA Server. This step can work for both internal and external clients.

STATUS

This behavior is by design.

MORE INFORMATION

For additional information about how to use this process, click the article numbers below to view the articles in the Microsoft Knowledge Base:

250510 Hosting Multiple SSL Sites Using Server Proxy in Proxy 2.0

276388 XIMS: How to Configure Exchange 2000 Behind Proxy Server 2.0

Modification Type:MinorLast Reviewed:1/15/2006
Keywords:Kbisa2004yes kbenv kbnetwork kbprb KB296674
©2004 Microsoft Corporation. All rights reserved.