• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

IP Routing problem

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Firewall] >> General >> IP Routing problem Page: [1]
Login
Message << Older Topic   Newer Topic >>
IP Routing problem - 16.Oct.2006 3:25:08 AM   
vankampenp

 

Posts: 40
Joined: 29.Jun.2004
From: Netherlands
Status: offline
Lately, I have been having several problems.
a) Certain HTTPs sites were only accessible when configuring the ISA server as proxy
b) MSN Messenger did not connect

About a) I noticed that the routing of the return packages were denied by ISA Server when not using ISA server as a proxy.

I now switched off "IP Routing", and the mentioned problems are now solved.
Post #: 1
RE: IP Routing problem - 17.Oct.2006 7:59:11 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Vankamp,

Are you seeing a performance hit by disabling IP Routing?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to vankampenp)
Post #: 2
RE: IP Routing problem - 17.Oct.2006 9:26:54 AM   
vankampenp

 

Posts: 40
Joined: 29.Jun.2004
From: Netherlands
Status: offline
Not really, but it is a few small community web sites, so the system is far over dimensioned, so I did not expect to see a difference.

I had enabled IP routing, because the IP Routing tab in "Configure IP protection" says: "IP Routing allows ISA Server to route IP packets in kernel mode and improve performance." However, the help text says

Important
  • Although IP routing improves performance, disabling IP routing is considered more secure. When IP routing is disabled, ISA Server sends only the data (and not the entire packet) to the destination.


There seems to be a problem (at least on my server) with https travel when using IP routing as mentioned in http://forums.isaserver.org/m_2002014255/mpage_1/key_/tm.htm#2002014255.
When sending https traffic to some sites, these try to respond directly to a port on the sending PC, rather than a port on the ISA server. Naturaly this traffic is denied:

Client IP     Source  Destination        Prot  Action   
192.168.0.120 3017    145.72.84.9 443    HTTPS Initiated Connection 
145.72.84.9   443     192.168.0.120 3017 Unid IP Traffic Denied Connection 


When IP Routing is disabled, I get the following log:

Client IP     Source  Destination     Prot  Action   
192.168.0.120 3141    145.72.84.9 443 HTTPS Initiated Connection 
192.168.0.120 3142    145.72.84.9 443 HTTPS Initiated Connection 


Kind regards

Pieter

< Message edited by vankampenp -- 17.Oct.2006 9:37:41 AM >

(in reply to tshinder)
Post #: 3
RE: IP Routing problem - 18.Oct.2006 7:00:17 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Pieter,

Very interesting. I've never seen this before, but will keep my eye out for it.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to vankampenp)
Post #: 4
RE: IP Routing problem - 18.Oct.2006 9:38:20 AM   
vankampenp

 

Posts: 40
Joined: 29.Jun.2004
From: Netherlands
Status: offline
One last remark, the error only occurs when I configure IE to NOT use a proxy server. If IE is using ISA Server as a proxy server, the routing does not originate from inside the Internal network, but directly from local host.

You (Tom) are mostly using the firewall client, so I assume you will not see this.

Pieter

(in reply to tshinder)
Post #: 5
RE: IP Routing problem - 19.Oct.2006 11:19:46 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Pieter,

I always configure my clients as both Web proxy and Firewall clients, because the Web proxy has better performance for Web connections.

Though for problematic sites, I configure them for Direct Access, so that the Web proxy configuration is bypassed.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to vankampenp)
Post #: 6

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Firewall] >> General >> IP Routing problem Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts