An IPSec policy is not applied to internal translated network traffic when you use ISA Server 2004 (886995)


The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2004, Standard Edition

SYMPTOMS

When you use Microsoft Internet Security and Acceleration (ISA) Server 2004 to perform network address translation (NAT), an Internet Protocol security (IPSec) policy that is set through Group Policy is not applied to traffic after the traffic is translated. For example, IPSec policy is not applied in the following scenario:
  1. There is an IPSec policy defined for traffic between an internal host and the ISA Server 2004-based computer that is performing NAT.
  2. Traffic from an external host or a virtual private network (VPN) client is received by the ISA Server 2004-based computer, and is then translated by using NAT before it is sent to the internal host.
In this scenario, the traffic that is sent from the ISA Server 2004-based computer to the internal host has no IPSec encapsulation.

CAUSE

This issue occurs if all the following conditions are true:
  • Your ISA Server 2004-based computer is configured to perform NAT.
  • The IPSec policy applies to internal traffic.
  • IP routing is enabled on your ISA Server 2004-based computer. Therefore, connections through ISA Server 2004 are subject to the kernel mode data pump process.
In this scenario, because of the underlying architecture of IPSec and of network address translation, the translated traffic is not processed by the IPSec driver.

WORKAROUND

To work around this issue, disable IP routing on your ISA Server 2004-based computer. To disable IP routing, follow these steps:

Note If you disable IP routing, ISA Server 2004 performance may decrease.
  1. Start the ISA Server Management tool. To do this, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. Expand your ISA Server 2004-based computer name, expand Configuration, and then click General.
  3. Under Additional Security Policy, click Define IP Preferences.
  4. Click the IP Routing tab.
  5. Click to clear the Enable IP routing check box, click Apply, and then click OK.
  6. Click Apply to save your changes and to update the configuration.
Modification Type:MajorLast Reviewed:11/7/2004
Keywords:kbtshoot kbFirewall kbprb KB886995 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.