How to enable translating client source address in Server Publishing (311777)
The information in this article applies to:
- Microsoft Internet Security and Acceleration Server 2000
- Microsoft Internet Security and Acceleration Server 2000 SP1
This article was previously published under Q311777

Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986
Description of the Microsoft Windows registry

SUMMARY

This article describes how to enable the translation of the client source address in server publishing. This feature is provided by Internet Security and Acceleration (ISA) Server 2000 Service Pack 1.

Note This feature allows Server Publishing to work correctly when using Network Load Balancing (NLB) on the external interface of ISA. Without this change, server publishing is not supported when using NLB on the external interface.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
288574
Cannot perform load balancing with Network Load Balancing and Server Publishing enabled

MORE INFORMATION

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Note On a Windows 2003 server configured with an NLB cluster in the internal and external interfaces with multiple virtual IP addresses on the internal interface, where the following registry value is used, the IP that you use to send traffic to the published server may be one of the virtual IP addresses and not the dedicated IP address. This is typically true when only one IP address is used in the virtual IP address. As a result, the reply traffic is load balanced and may land on a firewall server that does not have context for this traffic. Such traffic does not return to the remote client, so the client does not connect.

To enable the translation of the client source address in server publishing:
- Obtain and install ISA Server 2000 Service Pack 1.
  For more information about how to obtain the latest ISA Server service pack, click the following article number to view the article in the Microsoft Knowledge Base:
  313139
  How to obtain the latest Internet Security and Acceleration Server 2000 service pack
- Edit the registry:
  - Start Registry Editor, locate, and then click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fwsrv\Parameters
  - On the Edit menu, click Add Value, and then add the following registry value:
    Value name: UseISAAddressInPublishing
    Data type: REG_DWORD
    Radix: Binary
    Value data: 1
  - Quit Registry Editor.
- Restart the Firewall service from the Services tool in Control Panel.

In typical server publishing with ISA Server, incoming packets are received by the Firewall service and the destination address is changed in the new request that is sent to the internal server. The original destination address was the ISA server's external IP address, and the new destination address is the IP address of the internal published server. However, this new packet that was sent from the ISA Server computer to the internal server still has the original source address of the external client where the packet originated.

This requires that the internal server have a default route to the Internet through ISA Server for reply packets to be returned to the source (after being appropriately translated by ISA Server on the way out). That is, the default gateway of the server being published must route through the ISA Server computer that is performing Server Publishing. Some large corporate networks do not have default routes out to the Internet, and in those environments, this can be a problem.

A feature that has been introduced in ISA Server 2000 Service Pack 1 allows you to set a registry value that causes ISA Server to also replace the source address of these incoming requests so that the packets that are sent to the internal server have the source address of the ISA Server computer. This allows the normal IP routing configuration in these large networks to route these packets back to the ISA Server computer, which can then NAT these packets back to the original external host where the request originated.

Note This feature works only if the published protocol does not require an application filter (there were no secondary connections in the protocol) and for publishing FTP and RPC servers (only FTP and RPC application filters have this support).
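
The routing dependency described above can be modeled in a few lines. This is an added example, not Microsoft code: all addresses, the route tables and the function names are constructed for illustration, and it assumes the translated source is the ISA Server computer's internal address.

```python
import ipaddress

# Constructed sample addresses (documentation/private ranges), not from the article.
CLIENT = "203.0.113.50"    # external client
ISA_EXT = "198.51.100.10"  # ISA external address that clients connect to
ISA_INT = "10.0.0.1"       # ISA internal address (assumed to be the translated source)
SERVER = "10.0.5.20"       # internal published server
ROUTER = "10.0.5.1"        # internal router on the server's subnet

def isa_inbound(src, dst, use_isa_address):
    """Rewrite an inbound server-publishing packet; returns (src, dst) sent inward."""
    if dst != ISA_EXT:
        raise ValueError("not addressed to the published external address")
    # The destination always becomes the published server. The source is
    # replaced only when UseISAAddressInPublishing is 1.
    return (ISA_INT if use_isa_address else src, SERVER)

def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs; None when no route."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net), gw) for net, gw in routes
            if addr in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def publish_roundtrip(server_routes, use_isa_address):
    """Return (source address the server sees, True if its reply gets back to ISA)."""
    seen_src, _ = isa_inbound(CLIENT, ISA_EXT, use_isa_address)
    gw = next_hop(server_routes, seen_src)  # the server replies to the source it saw
    # ISA can only translate the reply if it is routed to the ISA computer:
    # either the reply is addressed to ISA itself, or ISA is the gateway.
    back_at_isa = gw is not None and (seen_src == ISA_INT or gw == ISA_INT)
    return seen_src, back_at_isa

INTERNAL_ONLY = [("10.0.0.0/8", ROUTER)]                 # no default route to the Internet
WITH_DEFAULT = INTERNAL_ONLY + [("0.0.0.0/0", ISA_INT)]  # default gateway through ISA

if __name__ == "__main__":
    for label, routes in (("internal routes only", INTERNAL_ONLY),
                          ("default route via ISA", WITH_DEFAULT)):
        for flag in (False, True):
            print(label, "| UseISAAddressInPublishing =", int(flag),
                  "|", publish_roundtrip(routes, flag))
```

With the value set to 1, the published server in this model sees 10.0.0.1 as the source of every connection, so per-client attribution has to come from the ISA Server logs rather than from the published server's own logs.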

Modification Type: Major
Last Reviewed: 6/13/2005
Keywords: kbhowto kbISAServ2000sp1fix kbnetwork KB311777