
Topic: ISA Server 2004, 2006, and Forefront TMG do not support traffic redirection

  
  1. #1
    Real name: 1234
    Retired admin
    Joined: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanked: 2513
    Thanks given: 272

    ISA Server 2004, 2006, and Forefront TMG do not support traffic redirection

    Code:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;888042
    This article discusses how to troubleshoot an issue that occurs when a client computer on a remote subnet sends TCP traffic to another internal computer.

    When a client computer that is behind Microsoft Internet Security and Acceleration (ISA) Server 2004, Microsoft ISA Server 2006, or Microsoft Forefront Threat Management Gateway, Medium Business Edition sends traffic to another internal computer, the ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer may drop the traffic.

    This behavior occurs when TCP packets in one direction follow a route that does not involve ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition, and TCP packets in the other direction follow a route that does involve ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition.

    For example, consider a client computer on a remote subnet that is behind an internal network. In this case, the remote subnet is separated from the ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer by a router. When the client computer sends a packet to another client computer that is located on the internal network, the traffic is forwarded directly to the computer on the internal network.

    When the client computer on the internal network responds, the packet is routed through ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition because this computer has the IP address of the internal network defined as its default gateway. ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition has no route back to the remote subnet. Therefore, the source IP address is identified as spoofed.

    This issue occurs even when the server has valid routes to both source and destination subnets. In this situation, the TCP connection request (SYN) from the client to the server bypasses ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition. However, the SYN-ACK packet is routed to the server and dropped with a TCP_NOT_SYN_PACKET error. In short, both sides of a TCP session must go through the ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer.

    This behavior may not occur with User Datagram Protocol (UDP) traffic, or Internet Control Message Protocol (ICMP) traffic.

    For more information about how to troubleshoot this issue and other network configuration issues, visit the following Microsoft Web site: Troubleshooting Network Configuration in ISA Server 2004
    For more information about how to configure ISA Server 2004 networks, visit the following Microsoft Web site: Best Practices for Configuring Networks in ISA Server 2004

    APPLIES TO


    • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
    • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
    • Microsoft Internet Security and Acceleration Server 2004 Standard Edition
    • Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition
    • Microsoft Forefront Threat Management Gateway, Medium Business Edition








  2. #2
    Real name: 1234
    Retired admin
    Joined: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanked: 2513
    Thanks given: 272

    Troubleshooting Network Configuration in ISA Server 2004

    Code:
    http://technet.microsoft.com/de-de/library/cc302656%28en-us%29.aspx
    Microsoft Internet Security and Acceleration (ISA) Server 2004 introduces a multi-networking model that allows you to control traffic between internal and external networks, and within your organization by means of firewall policy rules. You define network objects in ISA Server Management, and configure relationships to specify whether traffic should be routed between them, or have network address translation (NAT) applied. Network objects you define are used as source and destination elements in access rules you configure to specify what traffic is allowed or denied between networks in your infrastructure. The general process can be summarized as follows:

    • Create network objects, or modify ISA Server predefined network objects. Network objects you can define include networks (a range of Internet Protocol (IP) addresses), network sets (set of networks), computers, computer sets, address ranges (set of contiguous IP addresses), subnets, Uniform Resource Locator (URL) sets, and domain name sets.
    • Create network rules to configure how traffic is passed between networks in your organization. ISA Server checks network rules to determine whether source and destination networks are allowed to connect, and if so, whether traffic requests should be routed or have NAT applied.
    • Create firewall policy rules to expose traffic between networks to stateful filtering and application layer traffic inspection. Traffic is allowed or denied based on the parameters in the rules you create.

    For more information about configuring ISA Server networks, see Best Practices for Configuring Networks in ISA Server 2004 at the ISA Server Configuration and Administration Web site.
    This document describes a number of common issues you might encounter when configuring networks in ISA Server 2004, and provides recommendations for problem solving or workarounds.


    Local Host Network Configured but Internal Clients Have No Internet Access
    Internet Access Fails After Installing ISA Server on a Computer Running Windows Small Business Server
    Multiple External Interfaces on the ISA Server Computer Needed
    Client Connections from a Remote Subnet Denied
    ISA Server Detected a Spoof Attack
    ISA Server Detected Routes Through Network Adapter Adapter_Name That Do Not Correlate with the Network Element to Which This Adapter Belongs
    Intra-Domain Communication from Perimeter Networks Needed
    Clients Always Use the Primary IP Address and a Mail Exchanger Record Cannot Be Located
    Server Publishing Does Not Work When ISA Server Is Configured on a Computer with a Single Network Adapter
    Clients Have No Internet Access Through ISA Server with a Single Network Adapter
    Adapters Need to Be Added to ISA Server on a Computer with a Single Network Adapter
    Traffic Not Routing Between Networks
    DHCP-Assigned IP Address Cannot Be Obtained on an ISA Server External Network Adapter
    Internal Clients Cannot Obtain a DHCP Address from ISA Server Running DHCP
    Clients in a Perimeter Network Cannot Access Resources in the Internal Network or the Internet
    No Access for VPN Clients from a Custom External Network
    Unable to Access Hosts on Defined Networks
    No Traffic Flowing Through the VPN Tunnel
    Perimeter Network Configuration Not Working as Expected with Two Network Adapters

    Local Host Network Configured but Internal Clients Have No Internet Access
    Problem: The Local Host network (ISA Server computer) is configured to allow Web Proxy client requests, and traffic is allowed to the External network, but internal clients have no Internet access.
    Cause: The Local Host network represents the ISA Server computer. To allow internal clients Internet access, you must allow traffic between the network in which the clients are located (usually the Internal network) and the External network. Following installation, there is a predefined system policy rule allowing the Local Host network to connect to all networks. No such default rule exists to allow traffic from the Internal network.
    Solution: Configure an access rule to allow Hypertext Transfer Protocol (HTTP) access from the network in which clients are located (usually the Internal network) to the External network. Then enable Web proxy access on the network.


    Internet Access Fails After Installing ISA Server on a Computer Running Windows Small Business Server
    Problem: After installing ISA Server 2004 on a computer running Microsoft Windows Small Business Server 2003 (Windows SBS) server software, communication from internal networks does not work as expected.
    Cause: By default following installation, ISA Server 2004 blocks all traffic to and from the ISA Server computer. The ISA Server computer is represented by the Local Host network.
    Solution: Create access rules to allow traffic from the Internal network to the ISA Server computer (Local Host network), and vice versa.


    Multiple External Interfaces on the ISA Server Computer Needed
    Problem: Multiple external connections to the Internet are needed for ISA Server. For example, you need to use one Internet connection for sending mail only, and you need a separate external connection to the Internet for user browsing.
    Cause: ISA Server does not support configuring multiple connections on the External network adapter.
    Solution: No workaround. There are a number of third-party products that may provide a solution. For more information, see High Availability and Load Balancing on the Partners page at the ISA Server Web site.


    Client Connections from a Remote Subnet Denied
    Problem: A client computer protected by ISA Server sends traffic to another internal computer, and ISA Server drops the traffic. This may not occur with User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) traffic.
    Cause: This issue may occur when packets in one direction go through a route that does not involve ISA Server, and packets in the other direction go through ISA Server. This is illustrated in the following scenario:

    • There is a remote subnet behind the Internal network, and the remote subnet is separated from the ISA Server computer by a router.
    • A client computer on the remote subnet sends a packet to a client computer on the Internal network. Traffic is forwarded directly to the computer on the Internal network.
    • The client in the Internal network responds, and the packet is routed through ISA Server because this computer has the IP address of the ISA Server Internal network defined as its default gateway.
    • ISA Server has no route back to the remote subnet. It does not see the source IP address as valid, and this triggers the spoof response.

    This is illustrated in Figure 1.

    Figure 1: Communication session
    Solution: You can use either of the following methods to work around this issue:

    • Create default routes on the local internal hosts for all remote internal subnets. For example, if your network is configured as illustrated in Figure 1, follow these steps on the computer where the IP address is 10.0.0.3:
      1. Click Start, click Run, type cmd, and then click OK.
      2. Type route -p add 192.168.0.0 mask 255.255.255.0 10.0.0.2. Then press the Enter key.

      You must type the -p switch so that route additions are persistent after a computer restart. The ROUTE ADD command syntax is as follows: ROUTE -P ADD destination_address MASK subnet_mask default_gateway. This example assumes that the 192.168.0.x network uses a subnet mask of 255.255.0.0.
    • Specify the local routers as the default gateway for computers located on the same subnet as the ISA Server internal interface. If you want to support requests from SecureNAT clients in the remote subnet or local subnet, specify the internal ISA Server interface as the default gateway of the router.



    ISA Server Detected a Spoof Attack
    Problem: ISA Server responds with the following IP spoofing message:

    • Event 15108: ISA Server detected a spoof attack from Internet Protocol (IP) address IP_address, when trying to access a network resource.

    This event might also appear:

    • Event 14147: ISA Server detected routes through network adapter adapter_name that do not correlate with the network element to which this adapter belongs.

    Cause: One of the most common causes of this issue is that two network adapters are associated with the same network. When you define IP address ranges for a network, ISA Server checks all network adapters. When an adapter with an IP address in a network's range is found, the adapter is associated with that network.
    In a network that has a subnet accessible by ISA Server through routers, ISA Server checks if the subnet ranges are also included in a network object definition. If you define a separate network object for such subnets, ISA Server will try to locate an adapter with an IP address of the network object, and fail. ISA Server assumes that the adapter is not available (disconnected or disabled), and sets network object status to disconnected.
    Solution: For a specific solution to event 15108, see the Knowledge Base article 840681, "Attempts to access published resources are logged as spoof attacks with event ID 15108 in ISA Server 2000." In addition, follow these best practices when defining your network configuration in ISA Server:

    • Include all network ranges for subnets in a network object's properties. (For example, if your Internal network includes routed subnets, include the IP addresses of the remote subnets in the IP address definition of the Internal network.)
    • If you need to create access rules between routed subnets not associated with a network adapter, create subnet objects on the Toolbox tab in ISA Server Management. Then create access rules using these objects as source or destination networks.



    ISA Server Detected Routes Through Network Adapter Adapter_Name That Do Not Correlate with the Network Element to Which This Adapter Belongs
    Problem: ISA Server is logging Event 14147: ISA Server detected routes through adapter adapter_name that do not correlate with the network element to which this adapter belongs. The address ranges in conflict are: ip_range.
    This indicates that routes not associated with a network object were detected.
    Cause: ISA Server uses the route table and route entries associated with a network interface to understand the network topology. This event is issued when there is a mismatch between the routing table and the IP address ranges associated with an ISA Server network object.
    Solution: Troubleshoot this issue by checking the following:

    • Check that the same IP addresses are not configured in more than one network.
    • Verify that the IP address range is configured correctly for the network object. You can reconfigure the network object by removing the IP address ranges associated with it, and then using Add Adapter to select the specific adapter you want to associate with the network.
    • If IP addresses are not configured correctly after using Add Adapter, check that the routing table is configured correctly. In particular, if there are any remote subnets connected to the network associated with the adapter, check the following:
      • Static routes are defined to reach the remote subnet.
      • The ISA Server network definition includes the IP address range of the remote subnet.

    For more information, see the Knowledge Base article 884496, "Client computers cannot access external resources, and event ID 14147 appears in the Application log in ISA Server 2004."


    Intra-Domain Communication from Perimeter Networks Needed
    Problem: Intra-domain communication is not configured between networks so that a Web server (member of internal domain) in the perimeter network can contact the domain controller situated in the Internal network.
    Cause: Network rules and access rules need to be configured between the perimeter network and other network objects to allow access.
    Solution: To enable the perimeter Web server to contact a domain controller in the Internal network, configure the following:

    • A network rule specifying a route relationship between the two networks.
    • An access rule with the Web server in the perimeter network as the source network, and the domain controller in the Internal network as the destination network.

    For more information, see the following:

    • Allowing Intradomain Communications through the ISA Firewall (2004) at the ISAServer.org Web site
    • Knowledge Base article 179442, "How to configure a firewall for domains and trusts"
    • Knowledge Base article 274438, "Cannot Use Kerberos Trust Relationships Between Two Forests in Windows 2000"
    • Windows Server 2003 Trust Enhancements at the Microsoft TechNet Web site



    Clients Always Use the Primary IP Address and a Mail Exchanger Record Cannot Be Located
    Problem: Outgoing e-mail messages through ISA Server are rejected.
    Cause: When applying NAT to client requests to remote destinations, ISA Server calculates the IP address of the adapter to be used based on the TCP/IP routing mechanism (routing table). The address chosen is the same address that would be used if ISA Server tried to create a connection (for example, a TCP connection) with the server downstream. Generally, this is the primary IP address, where the primary IP address is the first address bound to the adapter interface (the default IP address). All other addresses are secondary. This may be problematic in some Simple Mail Transfer Protocol (SMTP) scenarios. When receiving mail, servers do a reverse lookup before accepting mail. E-mail messages may be rejected if the primary IP address cannot be located in a mail exchanger (MX) record for the domain. This can occur when you have multiple mail servers with different MX records registered.
    Note that this issue does not affect mail sent by Internet mail servers to your domain. In this case, a mail server doing a lookup finds the MX record and the external IP address on which SMTP is published. The e-mail message arrives at the ISA Server computer and is forwarded to the mail server.
    Solution: Where there is a NAT relationship defined between networks, there is no workaround. You cannot configure one-to-one NAT as you can in server publishing. Instead, you must assign the IP address on the MX record as the primary IP address on the external network adapter. As an alternative, you can configure a route relationship between the mail servers and the External network, if appropriate. Remember that in a route relationship, internal IP addresses are not hidden as they are in a NAT relationship.


    Server Publishing Does Not Work When ISA Server Is Configured on a Computer with a Single Network Adapter
    Problem: Server publishing is not working when ISA Server is installed with a single network adapter.
    Cause: Server publishing is not supported when ISA Server is configured with a single network adapter. In this configuration, ISA Server recognizes only the Internal network. There is no separation of Internal and External networks, and ISA Server cannot provide the NAT functionality required in a server publishing scenario.
    Solution: Use Web publishing rules where appropriate, or install another network adapter.
    For a discussion of best practices, supported scenarios, and limitations when running ISA Server with a single network adapter, see Configuring ISA Server 2004 on a Computer with a Single Network Adapter at the Microsoft TechNet Web site. See also ISA Server online Help.


    Clients Have No Internet Access Through ISA Server with a Single Network Adapter
    Problem: Internal clients are denied access to the Internet by the default deny rule, even though network rules and access rules are configured between the Internal and External networks to allow access.
    Cause: ISA Server with a single network adapter recognizes only the Internal network.
    Solution: If ISA Server is installed on a single adapter computer, ensure the following:

    1. Apply the Single Network Adapter network template. You can apply templates from the Networks tab of the Configuration node in ISA Server Management.
    2. Define access rules between the Internal network and the Internal network.



    Adapters Need to Be Added to ISA Server on a Computer with a Single Network Adapter
    Problem: The ISA Server computer has a single adapter, and you want to use some ISA Server features that require another adapter.
    Cause: More than one adapter is needed.
    Solution: Physically add other adapters, and then run the suitable template wizard. For example, if you have added an additional network adapter, you can configure ISA Server with the Edge Firewall network template, the Front Firewall network template, or the Back Firewall network template. If you have added two additional network adapters to set up a perimeter scenario, you can configure the 3-Leg Perimeter network template. For more information, see the topic Network Templates in ISA Server online Help.


    Traffic Not Routing Between Networks
    Problem: Network rules with a route relationship are configured and access rules allow traffic, but traffic is not routed between two network objects, and PING fails.
    Cause: This may occur if network rules are incorrectly configured, or IP addresses are not defined properly for network objects.
    Solution: Check the following:

    • Check that a network rule exists between the two objects and is correctly configured.
    • Ensure that the IP addresses defined in the network objects between which you want to route are not included in definitions of any other network objects.
    • Ensure that the network object contains the addresses of all remote subnets that can be reached from the adapter associated with the network object.
    • Check hardware configuration and settings.



    DHCP-Assigned IP Address Cannot Be Obtained on an ISA Server External Network Adapter
    Problem: ISA Server cannot obtain a Dynamic Host Configuration Protocol (DHCP)-assigned IP address on the external interface.
    Cause: ISA Server uses system policy rules to control traffic from the ISA Server computer (Local Host network). If DHCP traffic is not enabled, ISA Server will not be able to obtain a DHCP-assigned IP address.
    Solution: Enable the DHCP system policy rule: Allow DHCP replies from DHCP servers to ISA Server. You can specify the External network in the rule or preferably the specific IP address of the external DHCP. For more information, see the Knowledge Base article 841141, "The external network adapter on your ISA Server 2004 computer cannot obtain a valid IP address from a DHCP server."


    Internal Clients Cannot Obtain a DHCP Address from ISA Server Running DHCP
    Problem: Internal clients cannot obtain a DHCP address. The DHCP server is located with ISA Server.
    Cause: The Internal network object does not include the broadcast address from the Internal network IP address range.
    Solution: Add the broadcast address to the Internal network definition. Ensure that there is a protocol and rule allowing DHCP requests and replies for the Local Host and Internal networks. For more information about locating DHCP with ISA Server, see Configuring the ISA Server Computer as a DHCP Server at the Microsoft TechNet Web site.


    Clients in a Perimeter Network Cannot Access Resources in the Internal Network or the Internet
    Problem: Clients located in a perimeter network cannot access resources in the Internal network or browse the Web through ISA Server.
    Cause: This is caused by incorrect or missing settings, including: network definitions, network rules, access rules, or client configuration.
    Solution: Troubleshoot this issue as follows:

    • Check the definition of the perimeter network. Ensure that the perimeter network does not contain IP addresses that are defined in other networks.
    • Verify that network rules are configured correctly. A typical configuration would be a NAT relationship between the perimeter network and the External network, and a route relationship between the perimeter network and the Internal network. For more information about configuring network rules, see Best Practices for Configuring Networks in ISA Server 2004 at the ISA Server Configuration and Administration Web site.
    • Check that access rules allowing traffic are correctly defined.

    You can apply the 3-Leg Perimeter network template to configure network rules and firewall policy that typically correspond with a perimeter scenario, and then modify them as required. Note that when you apply a network template, any access rules you have defined will be overwritten. For more information, see the topic 3-Leg Perimeter network template in ISA Server online Help.


    No Access for VPN Clients from a Custom External Network
    Problem: To allow access from only a narrow range of IP addresses, a custom External network was defined. Now users from that External network cannot use a virtual private network (VPN) to access ISA Server. Users from the predefined External network can use a VPN successfully.
    Cause: Creating a custom External network for which ISA Server does not have an associated network adapter is not a valid configuration.
    Solution: Do not create another External network. To limit access to certain Internet sites, define IP addresses as an address range and use these address range network objects as the rule destination in access rules. For a suggested solution, see Excluding Specific Addresses from VPN Source Networks in ISA Server 2004 at the Microsoft TechNet Web site.


    Unable to Access Hosts on Defined Networks
    Problem: You have ISA Server installed on a computer with two network adapters. Your infrastructure consists of four subnets connected by routers on the Internal network. You have created networks for each subnet, but traffic is not flowing between ISA Server and some of the networks.
    Cause: All IP addresses behind an ISA Server network adapter are considered as part of the same network. So even if you have routed subnets, ISA Server treats them as a single network. You should only create ISA Server networks for interfaces connected to ISA Server. (The only exception to this is networks representing remote VPN sites.)
    Solution: Remove the network objects you have defined for any routed subnets. Add the IP address ranges for these subnets into the Internal network definition. If you require access rules to control traffic between the Internal network and these remote subnets, create a subnet network object and use this as an access rule element. You can create network objects on the Toolbox tab of the Firewall Policy node in ISA Server Management. The other alternative is to add additional network adapters to the ISA Server computer.


    No Traffic Flowing Through the VPN Tunnel
    Problem: The Layer Two Tunneling Protocol (L2TP) connection is connected, but no traffic is flowing through the VPN tunnel.
    Cause: There may be overlapping static routes.
    Solution: Check the following:

    • Check that static routes are configured correctly in the routing table.
    • Check the remote network configuration. The IP address range of the remote VPN site network should not overlap with ISA Server network definitions.
    • Check the relationship between VPN sites. When two-way communication is required between VPN networks, establish a route relationship, because a NAT relationship is one way. However, you can enable communications by defining a route relationship on one of the VPN networks and a NAT relationship on the other. If computers communicating across the networks have public IP addresses, a route relationship can be created without concern about address duplication, because public IP addresses are unique. Where computers have private IP addresses, there is a risk of duplicate addresses.
    • Check that access rules controlling traffic to and from the remote network are configured as required.

    For more information about configuring site-to-site VPN connections, see Site-to-Site VPN in ISA Server 2004 at the Microsoft TechNet Web site.


    Perimeter Network Configuration Not Working as Expected with Two Network Adapters
    Problem: You have created a perimeter network, but clients in the perimeter network cannot communicate as expected.
    Cause: Only two network adapters are installed on the ISA Server computer. ISA Server requires a separate physical interface for each network. You cannot split the external network adapter address range between the perimeter and External network.
    Solution: Add another network adapter to the computer so that each ISA Server network only maps to a single network adapter.
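    A simulation of the asymmetric-routing drop described in posts #1 and #2: the SYN from the remote subnet bypasses ISA Server, the SYN-ACK from the internal host reaches it and is dropped as TCP_NOT_SYN_PACKET, and the `route -p add` workaround keeps both directions off the firewall. It also shows the Event 15108 spoof drop when the remote subnet is left out of the Internal network definition. This is an added example, not Microsoft's code; it uses the Figure 1 addresses 10.0.0.3, 10.0.0.2 and 192.168.0.0/24 and assumes 10.0.0.1 for the ISA Server internal interface, 192.168.0.1 for the router's remote-side address, 192.168.0.10 for the remote client and a constructed upstream gateway.

```python
import ipaddress
from collections import namedtuple

# Addresses taken from Figure 1 of the troubleshooting document: 10.0.0.3, 10.0.0.2 and
# 192.168.0.0/24. Every other address below is an assumption of this example.
ISA_INTERNAL = "10.0.0.1"      # ISA Server internal interface, default gateway of 10.0.0.3
ROUTER_INTERNAL = "10.0.0.2"   # router between the Internal network and the remote subnet
ROUTER_REMOTE = "192.168.0.1"
SERVER = "10.0.0.3"            # internal host the remote client connects to
REMOTE_CLIENT = "192.168.0.10"

# Routing tables as (prefix, gateway); gateway None means the prefix is directly attached.
CLIENT_ROUTES = [("192.168.0.0/24", None), ("0.0.0.0/0", ROUTER_REMOTE)]
ROUTER_ROUTES = [("192.168.0.0/24", None), ("10.0.0.0/24", None), ("0.0.0.0/0", ISA_INTERNAL)]
SERVER_ROUTES_DEFAULT = [("10.0.0.0/24", None), ("0.0.0.0/0", ISA_INTERNAL)]
# The same host after "route -p add 192.168.0.0 mask 255.255.255.0 10.0.0.2":
SERVER_ROUTES_FIXED = SERVER_ROUTES_DEFAULT + [("192.168.0.0/24", ROUTER_INTERNAL)]
# ISA has valid routes to both subnets (the case the KB says still fails); 203.0.113.1 is an assumed upstream.
ISA_ROUTES = [("10.0.0.0/24", None), ("192.168.0.0/24", ROUTER_INTERNAL), ("0.0.0.0/0", "203.0.113.1")]

DELIVERED, FORWARD, DROP_NO_ROUTE = "DELIVERED", "FORWARD", "DROP_NO_ROUTE"
DROP_NOT_SYN = "DROP_TCP_NOT_SYN_PACKET"   # non-SYN segment with no connection table entry
DROP_SPOOF = "DROP_SPOOF_EVENT_15108"      # source address outside the Internal network definition

Packet = namedtuple("Packet", "src dst flags")   # flags: "SYN", "SYN-ACK" or "ACK"


def lookup(routes, dst):
    """Longest-prefix match; returns (network, gateway) or None when nothing matches."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best


class IsaServer:
    """Inspection on the internal adapter: anti-spoofing first, then a SYN-first connection table."""
    def __init__(self, internal_ranges, routes=ISA_ROUTES):
        self.internal = [ipaddress.ip_network(r) for r in internal_ranges]
        self.routes = routes
        self.connections = set()   # (src, dst) pairs for which a SYN has been seen

    def inspect(self, pkt):
        if not any(ipaddress.ip_address(pkt.src) in n for n in self.internal):
            return DROP_SPOOF
        key = (pkt.src, pkt.dst)
        if pkt.flags == "SYN":
            self.connections.add(key)
            return FORWARD
        if key in self.connections or (pkt.dst, pkt.src) in self.connections:
            return FORWARD
        return DROP_NOT_SYN


def deliver(pkt, tables, isa, max_hops=8):
    """Carry one packet hop by hop; returns (path, verdict). Only hops through ISA Server are inspected."""
    node, path = pkt.src, [pkt.src]
    for _ in range(max_hops):
        if node not in tables:          # gateway outside the modelled network (the Internet side)
            return path, DELIVERED
        route = lookup(tables[node], pkt.dst)
        if route is None:
            return path, DROP_NO_ROUTE
        nxt = pkt.dst if route[1] is None else route[1]
        path.append(nxt)
        if nxt == pkt.dst:
            return path, DELIVERED
        if nxt == ISA_INTERNAL:
            verdict = isa.inspect(pkt)
            if verdict != FORWARD:
                return path, verdict
        node = nxt
    return path, DROP_NO_ROUTE


def _tables(server_routes, isa):
    return {REMOTE_CLIENT: CLIENT_ROUTES, ROUTER_REMOTE: ROUTER_ROUTES, ROUTER_INTERNAL: ROUTER_ROUTES,
            SERVER: server_routes, ISA_INTERNAL: isa.routes}


def handshake(server_routes, isa):
    """Three-way handshake from the remote client to the internal server; stops at the first drop."""
    results = []
    for pkt in (Packet(REMOTE_CLIENT, SERVER, "SYN"), Packet(SERVER, REMOTE_CLIENT, "SYN-ACK"),
                Packet(REMOTE_CLIENT, SERVER, "ACK")):
        path, verdict = deliver(pkt, _tables(server_routes, isa), isa)
        results.append((pkt.flags, " -> ".join(path), verdict))
        if verdict != DELIVERED:
            break
    return results


def internet_request(isa):
    """Remote client opening a connection to an Internet host (198.51.100.5 is a constructed address)."""
    return deliver(Packet(REMOTE_CLIENT, "198.51.100.5", "SYN"), _tables(SERVER_ROUTES_DEFAULT, isa), isa)
```

    Calling `handshake(SERVER_ROUTES_DEFAULT, IsaServer(["10.0.0.0/24", "192.168.0.0/24"]))` ends at the SYN-ACK with DROP_TCP_NOT_SYN_PACKET even though ISA has routes to both subnets; with SERVER_ROUTES_FIXED all three segments are delivered without touching ISA.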







  3. #3
    Real name: 1234
    Retired admin
    Joined: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanked: 2513
    Thanks given: 272

    Best Practices for Configuring Networks in ISA Server 2004

    Code:
    http://technet.microsoft.com/de-de/library/cc302676%28en-us%29.aspx
    This document provides general guidelines for configuring network infrastructure and using network objects in Microsoft Internet Security and Acceleration (ISA) Server 2004.
    ISA Server 2004 uses a multi-networking model to control how traffic flows between networks internal to your organization, and between internal and external networks. You create access rules to determine how clients on a source network can access resources on a destination network. When you create rules, you specify a network object as the source and destination of the rule.
    To allow communication between networks, the following process is required:

    • Create network objects. Create network objects to match your organization’s network infrastructure, or modify predefined network objects created by ISA Server. For more information, see Creating Network Objects later in this document.
    • Configure network properties. Networks are network objects that typically correspond to your physical network layout. Configure properties of networks to determine how the network handles traffic, and supports client requests. For more information, see Configuring Network Properties later in this document.
    • Create network rules. Create network rules to configure how traffic is passed between network objects. ISA Server checks network rules to determine whether source and destination networks can connect, and if so, whether traffic between the network objects should have a network address translation (NAT) or route relationship. For more information, see Creating Network Rules later in this document.
    • Create access rules. Create a firewall policy by means of access rules or Web proxy routing rules, to expose communications between networks to stateful filtering and application layer traffic inspection. Use network objects to specify a source network and destination network for the rule. For more information, see Using Network Objects in Access Rules later in this document.

    Creating Network Objects
    There are a number of different types of network objects available for use in rules, including:

    • Networks. Networks typically correspond to a physical network. Networks represent one or more Internet Protocol (IP) address range or ranges that can be reached from one of the network adapters on the ISA Server computer. For more information about the predefined networks that ISA Server defines, see Predefined ISA Server Networks later in this document.
    • Network sets. A network set is a group of networks. After installation, there are two predefined network sets: All Networks and All Protected Networks (containing all ISA Server networks except the External network).
    • Computers. A Computer object allows you to specify a single computer address as a source or destination in policy rules. This is useful where granular control is required to allow communications to or from a single computer.
    • Address ranges. An address range is a collection of contiguous IP addresses to which you want to apply rules.
    • Subnets. A subnet represents a group of computers located on the same subnet.
    • Computer sets. A computer set is a collection of computers, IP address ranges, or subnets. Following installation, there are a number of predefined computer sets, including Anywhere, which includes all IP address ranges.
    • URL sets. A URL set is a collection of one or more Uniform Resource Locators (URLs). Use for granular control to specify what Web site URL users can access through ISA Server. URL sets are only used with Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP) requests, with some limited support for Secure HTTP (HTTPS). For more information, see Using URL and Domain Name Sets in ISA Server 2004 at the Microsoft TechNet Web site.
    • Domain name sets. A collection of one or more domain names. They are similar to URL sets, except that domain name sets are relevant for all protocols.

    Applying Network Templates

    Although you can create networks manually, to get started creating networks and creating basic network and access rules, we recommend that you use predefined ISA Server network templates. These are provided for the most common network configurations, including deploying ISA Server as an edge firewall, a front firewall, a back firewall, a three-leg perimeter, or as a firewall with a single network adapter. When you run the Network Template Wizard to apply one of these templates, you define network IP addresses, and then select a basic firewall policy that corresponds to the template. To run the Network Template Wizard, in ISA Server Management, expand the Configuration node, and then click the Networks node. On the Templates tab, select the template you want to configure, as shown in the following figure. For more information about network templates, see Network Templates later in this document.
    Caution: Applying a new template deletes all existing rules, with the exception of the predefined system policy rules. Back up your current configuration before applying a template. When you run the Network Template Wizard, you have the opportunity to save your current configuration before applying a new template.


    Detecting Spoofed Traffic

    The ISA Server network model incorporates spoof detection to decide whether source and destination IP addresses are valid. Every time a network adapter receives a packet, ISA Server checks whether the packet is spoofed. ISA Server checks packet validity against the properties of the network associated with the adapter, and the Microsoft Windows Server 2003 or Windows 2000 Server routing table. A packet is considered spoofed (and therefore dropped) if one of the following is true:

    • The packet contains a source IP address that (according to the routing table) is not reachable through any network adapter associated with the network.
    • The packet contains a source IP address that does not belong to the address range of a network (array network for Enterprise Edition) associated with a network adapter.


    Guidelines for Creating Networks

    Use the following guidelines when creating networks:

    • ISA Server supports unlimited network adapters in accordance with hardware limitations.
    • A network adapter can only be associated with one ISA Server network.
    • An adapter may have zero or more addresses. Each address can only belong to one network (be associated with exactly one network adapter). There should be no overlap of address ranges on a network.
    • Do not use dynamic addresses on ISA Server network adapters, except for the adapter associated with the External network.
    • ISA Server does not support multiple external network interfaces.
    • The ISA Server computer must have at least one network adapter configured and enabled (for communication with the Internal network). An ISA Server computer with only one network adapter should be configured with the Single Network Adapter template. In such a scenario, ISA Server recognizes only the Internal network. For more information about this scenario, see Configuring ISA Server 2004 on a Computer with a Single Network Adapter at the Microsoft TechNet Web site.
    • When you add a new adapter and assign it a new IP address that is not present on any other ISA Server network, configure a new network object for that adapter. You can run a new network template after a change in network adapter configuration. For example, if you add a new adapter to a computer with a single adapter, you can select an alternative template such as the Edge Firewall template, the Back Firewall template, or the Front Firewall template. Remember that selecting a new template will overwrite existing access rules, and you should back up your current configuration settings before running the Network Template Wizard.
    • To create a custom Internal or perimeter network, you must have an adapter installed to associate with the new network. For example, if you have an ISA Server computer with two network adapters, one connected to the Internet, and the other to the Internal network, you will need a third network adapter to define a perimeter network.
    • All IP addresses that can be reached directly from a network adapter must be defined as part of the same ISA Server network. All addresses behind a specific adapter must be included in the network object associated with that adapter. Ensure the following to make sure remote subnets reachable by ISA Server through a router are correctly configured and that traffic will not be considered as spoofed:
      • Do not create networks for remote subnets physically connected to a local ISA Server subnet.
      • Be sure that remote subnets are added correctly to the network definition.
      • Verify that the network’s IP address range matches the routing table, and that persistent static routes are defined in the routing table for each remote subnet.
      • Any IP address that is not contained in ISA Server protected networks is considered part of the External network. ISA Server protected networks are included in the All Protected Networks network set configured by default after ISA Server installation. This network set contains all ISA Server networks except the External network.
      • Because only communication between different networks should traverse ISA Server, you cannot use a network when specifying source or destination in an access rule controlling communication between two hosts in the same network. Instead, you can use other network objects, such as computers, subnets, and address ranges to control traffic between these hosts. Where appropriate, you can also use direct access for such host-to-host communications to ensure that requests between internal clients are not looped back through the ISA Server computer.



    Example

    The following figure shows how remote subnets should be configured.

    In the preceding figure, note the following:

    • The 192.168.1.0, 192.168.2.0, and 192.168.3.0 subnets are accessible to ISA Server through routers, and the Windows routing table should reflect this configuration.
    • The internal network object must include all of the subnets. You cannot create a network for each subnet, because ISA Server will look at the properties of each network and attempt to find an adapter to associate with each network. This will fail because there is no such network adapter for each network, and ISA Server assumes that the adapter is either physically disconnected or disabled, and treats the network as disconnected.
    • To ensure that the ISA Server network configuration matches the physical networks and the routing table, configure the Internal network properties to include address ranges of all subnets. In addition, ensure that the routing table is correctly configured. To do this, use the route add command with the -p switch to add a persistent static route for each remote subnet. This is the subnet that is not directly connected, in this case, 192.168.2.0 and 192.168.3.0. The default gateway for these routes would be the router IP address that interfaces with the same network as the ISA Server internal network adapter.
    • SecureNAT clients on the remote subnets should have their default gateway set to the IP address of the router connected to the Internal network. Firewall clients and Web Proxy clients should use the address of the ISA Server internal network adapter.
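    The spoof check described in Detecting Spoofed Traffic, run against the remote-subnet layout of this example, as an added illustration that is not part of the original document or ISA Server's own code. The adapter names LAN and WAN, the router address 192.168.1.254, the upstream gateway 203.0.113.1 and the client addresses are assumptions; the 192.168.1.0, 192.168.2.0 and 192.168.3.0 subnets are the ones in the text.

```python
# Model of the two spoof-detection conditions (network address range + routing table).
# Added illustration, not ISA Server code; adapter names and gateway addresses are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    destination: IPNet
    interface: str                   # adapter the route leaves through
    gateway: Optional[str] = None    # None means directly connected


@dataclass(frozen=True)
class IsaNetwork:
    name: str
    adapter: Optional[str]           # adapter associated with the network
    ranges: tuple                    # IPv4Network objects; empty for the residual External network


def build_networks(internal_ranges):
    """Internal network behind adapter 'LAN'; External (every other address) behind adapter 'WAN'."""
    return (
        IsaNetwork("Internal", "LAN", tuple(IPNet(r) for r in internal_ranges)),
        IsaNetwork("External", "WAN", ()),
    )


def build_routing_table(persistent_routes):
    """Windows-style table: connected LAN subnet, default route out of WAN, plus 'route add -p' entries."""
    table = [
        Route(IPNet("192.168.1.0/24"), "LAN"),
        Route(IPNet("0.0.0.0/0"), "WAN", gateway="203.0.113.1"),   # constructed upstream gateway
    ]
    # Persistent static routes for the remote subnets point at the router on the internal segment.
    table += [Route(IPNet(s), "LAN", gateway="192.168.1.254") for s in persistent_routes]
    return table


def egress_interface(routing_table, ip):
    """Longest-prefix match, as the Windows routing table does."""
    matches = [r for r in routing_table if ip in r.destination]
    return max(matches, key=lambda r: r.destination.prefixlen).interface if matches else None


def in_network(ip, net, networks):
    """External holds every address that belongs to no other network."""
    if net.ranges:
        return any(ip in r for r in net.ranges)
    return not any(ip in r for other in networks if other is not net for r in other.ranges)


def is_spoofed(src, arriving_adapter, networks, routing_table):
    """Return (spoofed, reason) for a packet with source src received on arriving_adapter."""
    ip = ipaddress.ip_address(src)
    net = next((n for n in networks if n.adapter == arriving_adapter), None)
    if net is None:
        return True, f"no network is associated with adapter {arriving_adapter}"
    if not in_network(ip, net, networks):            # second condition in the text
        return True, f"{ip} is outside the address ranges of the {net.name} network"
    iface = egress_interface(routing_table, ip)      # first condition in the text
    if iface != arriving_adapter:
        return True, f"routing table reaches {ip} through {iface}, not {arriving_adapter}"
    return False, "accepted"


ALL_SUBNETS = ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24")
REMOTE_SUBNETS = ("192.168.2.0/24", "192.168.3.0/24")


def check_remote_client(src, internal_ranges=ALL_SUBNETS, persistent_routes=REMOTE_SUBNETS):
    """Evaluate a packet from a remote-subnet client arriving on the internal adapter."""
    return is_spoofed(src, "LAN", build_networks(internal_ranges), build_routing_table(persistent_routes))


if __name__ == "__main__":
    # Correct configuration: the Internal network covers every subnet and routes exist for the remote ones.
    print(check_remote_client("192.168.2.10"))
    # Remote subnet left out of the Internal network definition (second condition fails).
    print(check_remote_client("192.168.2.10", internal_ranges=("192.168.1.0/24",)))
    # Persistent route for 192.168.3.0/24 missing, so the default route points out of WAN (first condition fails).
    print(check_remote_client("192.168.3.10", persistent_routes=("192.168.2.0/24",)))
```

Each of the two misconfigurations the guidelines warn about produces a distinct drop reason, which is the information an administrator needs when the firewall log reports a spoofed source.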




    Configuring Network Properties
    The ISA Server predefined networks and custom networks you create have properties associated with them. These properties specify the IP address ranges associated with the network, how Firewall clients access resources in the network, how Web Proxy client requests are handled, and whether automatic discovery is configured for the network. For example, for the ISA Server predefined Internal network, you can use the following tabs (shown in the following figures) to set properties:

    • Addresses. On this tab, specify the IP address ranges to include in the network.

      Note: In ISA Server 2004 Enterprise Edition, you can add multiple enterprise networks into the addresses of an array-level network. This is useful to ensure that IP addresses are not considered as spoofed. IP addresses that belong to an enterprise network but do not belong to any array-level network are considered to be part of a residual address range and will be treated as spoofed addresses and dropped.
    • Domains. On this tab, specify a list of internal network domains for direct access. When Firewall clients connect to a domain specified in this list, the request bypasses the Firewall client configuration. This enables such clients to connect directly to servers in the local network without looping back through ISA Server. Firewall client computers configured as Web Proxy clients can use this list to bypass Web proxy when connecting to specific external sites, connecting instead as Firewall clients or SecureNAT clients. This setting is enabled when Directly access computers specified in the Domains tab is enabled on the Web Browser tab.
    • Web Browser. On this tab, specify how Web browsers configured to use the automatic configuration script should behave. For more information about the automatic configuration script, see Automatic Discovery for Firewall and Web Proxy Clients at the Microsoft TechNet Web site. Select as follows:
      • Select Bypass proxy for Web servers in this network to specify that Web Proxy clients should connect directly to Web servers in their local network.
      • Select Directly access computers specified in the Domains tab to allow Web Proxy clients to access domains listed on the Domains tab directly, bypassing the Web proxy. You can specify a list for direct access.
      • Select Direct access to specify that Web Proxy clients should access sites using SecureNAT or Firewall client configuration if Web proxy is not available.
      • Select Alternative ISA Server to specify an alternative Web proxy.


    • Auto Discovery. On this tab, specify the port number on which the network adapter should listen for Web Proxy Automatic Discovery (WPAD) and Winsock Proxy Autodetect (WSPAD) requests. By default, ISA Server publishes automatic discovery information on port 8080. For Dynamic Host Configuration Protocol (DHCP) discovery, you can specify any port. For Domain Name System (DNS), you must publish on port 80. For detailed information about configuring automatic discovery, see Automatic Discovery for Firewall and Web Proxy Clients at the Microsoft TechNet Web site. For more information about the WPAD protocol, see Web Proxy Auto-Discovery Protocol.
    • Firewall Client. On this tab, enable this network to listen for requests from Firewall clients, and configure Web browser settings on Firewall client computers. Specify that Firewall clients should use automatic detection to find an ISA Server computer and an automatic configuration script.
    • Web Proxy. On this tab, specify that the network will listen for HTTP requests from the Web proxy. You can configure authentication methods for such requests. Note that although you can select Secure Sockets Layer (SSL), Web Proxy client browsers cannot connect to the listener over an SSL connection. This is a browser limitation. Internet Explorer does not support certificate authentication to a Web proxy. This option is only for use in a Web proxy chaining scenario. In this case, you can configure a downstream ISA Server to forward Web requests to an upstream proxy over SSL.
    • CARP. This tab appears in ISA Server 2004 Enterprise Edition only. On this tab, enable Cache Array Routing Protocol (CARP) for a specific network. When you enable CARP, the cache drives on all array servers are treated as a single logical cache drive so that caching is efficiently distributed among the member servers. For more information about CARP, see How CARP works in ISA Server online Help.
    • NLB. This tab appears in ISA Server 2004 Enterprise Edition only. On this tab, enable Network Load Balancing (NLB) on the network, and specify a virtual IP address and mask to use. When a virtual IP address is configured for a network, ISA Server adds the specified IP address to a network adapter on each server, and updates the routing table for the network adapter accordingly. The combination of the virtual IP address and mask must yield the same subnet as the combination of the IP address and mask of the adapter associated with the network. The virtual IP address must belong to the network. For more information about NLB, see Network Load Balancing in ISA Server 2004 Enterprise Edition at the Microsoft TechNet Web site.

      Note: You can specify Web Proxy properties (and CARP properties in ISA Server 2004 Enterprise Edition) on the predefined Local Host network. This configures the Web Proxy listener for use by applications running on the ISA Server computer.



    Creating Network Rules
    To allow communication between network objects, you must define network rules. Network rules define whether traffic is allowed between network objects, and the type of relationship that should be applied to traffic flowing between source and destination network objects. To create network rules, in ISA Server Management, expand the Configuration node, and then click the Networks node, as shown in the following figure.

    There are two choices available when defining the relationship between networks:

    • Network address translation (NAT). You will usually use a NAT relationship for communication between trusted and untrusted networks. When a NAT relationship is enabled, the IP address of the request from the source network is replaced with the IP address of the adapter on the ISA Server computer that is connected to the destination network. For example, if you create a NAT relationship between the Internal network and the External network, the source IP address of a request from the Internal network will be replaced with the IP address of the ISA Server network adapter connected to the External network. For more information about NAT, see What is NAT in the Windows Server 2003 documentation at the Microsoft TechNet Web site.
    • Route. Use a route relationship where a more transparent communication is acceptable, and IP addresses do not need to be hidden between networks. This is a common configuration between two networks with public IP addresses, or between two networks with private addresses.

    Guidelines for Creating Network Rules

    Use the following guidelines when creating network rules:

    • A NAT relationship is unidirectional. For example, if you create a NAT relationship from the Internal network to the perimeter network, traffic returned from the perimeter network to the Internal network is not translated. You cannot use access rules to control traffic from the network that does not have NAT applied to the network that does have NAT applied. To use access rules, networks must have knowledge of IP addresses in the other network. In this example, the Internal network is aware of addresses in the perimeter network, but clients in the perimeter network are not aware of addresses in the Internal network because NAT is applied. Instead, you would use Web publishing rules or server publishing rules to allow traffic from the perimeter network to the Internal network.
    • A route relationship is bidirectional. Defining a network rule with a route relationship between the Internal network and the perimeter network implicitly defines the same relationship from the perimeter network to the Internal network. You can use access rules, Web publishing rules, or server publishing rules to control traffic between networks linked with a route relationship.
    • Network rules are evaluated according to the order in which they appear in the network rules list. ISA Server evaluates traffic against the ordered network rules. ISA Server takes the first rule that applies to the specific traffic, and no further network rules are evaluated.
    • Route and NAT relationships are subject to stateful filtering and application layer inspection.
    • In some circumstances, protocol requirements may mean that traffic will need a route relationship instead of applying NAT, because there are protocols and applications that do not work through NAT.
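    Network-rule evaluation as described in Creating Network Rules and these guidelines (ordered rules, first match wins, route relationships bidirectional, NAT relationships unidirectional), as an added illustration that is not part of the original document or ISA Server's own code. The rule set is the one the 3-Leg Perimeter template creates, plus a constructed Internal-to-External NAT rule; the ISA Server adapter addresses and client addresses are assumptions.

```python
# Model of ISA Server network-rule evaluation: rules are checked in list order, the first match
# wins, a route relationship holds in both directions, a NAT relationship only source-to-destination.
# Added illustration, not ISA Server code; adapter addresses and the Internet Access rule are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class NetworkRule:
    name: str
    sources: frozenset
    destinations: frozenset
    relationship: str            # "route" or "nat"


THREE_LEG_RULES = (
    # Rules created by the 3-Leg Perimeter template (from the document).
    NetworkRule("Perimeter Access", frozenset({"Perimeter"}), frozenset({"External"}), "route"),
    NetworkRule("Perimeter Configuration", frozenset({"Internal", "VPN Clients"}), frozenset({"Perimeter"}), "nat"),
    # Constructed rule standing in for the usual Internal-to-External NAT relationship.
    NetworkRule("Internet Access (constructed)", frozenset({"Internal", "VPN Clients"}), frozenset({"External"}), "nat"),
)

# Constructed addresses of the ISA Server adapter attached to each network.
ISA_ADAPTER_IP = {"Internal": "192.168.1.1", "Perimeter": "172.16.0.1", "External": "203.0.113.2"}


def find_relationship(rules, src_net, dst_net) -> Optional[Tuple[str, str]]:
    """First rule that connects src_net to dst_net, or None when no network rule allows the pair."""
    if src_net == dst_net:
        return None                          # same-network traffic does not traverse ISA Server
    for rule in rules:
        forward = src_net in rule.sources and dst_net in rule.destinations
        reverse = src_net in rule.destinations and dst_net in rule.sources
        if forward or (reverse and rule.relationship == "route"):   # NAT is one-way, route is two-way
            return rule.name, rule.relationship
    return None


def address_seen_by_destination(rules, src_net, dst_net, client_ip):
    """Source address the destination host observes, or None when the networks are not connected."""
    match = find_relationship(rules, src_net, dst_net)
    if match is None:
        return None
    _, relationship = match
    return ISA_ADAPTER_IP[dst_net] if relationship == "nat" else client_ip


if __name__ == "__main__":
    pairs = (("Internal", "Perimeter"), ("Perimeter", "Internal"), ("Perimeter", "External"),
             ("External", "Perimeter"), ("Internal", "Internal"))
    for src, dst in pairs:
        print(src, "->", dst, find_relationship(THREE_LEG_RULES, src, dst),
              address_seen_by_destination(THREE_LEG_RULES, src, dst, "10.0.0.5"))
```

Perimeter-to-Internal yields no match because the only rule linking the two is NAT in the other direction, which is the case the first guideline says must be handled with publishing rules rather than access rules.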


    Using Network Objects in Access Rules

    After defining networks and network relationships, you can use them to specify source and destination in firewall policy rules. Use the following guidelines when creating rules:

    • ISA Server recognizes all addresses behind a specific network adapter as belonging to the same network. This includes any routed subnets on the network. With this design, you cannot use networks as a source or destination for access rules controlling traffic between hosts in the same network, because ISA Server will consider both source and destination as identical. Instead, you can define hosts in other network objects such as subnets, computers, and address ranges, and use those objects in access rules.
    • When you create access rules allowing Web access, note that Web requests from clients protected by ISA Server going through Web Proxy Filter are always subject to address translation, even if there is a route relationship between the source and destination network objects in the rule. The only way around this is to disable Web Proxy Filter for the client protocol being used. For more information about scenarios where this might be an issue, see Troubleshooting Web Proxy Traffic in ISA Server 2004 at the Microsoft TechNet Web site.




    Additional Information
    This section provides a description of predefined ISA Server networks, a description of network templates, and a link for additional resources.
    Predefined ISA Server Networks

    The following table describes predefined ISA Server networks.


    Network: Local Host
    Properties: Includes all IP addresses on all ISA Server network adapters. You do not need to explicitly define IP addresses on this network, because addresses are automatically added to this network when they are added to ISA Server adapters.
    Details: Cannot modify or delete.

    Network: Internal
    Properties: Represents the primary default protected network. By default following installation, ISA Server protects resources on the Internal network from all other networks except the Local Host network (the ISA Server computer). It is generally considered to contain trusted IP addresses. During installation, you specify an IP address range or select an adapter to add network adapter IP addresses to the Internal network. Following installation, you can create access rules to allow traffic from the default Internal network to access other networks, and publishing rules to allow external servers to access servers located on the Internal network.
    Details: Cannot delete. Can be modified.

    Network: External
    Properties: Includes all IP addresses not associated with any other network. Generally, represents the Internet.
    Details: Cannot directly modify or delete. Note that the definition of this network will change as other networks are defined, because it includes all IP addresses not associated with any other network.

    Network: VPN Clients
    Properties: Includes IP addresses of currently connected remote virtual private network (VPN) clients. The VPN Clients network and the Quarantined VPN Clients network are dynamically assigned in accordance with the IP addresses allocated to remote VPN clients at a specific time.
    Details: Cannot delete. Can be modified.

    Network: Quarantined VPN Clients
    Properties: Includes IP addresses of remote VPN clients currently held in quarantine.
    Details: Cannot delete. Can be modified.

    Network Templates

    ISA Server provides the following predefined network templates that you can apply:

    • Edge Firewall template. Sets up the basic configuration for deploying ISA Server at the edge of your network. You should have at least two network adapters available when applying this template, an internal adapter and an external adapter. The following network configuration will be applied:
      • A network rule that specifies a route relationship between the Internal network and the VPN Clients network.
      • The default Internal network IP address ranges that you specified during Setup.

    • 3-Leg Perimeter template. Sets up ISA Server with three or more network adapters, for the Internal network, the External network, and additional adapters for perimeter networks. After running this template, the following configuration will be applied:
      • A new network object, Perimeter.
      • A network rule, Perimeter Access, that specifies a route relationship between a perimeter network and the External network.
      • A network rule, Perimeter Configuration, that specifies a NAT relationship between the Internal network and the perimeter network, and the VPN Clients network and the perimeter network.

    • Front Firewall template. Sets up ISA Server in front of another firewall. It assumes that the network behind ISA Server is a perimeter network. The following network configuration will be applied:
      • No Internal network is defined; instead, a new network, Perimeter, is created.
      • A network rule, Perimeter Access, that specifies a route relationship between the perimeter network and the External network, and the VPN Clients network and the External network.

    • Back Firewall template. Sets up ISA Server between a perimeter network and the Internal network, with another firewall configured at the front end, possibly between the perimeter network and the External network. The following network configuration will be applied:
      • A network rule that specifies a route relationship between the Internal network and the VPN Clients network.
      • A network rule that specifies a NAT relationship between the Internal network and the External network, and the VPN Clients network and the External network.


    You can choose from a number of predefined firewall policies available for each network template. For more information, see information about each template in the topic Network Templates in ISA Server online Help.

    Resources

    Additional ISA Server 2004 documents are available at the ISA Server 2004 Guidance page.
