FTP Client May Not Work When You Enable IP Routing on a Downstream ISA Server (313356)

SYMPTOMS

When you use a secure Network Address Translation service (NAT) client computer, you may not be able to send or receive data over secondary connections for protocols that allow secondary connections if the support for the connections is provided through a program filter that supports Kernel mode data pump when:

The client's ISA server is a downstream server that uses an upstream ISA to chain to

-and-
IP routing is enabled on the downstream server

RESOLUTION

To resolve this problem, obtain latest service pack for ISA Server 2000. For additional information about the latest service pack, click the article number below to view the article in the Microsoft Knowledge Base:

313139 How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack

MORE INFORMATION

When you enable Internet protocol (IP) routing on an ISA server, the Kernel mode data pump feature is also enabled. This feature provides a significant performance advantage for the data-rich secondary connections by handling the traffic in Kernel mode.

Steps to Reproduce the Problem

To reproduce the problem that is described in the Symptoms section:

Configure the downstream ISA server with FW chaining to the upstream ISA server.
Enable FTP filter on both servers.
Enable IP routing on the downstream server.
Make the client a NAT client of the downstream ISA server.
On the client, run the FTP client and connect to an FTP server that is running on an external network that is upstream of the ISA server.
Log onto the FTP server and try to list the folder contents (with the dir command) or try to transfer a file.