ISA Server 2004 firewall clients that use IPSec in the internal network cannot access external networks (838379)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2004, Standard Edition

SYMPTOMS

If the following conditions are true, computers that use the Microsoft Internet Security and Acceleration (ISA) Server 2004 firewall client on an internal network cannot access the external network:
  • You are using IPSec to encrypt data in the internal network.
  • You are using Network Address Translation (NAT) on the ISA Server 2004-based server so internal clients can connect to an external network.

WORKAROUND

To work around this behavior, turn off IP routing on the ISA Server 2004-based server. To do this, follow these steps:
  1. Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. In the ISA Server 2004 Management console, expand the ISA Server 2004-based server.
  3. Expand Configuration, and then click General.
  4. In the right pane of the ISA Server 2004 Management console, click Define IP Preferences under Additional Security Policy.
  5. In the IP Preferences box, click the IP Routing tab.
  6. Click to clear the Enable IP routing check box, and then click OK.

STATUS

This behavior is by design.

MORE INFORMATION

Although IP routing improves network performance, you may want to turn off IP routing to help improve network security.

Modification Type: Major
Last Reviewed: 7/16/2004
Keywords: kbprb KB838379 kbAudITPRO