Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Clients cannot use a remote ISA Server 2004-based computer for a Web proxy over an ISA Server 2004 site-to-site VPN connection


View products that this article applies to.

Symptoms

Consider the following scenario: You have a head office site and a branch office site, with a Microsoft Internet Security and Acceleration (ISA) Server 2004-based computer in each site. The sites are connected by an ISA Server 2004 site-to-site virtual private network (VPN). The VPN tunnel uses Point-to-Point Tunneling Protocol (PPTP).

You want the clients that are behind the ISA Server 2004 computer in the branch office site to use the ISA Server 2004-based computer in the head office as their Web proxy server. Therefore, the proxy requests would travel through the VPN tunnel to the ISA Server computer that is located in the head office, and then travel out to the Internet. You may want to do this because of cost considerations if Internet access is less expensive from the head office site, or if you want to monitor Internet usage from a single location.

If you try to set up this scenario, it does not work correctly. Clients in the branch office cannot access the Internet if Microsoft Internet Explorer is configured to use the ISA Server 2004-based computer in the head office as the Web proxy server. If you perform a Network Monitor trace, the trace output shows a three-way handshake over the VPN interface from a client in the branch office site to the ISA Server 2004-based computer in the head office site. However, when the client sends the GET requests, the ISA Server 2004-based computer in the head office site prematurely ends the session with a Transmission Control Protocol (TCP) reset packet.

↑ Back to the top


Cause

This problem occurs because in this scenario, where the requests from the client come from the tunnel interface and not the internal network adaptor, ISA Server 2004 network address translation (NAT) does not handle the VPN tunnel interface correctly.

↑ Back to the top


Workaround

To work around this problem, follow these steps:
1.Install a caching-only Web proxy server in the head office site.
2.Configure the ISA Server clients in the branch office site to use the caching-only server in the head office site for their Web proxy server.
Note You can configure the caching-only server to chain upstream to your main head office ISA Server 2004-based computer. This takes advantage of the cache that the main ISA Server 2004-based computer already contains. For more information about how to configure Web chaining rules, view the "Web chaining rules" topic in ISA Server 2004 Help.

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top


Keywords: KB891195, kbisaserv2004stdsp1fix, kbpending, kbfirewall, kbbug, kbtshoot

↑ Back to the top

Article Info
Article ID : 891195
Revision : 3
Created on : 3/17/2005
Published on : 3/17/2005
Exists online : False
Views : 326