All Requests from SecureNAT and Firewall Clients Are Denied (297515)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000

This article was previously published under Q297515
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

All requests from internal Secure Network Address Translation (SecureNAT) or Firewall client computers may be denied by Internet Security and Acceleration (ISA) Server 2000, regardless of the protocol that you are using. However, if you configure your Web browser to use the Web Proxy service, you may be able to connect to either Hypertext Transfer Protocol (HTTP) or File Transfer Protocol (FTP) sites. If you configure an HTTP redirector filter to use the Redirect to local Web Proxy service setting, you may also be able to use either a SecureNAT or a Firewall client to connect to HTTP sites.

CAUSE

This problem can occur if you create a Site and Content Allow rule, and you use the Selected content groups setting instead of the All content groups setting (the default setting).

Site and Content rules that only allow selected content groups apply only to traffic that is processed by the Web Proxy service. Because the Site and Content Allow rule does not apply to all content groups, traffic coming from SecureNAT or Firewall clients is denied.

RESOLUTION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To resolve this problem:
  1. Obtain the latest service pack for ISA Server 2000. For additional information about how to obtain the latest service pack for ISA Server 2000, click the article number below to view the article in the Microsoft Knowledge Base:

    313139 How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack

  2. Stop the Firewall service.
  3. Start Registry Editor (Regedt32.exe).
  4. Locate and click the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fwsrv\Parameters

  5. On the Edit menu, point to New, and then click DWORD Value.
  6. Double-click the new value that you created in step 4, type IgnoreContentTypeIfNotApplicable in the Value name box, and then type 1 in the Value data box.
  7. Start the Firewall service.
To revert to the original configuration, either remove the IgnoreContentTypeIfNotApplicable registry value or set the value to 0. After you make either of these changes, restart the Firewall service.

When you configure the IgnoreContentTypeIfNotApplicable registry value, the ISA Server rules engine matches Site and Content Allow rules that only allow selected content groups to Firewall service requests that do not have Content-Type properties.

WORKAROUND

If you do not install SP1 and you want to use a Site and Content rule to restrict certain content groups, but you want to allow traffic from SecureNAT or Firewall clients, create a Site and Content Deny rule that denies the content groups that you do not want to allow through the Web Proxy service.
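
The following added example is a simplified Python model of the rule matching described in the CAUSE, RESOLUTION, and WORKAROUND sections. It is not ISA Server code and does not come from the original article. The class names, the `ignore_flag` parameter, the MIME types that stand in for content groups, the deny-before-allow evaluation order, and the allow rule for all content groups in the workaround scenario are assumptions of the model.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Request:
    service: str                 # label only: "webproxy" or "firewall" (SecureNAT/Firewall client)
    content_type: Optional[str]  # None: Firewall service requests have no Content-Type

@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    groups: Optional[FrozenSet[str]] = None  # None models "All content groups"

def matches(rule, req, ignore_flag):
    if rule.groups is None:
        return True  # "All content groups" applies to every request
    if req.content_type is None:
        # "Selected content groups" rule, request without Content-Type: not applicable,
        # unless IgnoreContentTypeIfNotApplicable is 1, and then only for Allow rules.
        return ignore_flag and rule.action == "allow"
    return req.content_type in rule.groups

def evaluate(rules, req, ignore_flag=False):
    # Assumed order: a matching Deny rule wins, then an Allow rule must match,
    # otherwise the request is denied.
    if any(r.action == "deny" and matches(r, req, ignore_flag) for r in rules):
        return "deny"
    if any(r.action == "allow" and matches(r, req, ignore_flag) for r in rules):
        return "allow"
    return "deny"

# Constructed sample data: MIME types stand in for ISA content groups.
SELECTED = frozenset({"text/html", "image/gif"})
UNWANTED = frozenset({"video/mpeg"})
WEB_HTML = Request("webproxy", "text/html")
WEB_VIDEO = Request("webproxy", "video/mpeg")
SECURENAT = Request("firewall", None)

def scenarios():
    selected_allow = [Rule("allow", SELECTED)]           # configuration from CAUSE
    workaround = [Rule("allow"), Rule("deny", UNWANTED)]  # configuration from WORKAROUND
    return {
        "cause_web": evaluate(selected_allow, WEB_HTML),
        "cause_securenat": evaluate(selected_allow, SECURENAT),
        "registry_fix_securenat": evaluate(selected_allow, SECURENAT, ignore_flag=True),
        "workaround_securenat": evaluate(workaround, SECURENAT),
        "workaround_web_video": evaluate(workaround, WEB_VIDEO),
    }
```
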

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was corrected in ISA Server 2000.

Modification Type: Major
Last Reviewed: 10/16/2002
Keywords: kbISAServ2000sp1fix kbprb kbQFE KB297515