Cannot connect to a published service from the external network when the published service is running directly on the ISA Server 2004 computer (838376)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2004, Standard Edition

SYMPTOMS

After you create a server publishing rule that publishes a service on your Microsoft Internet Security and Acceleration (ISA) Server 2004 computer, you cannot connect to the service from the external network.

CAUSE

This behavior occurs if all the following conditions are true:
  • The service that you publish is running directly on the ISA Server computer. You configure the Internet Protocol (IP) address that appears on the To tab in the properties of the server publishing rule to use a local IP address of the ISA Server.
  • Network address translation (NAT) is used between the address that appears on the To tab in the properties of the server publishing rule and the source that is specified on the From tab in the properties of the server publishing rule. The server publishing rule publishes one IP address of the ISA Server computer, and redirects to another local IP address.
  • The service that you publish uses a User Datagram Protocol (UDP) protocol definition.
  • The service process binds to the IP address 0.0.0.0, and not to the specific local IP address that is specified on the To tab in the properties of the server publishing rule.
  • If you right-click the server publishing rule, click Properties, and then click the To tab, the Requests appear to come from the original client option is selected.
If all these conditions are true, when the published service sends a reply packet to the client, the TCP/IP stack chooses the local IP address for the reply according to the route to the client address, because the socket is bound to address 0.0.0.0 rather than to one specific local address. Because the route to the client address is through the publishing rule listener address, the local address that is chosen is different from the local address of the original request that the service received. (The local address of the original request was the IP address that is specified on the To tab in the properties of the server publishing rule.) Therefore, the state that the firewall driver holds for the connection does not match this reply traffic, and the traffic is dropped.

RESOLUTION

To resolve this behavior, use one of the following methods:
  • Change the server address for the publishing rule to match the listener IP address.
  • Configure the service to bind to the specific local IP address that is specified on the To tab in the properties of the server publishing rule.
  • Change the server publishing rule option Requests appear to come from the original client to Requests appear to come from the ISA Server computer. To do this, right-click the server publishing rule, click Properties, click the To tab, and then click Requests appear to come from the ISA Server computer.
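The following added example (not part of this article) reproduces on Linux the mechanism described under CAUSE and the effect of the second resolution: a UDP echo service bound to 0.0.0.0 receives a request addressed to 127.0.0.2 (standing in for the To address), and with a plain sendto() the reply leaves from the address that the route to the client selects (127.0.0.1), which is the mismatch that makes the firewall driver drop it; the second mode keeps the wildcard bind but uses IP_PKTINFO to answer from the address the request arrived on. It assumes Linux (127.0.0.0/8 on the loopback interface and the IP_PKTINFO socket option); the constructed addresses and the helper names are the example's own.

```python
import socket
import struct
import threading

# Linux value of IP_PKTINFO; some Python builds do not export the constant.
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
PKTINFO_FMT = "I4s4s"  # struct in_pktinfo: ipi_ifindex, ipi_spec_dst, ipi_addr


def _echo_once(srv, pin_reply_source):
    """Answer one datagram on a socket bound to 0.0.0.0 (the article's fourth condition)."""
    ancspace = socket.CMSG_SPACE(struct.calcsize(PKTINFO_FMT))
    data, ancdata, _flags, client = srv.recvmsg(2048, ancspace)
    if not pin_reply_source:
        # Plain reply: the stack picks the source address from the route to the
        # client, not from the address the request was sent to.
        srv.sendto(data, client)
        return
    # ipi_addr (third field) is the destination address in the request's IP header.
    dst = next(struct.unpack(PKTINFO_FMT, d)[2] for lvl, typ, d in ancdata
               if lvl == socket.IPPROTO_IP and typ == IP_PKTINFO)
    # On send, ipi_spec_dst selects the source address of the outgoing datagram.
    pktinfo = struct.pack(PKTINFO_FMT, 0, dst, b"\0" * 4)
    srv.sendmsg([data], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, client)


def reply_source_seen_by_client(service_ip, pin_reply_source, client_ip="127.0.0.1"):
    """Send one request from client_ip to a wildcard-bound echo service reached at
    service_ip and return the source address the client sees on the reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)  # deliver in_pktinfo on receive
    srv.bind(("0.0.0.0", 0))
    srv.settimeout(5)
    port = srv.getsockname()[1]
    worker = threading.Thread(target=_echo_once, args=(srv, pin_reply_source))
    worker.start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.bind((client_ip, 0))
    cli.settimeout(5)
    try:
        cli.sendto(b"ping", (service_ip, port))  # constructed request
        _reply, (src_ip, _src_port) = cli.recvfrom(2048)
    finally:
        worker.join()
        cli.close()
        srv.close()
    return src_ip


if __name__ == "__main__":
    # 127.0.0.2 stands in for the rule's To address, 127.0.0.1 for the client side.
    print("plain sendto: reply came from", reply_source_seen_by_client("127.0.0.2", False))
    print("IP_PKTINFO:   reply came from", reply_source_seen_by_client("127.0.0.2", True))
```

The first call shows the reply source drifting to 127.0.0.1, the address mismatch the article describes; the second shows it staying at the request's destination.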

Modification Type: Major
Last Reviewed: 7/16/2004
Keywords: kbFirewall kbprb KB838376 kbAudITPRO