VPN Dial-up Connections Are Not Filtered by ISA Server (313433)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000

This article was previously published under Q313433
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

A virtual private network (VPN) dial-up connection from Internet Security and Acceleration (ISA) Server to a remote network is not filtered. This behavior is by design because ISA Server assumes that dial-up VPN connections from ISA Server are always on a trusted network. However, this is not always the case because some public Internet service providers (ISPs) use a VPN connection. This essentially leaves the internal clients open to the Internet because no filtering is being performed on the ISA Server connection.

RESOLUTION

This problem was corrected in Internet Security and Acceleration Server Service Pack 1.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

313139 How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack

MORE INFORMATION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

With ISA Server Service Pack 1 (SP1), packet filtering is applied to dial-up VPN connections. Demand-dial VPN interfaces in Routing and Remote Access remain unfiltered. To disable packet filtering on a dial-up VPN connection with SP1, make the following registry changes:

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\FPC

Data type: DWORD
Value name: NoPfOnVpnDialUps
Data value:

1 = No packet filtering on the connection
0 = Packet filtering on the connection (this is the default with SP1)
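To audit this setting, the following added example (not Microsoft's code and not part of the original article) reads the value described above and reports whether dial-up VPN packet filtering has been turned off. It assumes PowerShell is available on the ISA Server computer and that SP1 is installed; the function name and the state labels are hypothetical.

```powershell
# Added example: audit the NoPfOnVpnDialUps setting described in this article.
# The function name and state labels are hypothetical; the key path and value
# name are the ones given in the article.
function Get-IsaVpnDialUpFilterState {
    param([string]$KeyPath = 'HKLM:\Software\Microsoft\FPC')

    $name  = 'NoPfOnVpnDialUps'
    $state = 'KeyNotFound'      # ISA Server key is absent on this computer
    $raw   = $null

    if (Test-Path -Path $KeyPath) {
        $key = Get-Item -Path $KeyPath
        $raw = $key.GetValue($name, $null)

        if ($null -eq $raw) {
            # Value not present: SP1 default, packet filtering is applied
            $state = 'FilteredByDefault'
        } elseif ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
            # The article specifies a DWORD; any other type needs manual review
            $state = 'UnexpectedType'
        } elseif ($raw -eq 1) {
            $state = 'Unfiltered'       # 1 = no packet filtering on the connection
        } elseif ($raw -eq 0) {
            $state = 'Filtered'         # 0 = packet filtering on the connection
        } else {
            $state = 'UnexpectedValue'  # the article defines only 0 and 1
        }
    }

    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Key      = $KeyPath
        Value    = $raw
        State    = $state
    }
}

$result = Get-IsaVpnDialUpFilterState
$result

# Flag anything other than an explicit or default "filtered" state for review.
if ($result.State -eq 'Unfiltered') {
    Write-Warning 'Packet filtering is disabled on dial-up VPN connections.'
} elseif ($result.State -like 'Unexpected*') {
    Write-Warning 'NoPfOnVpnDialUps has a type or value the article does not define.'
}
```

A result of Filtered or FilteredByDefault covers dial-up VPN connections only; demand-dial VPN interfaces in Routing and Remote Access remain unfiltered regardless of this value.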


Modification Type: Major
Last Reviewed: 4/23/2003
Keywords: kbenv kbISAServ2000sp1fix kbprb KB313433