ISA Server Firewall Chaining Can Cause Problems with FTP Access (313343)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000

This article was previously published under Q313343

SYMPTOMS

Application filter functions allow a filter to specify the destination IP address for which a packet filter opens a secondary connection. The FTP application filter uses this functionality to open packet filters only for the IP address of the destination FTP server. This works correctly unless you are using firewall chaining. With firewall chaining, packets that are received on the external network adapter of the downstream Internet Security and Acceleration (ISA) Server-based computer have as their source IP address not the address of the FTP server but the internal IP address of the upstream ISA Server-based computer. Because that address does not match the packet filter, ISA Server drops the packets.
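The following simplified model of the filter match described above is an added illustration, not ISA Server code. The `local_port` field, the verdict names, and the addresses (constructed, from documentation ranges) are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class DynamicFilter:
    """Secondary-connection filter as the article describes it: pinned to one remote IP."""
    remote_ip: str   # destination FTP server the filter was opened for
    local_port: int  # port on the downstream external adapter (assumed field)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int


def classify(pkt, filters, upstream_internal_ip):
    """Return ALLOW, DROP_CHAINED (the symptom in this article) or DROP_OTHER."""
    on_port = [f for f in filters if f.local_port == pkt.dst_port]
    if any(ip_address(f.remote_ip) == ip_address(pkt.src_ip) for f in on_port):
        return "ALLOW"
    # A filter is waiting on this port, but the packet was relayed by the upstream
    # firewall, so its source is the upstream's internal address, not the FTP server.
    if on_port and ip_address(pkt.src_ip) == ip_address(upstream_internal_ip):
        return "DROP_CHAINED"
    return "DROP_OTHER"


# Constructed sample values, not taken from the article.
FTP_SERVER = "203.0.113.10"
UPSTREAM_INTERNAL = "192.0.2.1"
FILTERS = [DynamicFilter(remote_ip=FTP_SERVER, local_port=3050)]


def demo():
    packets = {
        "direct": Packet(FTP_SERVER, 3050),          # no chaining: source is the FTP server
        "chained": Packet(UPSTREAM_INTERNAL, 3050),  # chaining: source is the upstream firewall
        "unrelated": Packet("198.51.100.7", 3050),   # some other host on the filtered port
        "no_filter": Packet(UPSTREAM_INTERNAL, 4000),  # no secondary-connection filter open
    }
    return {name: classify(p, FILTERS, UPSTREAM_INTERNAL) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} {verdict}")
```
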

RESOLUTION

To resolve this problem, obtain the latest service pack for ISA Server 2000. For additional information about the latest service pack, click the article number below to view the article in the Microsoft Knowledge Base:

313139 How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This problem was corrected in ISA Server 2000 SP1.

Modification Type: Major
Last Reviewed: 2/4/2002
Keywords: kbenv kbISAServ2000sp1fix kbprb KB313343