Microsoft KB Archive/296674

= The SecureNAT Clients Cannot Access the Internal Resources That Are Published by Means of ISA Server =

Article ID: 296674

Article Last Modified on 1/15/2006

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition

-



This article was previously published under Q296674



SYMPTOMS
The secure network address translation (SecureNAT) computer clients cannot access internal resources that are published by means of Internet Security and Acceleration (ISA) Server. These resources are accessible to clients that use the Internet, but the internal (intranet) clients receive a timeout error message.



CAUSE
This behavior can occur when SecureNAT clients attempt to access a published resource by using an Internet name. The name resolves to a public Internet Protocol (IP) address on ISA Server. Then, the SecureNAT clients make a connection to ISA Server on the public interface. ISA Server forwards this request to the publishing server. The request also contains the source address of the client. In this situation, however, the source address is local to the intranet. The publishing server contacts the client directly. The client is expecting the connection to come from ISA Server so the client ignores the direct request from the internal resource.



RESOLUTION
To work around this behavior, use any of the following three methods:
 * Use an internal DNS server, host file, or Windows Internet Name Service (WINS) server to resolve the internal IP of the published resource. Then, the SecureNAT client can contact the resource directly.
 * Install a firewall client. By using the firewall client, the requests from the client are &quot;remoted&quot; to ISA Server. In effect, the connections are being established from ISA Server itself, which should not cause a problem.
 * Install the firewall client, and then configure a Wspcfg.ini file on the resource that is going to be published. This step can bind the listening port of the internal server to the public interface of ISA Server. This step can work for both internal and external clients.



STATUS
This behavior is by design.



MORE INFORMATION
For additional information about how to use this process, click the article numbers below to view the articles in the Microsoft Knowledge Base:

250510 Hosting Multiple SSL Sites Using Server Proxy in Proxy 2.0

276388 XIMS: How to Configure Exchange 2000 Behind Proxy Server 2.0

Additional query words: ssl web

Keywords: kbenv kbnetwork kbprb kbisa2004yes KB296674

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.