Firewall clients cannot connect to external locations by using a Winsock program through an upstream computer that is running ISA Server 2004 (837575)


The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2004, Standard Edition
For a Microsoft Internet Security and Acceleration Server 2000 version of this article, see 275234.

SYMPTOMS

Computers that are running the Microsoft Firewall Client program can access external Web sites by using a Web browser program. However, they cannot connect to external locations by using other Winsock programs.

CAUSE

This issue may occur if all the following conditions are true:
  • The client computers access the Internet through chained Microsoft Internet Security and Acceleration (ISA) Server computers.
  • All Internet access for the client computers is provided by the upstream ISA Server computer.
  • No direct connection exists between the client computers and the upstream ISA Server computer that provides Internet access.
This issue occurs if only the routing rules have been configured between the ISA Server computers. You must configure firewall service chaining (Winsock proxy chaining) and specify the upstream server.

RESOLUTION

To resolve this issue, configure firewall service chaining (Winsock proxy chaining) between the ISA Server computers. To do this, follow these steps:
  1. Start the ISA Server Management tool, and then connect to the downstream ISA Server computer if you are not already connected to it.
  2. Expand ServerName, where ServerName is the name of your ISA Server computer.
  3. Expand Configuration, and then click General.
  4. On the General tab, click Configure Firewall Chaining.
  5. Configure the firewall chaining information, and then click OK.

    Note For additional information about each of the items in the Firewall Chaining dialog box, search on "Configure firewall chaining" in ISA Server 2004 Help.
  6. Click Apply to save your changes and to update the firewall policy, and then click OK.

MORE INFORMATION

The firewall chaining functionality configures the ISA Server computer to behave as a firewall client to the upstream ISA Server computer. In ISA Server, routing rules and all the configuration settings apply only to Web browser proxy requests. You must also configure firewall service chaining and specify the upstream ISA Server computer.
Modification Type:MajorLast Reviewed:7/16/2004
Keywords:kbFirewall kbenv kbprb KB837575 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.