Microsoft KB Archive/886995

= An IPSec policy is not applied to internal translated network traffic when you use ISA Server 2004 =

Article ID: 886995

Article Last Modified on 11/7/2004

-

APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition

-

SYMPTOMS
When you use Microsoft Internet Security and Acceleration (ISA) Server 2004 to perform network address translation (NAT), an Internet Protocol security (IPSec) policy that is set through Group Policy is not applied to traffic after the traffic is translated. For example, IPSec policy is not applied in the following scenario:
 1) There is an IPSec policy defined for traffic between an internal host and the ISA Server 2004-based computer that is performing NAT.
 2) Traffic from an external host or a virtual private network (VPN) client is received by the ISA Server 2004-based computer, and is then translated by using NAT before it is sent to the internal host.

In this scenario, the traffic that is sent from the ISA Server 2004-based computer to the internal host has no IPSec encapsulation.
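One way to confirm the symptom on the wire is to capture traffic on the internal host and check whether packets exchanged with the ISA Server internal interface carry an IPSec encapsulation. The following added example (not from the KB or from Microsoft) parses raw IPv4 packets and flags any packet between the two hosts that is neither ESP, AH nor UDP NAT-T (port 4500); the addresses and sample packets are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

# Constructed addresses for the scenario in this article (assumption, not from the KB).
ISA_INTERNAL_IP = IPv4Address("10.0.0.1")    # ISA Server 2004 internal interface
INTERNAL_HOST_IP = IPv4Address("10.0.0.50")  # internal host covered by the IPSec policy

ESP, AH, UDP, TCP = 50, 51, 17, 6
NAT_T_PORT = 4500  # UDP-encapsulated ESP used for NAT traversal


def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 header (no options, checksum left at 0) in front of
    payload. Used only to construct sample packets for this example."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      src.packed, dst.packed)
    return hdr + payload


def is_ipsec_protected(pkt):
    """True if the IPv4 packet is ESP, AH, or UDP NAT-T (port 4500 on either side)."""
    ihl = (pkt[0] & 0x0F) * 4      # header length in bytes
    proto = pkt[9]                 # IPv4 protocol field
    if proto in (ESP, AH):
        return True
    if proto == UDP and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        return NAT_T_PORT in (sport, dport)
    return False


def unprotected_internal_flows(packets):
    """Return (src, dst, proto) for every packet between the ISA internal
    interface and the internal host that is not IPSec-encapsulated."""
    findings = []
    for pkt in packets:
        src, dst = IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20])
        if {src, dst} == {ISA_INTERNAL_IP, INTERNAL_HOST_IP} and not is_ipsec_protected(pkt):
            findings.append((str(src), str(dst), pkt[9]))
    return findings


# Constructed capture: one ESP packet, one NAT-T packet, one plaintext TCP
# packet from ISA to the internal host (the symptom), and one unrelated packet.
SAMPLE = [
    build_ipv4(INTERNAL_HOST_IP, ISA_INTERNAL_IP, ESP, b"\x00" * 16),
    build_ipv4(ISA_INTERNAL_IP, INTERNAL_HOST_IP, UDP, struct.pack("!HH", 4500, 4500) + b"\x00" * 8),
    build_ipv4(ISA_INTERNAL_IP, INTERNAL_HOST_IP, TCP, b"\x00" * 20),
    build_ipv4(IPv4Address("192.0.2.10"), ISA_INTERNAL_IP, TCP, b"\x00" * 20),
]
```

Running `unprotected_internal_flows(SAMPLE)` reports only the plaintext TCP packet from the ISA Server to the internal host, which is the translated traffic the article describes.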



CAUSE
This issue occurs if all the following conditions are true:
 * Your ISA Server 2004-based computer is configured to perform NAT.
 * The IPSec policy applies to internal traffic.
 * IP routing is enabled on your ISA Server 2004-based computer. Therefore, connections through ISA Server 2004 are handled by the kernel-mode data pump process.

In this scenario, because of the underlying architecture of IPSec and of network address translation, the translated traffic is not processed by the IPSec driver.



WORKAROUND
To work around this issue, disable IP routing on your ISA Server 2004-based computer. To disable IP routing, follow these steps:

Note: If you disable IP routing, ISA Server 2004 performance may decrease.
 1) Start the ISA Server Management tool. To do this, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
 2) Expand  , expand Configuration, and then click General.
 3) Under Additional Security Policy, click Define IP Preferences.
 4) Click the IP Routing tab.
 5) Click to clear the Enable IP routing check box, click Apply, and then click OK.
 6) Click Apply to save your changes and to update the configuration.

Keywords: kbtshoot kbfirewall kbprb KB886995

-

© Microsoft Corporation. All rights reserved.