
= Interoperability of Routing and Remote Access and Internet Security and Acceleration Server 2004 =

Article ID: 838374

Article Last Modified on 7/16/2004


APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition

== INTRODUCTION ==
If you install Microsoft Internet Security and Acceleration (ISA) Server 2004 on a computer that is running Microsoft Windows 2000 Server or Microsoft Windows Server 2003, ISA Server takes control of the Routing and Remote Access service configuration. For example, if you configure a virtual private network (VPN) through the ISA Server Management snap-in, ISA Server 2004 automatically configures the settings in Routing and Remote Access. This helps avoid conflicts because settings that you configure by using the ISA Server Management snap-in are also applied to Routing and Remote Access. There are some Routing and Remote Access parameters, such as the Routing and Remote Access tracing level, that are not available through the ISA Server Management snap-in. These parameters can be set directly through Routing and Remote Access.



== ISA Server 2004 and Routing and Remote Access interoperability ==
ISA Server 2004 depends on and enhances the basic VPN functionality that the Routing and Remote Access service provides. While you can perform most VPN configuration using the ISA Server Management snap-in, you can also configure some advanced settings using Routing and Remote Access. If you do use Routing and Remote Access to configure VPN settings, you must be careful not to override specific settings that must be configured only in ISA Server. In particular, note the following:
 * If you use Routing and Remote Access to enable network address translation (NAT), some ISA Server features may not function correctly.
 * Do not use Routing and Remote Access to enable or to disable Internet Protocol (IP) routing. ISA Server always synchronizes with the Routing and Remote Access settings, but the Routing and Remote Access service does not check to verify how ISA Server configures IP routing functionality. However, you can use Routing and Remote Access to configure the routing table.
 * Any packet filters that you configure using Routing and Remote Access are never applied.
 * Because the Routing and Remote Access packet filters are disabled, Routing and Remote Access quarantine mode is rendered useless. Instead, use ISA Server 2004 quarantine functionality. For more information about ISA Server 2004 quarantine functionality, in the ISA Server Management console, click "Help" on the "Action" menu, type "quarantine" in the "Type in the word(s) to search for" box, and then click "List Topics" to view the list of topics returned.

== Microsoft ISA Server 2000 Routing and Remote Access upgrade ==
If you install ISA Server 2004 on a computer that is running ISA Server 2000, you can upgrade the Routing and Remote Access configuration. Note the following limitations to the Routing and Remote Access configuration upgrade:
 * The maximum number of VPN clients that is permitted to connect to the ISA Server 2004 computer is set to whichever is larger in Routing and Remote Access: the number of Point-to-Point Tunneling Protocol (PPTP) ports or the number of Layer 2 Tunneling Protocol (L2TP) ports.
 * If the number of IP addresses that are statically assigned is smaller than the number of VPN clients, ISA Server 2004 reduces the number of VPN clients to fit the size of the static address pool. In this scenario you receive a warning message during the Routing and Remote Access upgrade process.
 * If an invalid IP address is configured for the primary Domain Name System (DNS) server, the IP address is not exported. Instead, ISA Server 2004 uses the Dynamic Host Configuration Protocol (DHCP) settings, and issues a warning message. If an invalid IP address is configured for the backup DNS server, the IP address is not exported and ISA Server issues a warning message.
 * If an invalid IP address is configured for the primary Windows Internet Name Service (WINS) server, the IP address is not exported. Instead, ISA Server 2004 uses the DHCP settings, and issues a warning message. If an invalid IP address is configured for the backup WINS server, the IP address is not exported and ISA Server issues a warning message.
 * If a site-to-site connection in Routing and Remote Access is configured as PPTP first, and then L2TP, the connection is upgraded to an ISA Server 2004 remote site network that uses PPTP only. In this case, ISA Server issues a warning message.
 * If a site-to-site connection in Routing and Remote Access is configured as L2TP first, and then PPTP, the connection is upgraded to an ISA Server 2004 remote site network that uses L2TP only. In this case, ISA Server issues a warning message.
 * Preshared keys that are configured for Routing and Remote Access are not exported. For example, preshared keys that are configured for site-to-site connections in Routing and Remote Access are not exported. In this case, ISA Server 2004 issues a warning message.
 * Credentials that are configured for site-to-site connections in Routing and Remote Access are not exported. On ISA Server 2004, outgoing VPN connections are disabled until you reconfigure them. In this case, ISA Server issues a warning message.
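
The limitations above can be applied to a description of the existing Routing and Remote Access configuration before the upgrade, to list what will change and what must be re-entered afterwards. The following is an added example, not Microsoft code and not part of the original article; the dictionary keys, the function names and the IPv4 parsing test used for "invalid" are assumptions made for illustration.

```python
import ipaddress

def is_valid_ipv4(value):
    # Assumption: "invalid" means the string does not parse as an IPv4 address.
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def predict_upgrade(rras):
    """Model the upgrade limitations listed above; returns (settings, warnings)."""
    out, warnings = {"sites": {}}, []
    # Client limit: the larger of the PPTP and L2TP port counts,
    # reduced to the static pool size when the pool is smaller.
    clients = max(rras["pptp_ports"], rras["l2tp_ports"])
    pool = rras.get("static_pool_size")  # None: no static pool configured
    if pool is not None and pool < clients:
        warnings.append(f"VPN clients reduced from {clients} to {pool}")
        clients = pool
    out["max_vpn_clients"] = clients
    # Invalid name-server addresses are dropped; a dropped primary falls back to DHCP.
    for key in ("primary_dns", "backup_dns", "primary_wins", "backup_wins"):
        addr = rras.get(key)
        if addr is not None and not is_valid_ipv4(addr):
            warnings.append(f"{key} {addr!r} is invalid and is not exported")
            addr = "DHCP" if key.startswith("primary") else None
        out[key] = addr
    # Site-to-site: only the first protocol survives; secrets are never exported.
    for name, site in rras.get("sites", {}).items():
        first = site["protocols"][0]
        if len(site["protocols"]) > 1:
            warnings.append(f"{name}: upgraded as {first} only")
        reenter = [s for s in ("preshared_key", "credentials") if site.get(s)]
        warnings += [f"{name}: {s} not exported, re-enter after upgrade" for s in reenter]
        out["sites"][name] = {"protocol": first, "reenter": reenter}
    return out, warnings

# Constructed sample configuration (not taken from a real server).
SAMPLE = {
    "pptp_ports": 128, "l2tp_ports": 64, "static_pool_size": 50,
    "primary_dns": "10.0.0.256", "backup_dns": "10.0.0.3",
    "primary_wins": "10.0.0.4", "backup_wins": "wins2",
    "sites": {"branch": {"protocols": ["pptp", "l2tp"],
                         "preshared_key": True, "credentials": True}},
}

if __name__ == "__main__":
    settings, notes = predict_upgrade(SAMPLE)
    print(settings)
    print("\n".join("WARNING: " + n for n in notes))
```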

Keywords: kbinfo kbfirewall KB838374

© Microsoft Corporation. All rights reserved.