Microsoft KB Archive/912633



Clients may not be able to connect to destination sites after you create an access rule that uses domain name sets in ISA Server 2004

Article ID: 912633

Article Last Modified on 12/4/2007



APPLIES TO

  • Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2004 Standard Edition




SYMPTOMS

You create an access rule in Microsoft Internet Security and Acceleration (ISA) Server 2004 that applies to a protocol that is bound to an application filter. For example, you create an access rule that applies to File Transfer Protocol (FTP) or Real Time Streaming Protocol (RTSP). The access rule destination uses domain name sets. However, clients may not be able to connect to the destination sites that are specified in the domain name sets.

CAUSE

Protocols such as FTP and RTSP use secondary connections to transfer data. When the primary connection indicates that it is about to open a secondary connection, the protocol's application filter calls the BindForClient method in ISA Server 2004. Before BindForClient lets the traffic pass, it checks that this traffic is allowed. However, this check does not evaluate the domain name sets. Therefore, the connection is denied.

RESOLUTION

To resolve this problem, obtain the latest service pack for ISA Server 2004. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

891024 How to obtain the latest ISA Server 2004 service pack


WORKAROUND

To work around this issue, specify the access rule's destination by using network objects that specify IP addresses. For example, use networks, network sets, computers, computer sets, address ranges, or subnets.
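
The following simplified model, added here as an illustration and not taken from ISA Server or from Microsoft, reproduces the check described under CAUSE and shows why the workaround avoids it. The class and function names are hypothetical, and the host name and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AccessRule:
    """Allow rule whose destination is domain name sets and/or IP-based objects."""
    name: str
    domain_names: set = field(default_factory=set)   # models a domain name set
    ip_networks: list = field(default_factory=list)  # models address ranges/subnets

    def matches_domain(self, host):
        return host.lower() in self.domain_names

    def matches_ip(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ip_networks)

def primary_allowed(rule, host, ip):
    # Primary connection: the destination is checked against every object type.
    return rule.matches_domain(host) or rule.matches_ip(ip)

def secondary_allowed(rule, ip):
    # Secondary connection, modelled on the behaviour the article describes:
    # domain name sets are not consulted, only IP-based objects.
    return rule.matches_ip(ip)

def ftp_session(rule, host, ip):
    """Return (control_ok, data_ok) for one FTP session to host/ip."""
    control = primary_allowed(rule, host, ip)
    data = control and secondary_allowed(rule, ip)
    return control, data

# Constructed sample data: reserved test domain and documentation address range.
SERVER_HOST, SERVER_IP = "ftp.example.test", "192.0.2.10"
by_name = AccessRule("FTP by domain name set", domain_names={SERVER_HOST})
by_ip = AccessRule("FTP by address range",
                   ip_networks=[ipaddress.ip_network("192.0.2.0/28")])

if __name__ == "__main__":
    for rule in (by_name, by_ip):
        control, data = ftp_session(rule, SERVER_HOST, SERVER_IP)
        print(f"{rule.name}: control={'allow' if control else 'deny'}, "
              f"data={'allow' if data else 'deny'}")
```

In this model the rule defined by a domain name set allows the primary connection but denies the secondary one, while the rule defined by an address range allows both.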

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in ISA Server 2004 Service Pack 2.

Keywords: kbtshoot kbprb KB912633