How to enable the translation of the client source address in an ISA Server 2004 server publishing rule (838112)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2004, Standard Edition

For a Microsoft Internet Security and Acceleration Server 2000 version of this article, see 311777.

INTRODUCTION

This article describes how to enable the translation of the client source address in a Microsoft Internet Security and Acceleration (ISA) Server 2004 server publishing rule. You can configure a server publishing rule so that the source Internet Protocol (IP) address of a forwarded request appears to be that of the ISA Server computer instead of that of the client that makes the request.

Note Translation of the client source address permits server publishing to work correctly when you use Network Load Balancing on the external interface of the ISA Server computer. Without this change, server publishing is not supported when you use Network Load Balancing on the external interface.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

288574 Cannot perform load balancing with Network Load Balancing and Server Publishing enabled

MORE INFORMATION

In typical ISA Server 2004 server publishing, when the Microsoft Firewall service receives incoming packets that are destined for an internal server, ISA Server changes the destination address in the request that is forwarded to the internal server. ISA Server changes the original destination address from the external IP address of the ISA Server computer to the IP address of the internal published server. However, the new packet that the ISA Server computer sends to the internal server still has the original source address of the external client where the packet originated. Therefore, without any ISA Server configuration change, the internal server must have a default route that is configured to the Internet through the ISA Server computer to return reply packets back to the source. Because some large corporate networks do not have default routes out to the Internet, this configuration can be a problem.

If you turn on the Requests appear to come from the ISA Server computer setting, the ISA Server computer also replaces the source address of the incoming request so the packets that are sent to the internal server have the source address of the ISA Server computer. This permits the IP routing configuration in these large networks to route the packets back to the ISA Server computer. The ISA Server can then use network address translation (NAT) to send the packets back to the original external host where the request originated.
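The two forwarding modes described above can be traced with a small model. This is an added example, not Microsoft code and not part of the original article. All addresses are constructed samples, and the choice of the ISA Server internal interface address as the translated source is an assumption.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (documentation/private ranges), not from the article.
CLIENT = "203.0.113.50"         # external client
ISA_EXTERNAL = "198.51.100.10"  # ISA Server external address
ISA_INTERNAL = "10.0.0.1"       # assumed: address ISA Server uses toward the internal network
PUBLISHED = "10.0.5.20"         # internal published server

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def forward_request(pkt, translate_source):
    """Destination is always rewritten; source only when the setting is on."""
    return Packet(ISA_INTERNAL if translate_source else pkt.src, PUBLISHED)

def next_hop(routes, dst):
    """Longest-prefix match over {prefix: gateway}; None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in routes]
    hits = [n for n in nets if addr in n]
    if not hits:
        return None
    return routes[str(max(hits, key=lambda n: n.prefixlen))]

def trace(translate_source, server_routes):
    """Follow one request and its reply; report what the published server sees."""
    forwarded = forward_request(Packet(CLIENT, ISA_EXTERNAL), translate_source)
    reply = Packet(PUBLISHED, forwarded.src)
    hop = next_hop(server_routes, reply.dst)
    # The reply gets back to ISA Server if ISA is the gateway, or if the reply
    # is addressed to ISA itself and the internal network can route to it.
    reaches_isa = hop == ISA_INTERNAL or (hop is not None and reply.dst == ISA_INTERNAL)
    # ISA Server then restores the addresses the external client expects.
    to_client = Packet(ISA_EXTERNAL, CLIENT) if reaches_isa else None
    return {"server_sees": forwarded.src, "reaches_isa": reaches_isa, "to_client": to_client}

INTERNAL_ONLY = {"10.0.0.0/8": "internal"}  # published server has no default route
WITH_DEFAULT = {"10.0.0.0/8": "internal", "0.0.0.0/0": ISA_INTERNAL}

if __name__ == "__main__":
    for name, mode, routes in [("original source, no default route", False, INTERNAL_ONLY),
                               ("original source, default via ISA", False, WITH_DEFAULT),
                               ("translated source, no default route", True, INTERNAL_ONLY)]:
        print(name, trace(mode, routes))
```

In the translated case, `server_sees` is the ISA Server address, so the published server no longer sees the original client address as the source of the request.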

Note The Requests appear to come from the ISA Server computer feature works only if the published protocol does not require an application filter. In other words, the feature works correctly if there are no secondary connections that are defined for the protocol. An exception to this rule occurs when you publish FTP and RPC servers that have application filters. FTP and RPC application filters support the Requests appear to come from the ISA Server computer feature.

To enable the translation of the client source address in a server publishing rule, follow these steps:
  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. In the left pane, expand ServerName, where ServerName is the name of your ISA Server computer, and then click Firewall Policy.
  3. Right-click the server publishing rule that you want to modify, click Properties, and then click the To tab.
  4. In the Requests for the published server section, under Specify how ISA Server forwards requests to the published server, click Requests appear to come from the ISA Server computer, and then click OK.

For more information, click Help on the Action menu in the ISA Server Management snap-in, type publishing rule configuration in the Type in the word(s) to search for box, click List Topics, and then click the Request forwarding topic.

Modification Type: Major
Last Reviewed: 7/16/2004
Keywords: kbFirewall kbinfo KB838112 kbAudITPRO