ISA Server 2004 does not support traffic redirection (888042)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2004, Standard Edition

SYMPTOMS

Consider the following scenario:
  • You send TCP traffic from a remote subnet to a computer.
  • The destination computer resides on the same subnet as an internal interface of a computer that is running Microsoft Internet Security and Acceleration (ISA) Server 2004.
When this situation occurs, the response traffic may not be received successfully.

This symptom may not occur with User Datagram Protocol (UDP) or Internet Control Message Protocol (ICMP) traffic, depending on the ISA policies that are in effect.

CAUSE

ISA Server 2004 performs stateful filtering, also known as dynamic packet filtering, on all packets received on all interfaces. ISA Server 2004 creates connection objects for each allowed connection. If ISA receives response traffic for which no origination packet was seen, that packet is dropped.

This issue occurs in network environments where all the following conditions are true:
  • There is at least one network behind the ISA local internal subnet. Any such networks are separated from ISA by a router.
  • The hosts that are located on the same local subnet as the internal interface of the ISA Server computer have the internal IP address of the ISA Server computer specified as the default gateway.
  • Computers in the remote subnet have the IP address of the router that is located between the local subnet and remote subnet specified as their default gateway.
When TCP traffic is sent from a remote subnet client, it is forwarded directly to the computer that is located on the local subnet. When the receiving host responds, it routes this traffic through the ISA Server computer because the ISA internal IP is configured as its default gateway. ISA Server rejects this response traffic because it has no pre-existing context for this traffic.

RESOLUTION

To resolve this issue, use one of the following methods, depending on your scenario.

Method 1

Create static routes on the local internal hosts for each remote internal subnet. For example, if your network is configured like the diagram in this article, follow these steps on the computer whose IP address is 10.0.0.3.

Note This command assumes that the 192.168.0.x network uses a subnet mask of 255.255.255.0.
  1. Click Start, click Run, type cmd, and then click OK.
  2. Type route -p add 192.168.0.0 mask 255.255.255.0 10.0.0.2, and then press ENTER.

    Note You must use the -p part of this command so the route additions will persist after the computer is restarted.

Method 2

Specify the local router as the default gateway for the computers that are located on the same subnet as the internal interface of the ISA Server computer. You must also specify the internal interface of the ISA Server computer as the default gateway of the router if you intend to support SecureNAT clients in the remote subnet or in the local subnet.

The following diagram gives an example of the scenario where response traffic is blocked by ISA Server:

ISA network diagram
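As an added illustration that is not part of this article, the following Python model reproduces the asymmetric path (client SYN forwarded directly by the router, reply sent to the host's default gateway) and ISA's stateful drop, then shows how Method 1 and Method 2 each restore the reply. ISA's internal address 10.0.0.1 and the remote client address 192.168.0.10 are assumed values not given in the article.

```python
from ipaddress import ip_address, ip_network

# From the article: 10.0.0.3 (local host), 10.0.0.2 (router on the local subnet),
# 192.168.0.0/24 (remote subnet). ISA's internal address 10.0.0.1 and the remote
# client 192.168.0.10 are constructed for this example.
REMOTE_NET = ip_network("192.168.0.0/24")
ISA_INTERNAL = "10.0.0.1"
ROUTER = "10.0.0.2"
LOCAL_HOST = "10.0.0.3"
REMOTE_CLIENT = "192.168.0.10"

class StatefulFilter:
    """Model of ISA's dynamic packet filtering: a connection object is created
    for each allowed origination packet; a reply without one is dropped."""

    def __init__(self):
        self.connections = set()

    def forward(self, src, dst, syn):
        if syn:
            self.connections.add((src, dst))
            return True
        return (dst, src) in self.connections

def next_hop(routes, default_gw, dst):
    """Longest-prefix match over a host's static routes, else its default gateway."""
    best = None
    for net, gw in routes:
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else default_gw

def simulate(local_host_routes, default_gw=ISA_INTERNAL):
    """Return True if the local host's TCP reply reaches the remote client."""
    isa = StatefulFilter()
    # The remote client's SYN is routed by the router straight onto the local
    # subnet, so ISA never sees it and creates no connection object.
    hop = next_hop(local_host_routes, default_gw, REMOTE_CLIENT)
    if hop == ISA_INTERNAL:
        # Reply reaches ISA with no prior context: the stateful filter drops it.
        return isa.forward(LOCAL_HOST, REMOTE_CLIENT, syn=False)
    return hop == ROUTER  # the router forwards the reply to the remote subnet

# Method 1: "route -p add 192.168.0.0 mask 255.255.255.0 10.0.0.2" on 10.0.0.3.
METHOD1_ROUTES = [(REMOTE_NET, ROUTER)]
# Method 2: the router, not ISA, becomes the local host's default gateway.
METHOD2_GATEWAY = ROUTER
```

With no route and ISA as the default gateway, simulate([]) returns False; simulate(METHOD1_ROUTES) and simulate([], default_gw=METHOD2_GATEWAY) both return True.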

MORE INFORMATION

By default, the response traffic is sent successfully in ISA Server 2000 because traffic that is received by the internal interfaces is not filtered. This behavior lets incomplete TCP traffic be rerouted by the Remote Access service that is running on the ISA Server computer. Because ISA Server 2004 applies stateful filtering to traffic that is seen by all logical and physical networks that are attached to the ISA Server computer, this is no longer possible.

Modification Type: Major
Last Reviewed: 11/25/2004
Keywords:kbFirewall kbtshoot kbprb KB888042 kbAudITPRO