Microsoft KB Archive/838379

= ISA Server 2004 firewall clients that use IPSec in the internal network cannot access external networks =

Article ID: 838379

Article Last Modified on 7/16/2004


APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition

SYMPTOMS
If the following conditions are true, computers that use the Microsoft Internet Security and Acceleration (ISA) Server 2004 firewall client on an internal network cannot access the external network:
 * You are using IPSec to encrypt data in the internal network.
 * You are using Network Address Translation (NAT) on the ISA Server 2004-based server so internal clients can connect to an external network.



WORKAROUND
To work around this behavior, turn off IP routing on the ISA Server 2004-based server. To do this, follow these steps:
 * 1) Click Start, point to Programs, point to Microsoft ISA Server, and then click ISA Server Management.
 * 2) In the ISA Server 2004 Management console, expand.
 * 3) Expand Configuration, and then click General.
 * 4) In the right pane of the ISA Server 2004 Management console, click Define IP Preferences under Additional Security Policy.
 * 5) In the IP Preferences box, click the IP Routing tab.
 * 6) Click to clear the Enable IP routing check box, and then click OK.



STATUS
This behavior is by design.



MORE INFORMATION
Although IP routing improves network performance, you may want to turn off IP routing to help improve network security.

Keywords: kbprb KB838379


© Microsoft Corporation. All rights reserved.