Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

An IPSec policy is not applied to internal translated network traffic when you use ISA Server 2004


View products that this article applies to.

Symptoms

When you use Microsoft Internet Security and Acceleration (ISA) Server 2004 to perform network address translation (NAT), an Internet Protocol security (IPSec) policy that is set through Group Policy is not applied to traffic after the traffic is translated. For example, IPSec policy is not applied in the following scenario:
1.There is an IPSec policy defined for traffic between an internal host and the ISA Server 2004-based computer that is performing NAT.
2. Traffic from an external host or a virtual private network (VPN) client is received by the ISA Server 2004-based computer, and is then translated by using NAT before it is sent to the internal host.
In this scenario, the traffic that is sent from the ISA Server 2004-based computer to the internal host has no IPSec encapsulation.

↑ Back to the top


Cause

This issue occurs if all the following conditions are true:
Your ISA Server 2004-based computer is configured to perform NAT.
The IPSec policy applies to internal traffic.
IP routing is enabled on your ISA Server 2004-based computer. Therefore, connections through ISA Server 2004 are subject to the kernel mode data pump process.
In this scenario, because of the underlying architecture of IPSec and of network address translation, the translated traffic is not processed by the IPSec driver.

↑ Back to the top


Workaround

To work around this issue, disable IP routing on your ISA Server 2004-based computer. To disable IP routing, follow these steps:

Note If you disable IP routing, ISA Server 2004 performance may decrease.
1.Start the ISA Server Management tool. To do this, click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
2. Expand your ISA Server 2004-based computer name, expand Configuration, and then click General.
3.Under Additional Security Policy, click Define IP Preferences.
4.Click the IP Routing tab.
5.Click to clear the Enable IP routing check box, click Apply, and then click OK.
6.Click Apply to save your changes and to update the configuration.

↑ Back to the top


Keywords: KB886995, kbprb, kbfirewall, kbtshoot

↑ Back to the top

Article Info
Article ID : 886995
Revision : 1
Created on : 11/7/2004
Published on : 11/7/2004
Exists online : False
Views : 292