Welcome to ISAserver.org
IP Routing problem
IP Routing problem - 16.Oct.2006 3:25:08 AM
vankampenp
Posts: 40
Joined: 29.Jun.2004
From: Netherlands
Status: offline
Lately, I have been having several problems.
a) Certain HTTPS sites were only accessible when configuring the ISA server as proxy
b) MSN Messenger did not connect
About a) I noticed that the routing of the return packages was denied by ISA Server when not using ISA server as a proxy. I now switched off "IP Routing", and the mentioned problems are now solved.
RE: IP Routing problem - 17.Oct.2006 9:26:54 AM
vankampenp
Posts: 40
Joined: 29.Jun.2004
From: Netherlands
Status: offline
Not really, but it is a few small community web sites, so the system is far over dimensioned, so I did not expect to see a difference. I had enabled IP routing, because the IP Routing tab in "Configure IP protection" says: "IP Routing allows ISA Server to route IP packets in kernel mode and improve performance." However, the help text says:
Important - Although IP routing improves performance, disabling IP routing is considered more secure. When IP routing is disabled, ISA Server sends only the data (and not the entire packet) to the destination.
There seems to be a problem (at least on my server) with https travel when using IP routing as mentioned in http://forums.isaserver.org/m_2002014255/mpage_1/key_/tm.htm#2002014255. When sending https traffic to some sites, these try to respond directly to a port on the sending PC, rather than a port on the ISA server. Naturally this traffic is denied:
Client IP Source Destination Prot Action
192.168.0.120 3017 145.72.84.9 443 HTTPS Initiated Connection
145.72.84.9 443 192.168.0.120 3017 Unid IP Traffic Denied Connection
When IP Routing is disabled, I get the following log:
Client IP Source Destination Prot Action
192.168.0.120 3141 145.72.84.9 443 HTTPS Initiated Connection
192.168.0.120 3142 145.72.84.9 443 HTTPS Initiated Connection
Kind regards
Pieter
< Message edited by vankampenp -- 17.Oct.2006 9:37:41 AM >
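The pattern in the log rows quoted in the post above (an initiated connection followed by a denied packet whose address and port pairs are exactly reversed) can be found mechanically in exported log text. The following is an added example, not part of the thread or of ISA Server; the regex is an assumption based on the rows as quoted, and the last sample line is constructed.

```python
import re
from typing import NamedTuple

# Row layout as quoted in the post: src IP, src port, dst IP, dst port,
# protocol, action. This regex is an assumption about that flattened text,
# not the ISA Server log file format.
ROW = re.compile(r"^(\S+) (\d+) (\S+) (\d+) (.+?) (Initiated|Denied) Connection$")

class Row(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    action: str

def parse(line):
    m = ROW.match(line.strip())
    if not m:
        return None  # header or unrecognised line
    src, sport, dst, dport, proto, action = m.groups()
    return Row(src, int(sport), dst, int(dport), proto, action)

def denied_replies(lines):
    """Return (outbound, denied) pairs where the denied row is the exact
    reverse of an earlier initiated connection."""
    initiated, pairs = {}, []
    for row in filter(None, map(parse, lines)):
        if row.action == "Initiated":
            initiated[(row.src, row.sport, row.dst, row.dport)] = row
        else:
            out = initiated.get((row.dst, row.dport, row.src, row.sport))
            if out is not None:
                pairs.append((out, row))
    return pairs

# The first three lines are the rows quoted in the post; the last one is
# constructed to show a denial that answers no outbound connection.
SAMPLE = [
    "Client IP Source Destination Prot Action",
    "192.168.0.120 3017 145.72.84.9 443 HTTPS Initiated Connection",
    "145.72.84.9 443 192.168.0.120 3017 Unid IP Traffic Denied Connection",
    "203.0.113.7 4444 192.168.0.120 3389 Unid IP Traffic Denied Connection",
]

if __name__ == "__main__":
    for out, denied in denied_replies(SAMPLE):
        print(f"reply denied: {denied.src}:{denied.sport} -> "
              f"{denied.dst}:{denied.dport} answers {out.proto} from {out.src}:{out.sport}")
```

A denied row that matches an earlier outbound connection points at return-path handling on the firewall; one that matches nothing is unsolicited inbound traffic and is expected to be dropped.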
RE: IP Routing problem - 18.Oct.2006 9:38:20 AM
vankampenp
Posts: 40
Joined: 29.Jun.2004
From: Netherlands
Status: offline
One last remark, the error only occurs when I configure IE to NOT use a proxy server. If IE is using ISA Server as a proxy server, the routing does not originate from inside the Internal network, but directly from local host. You (Tom) are mostly using the firewall client, so I assume you will not see this.
Pieter
RE: IP Routing problem - 19.Oct.2006 11:19:46 AM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Pieter,
I always configure my clients as both Web proxy and Firewall clients, because the Web proxy has better performance for Web connections. Though for problematic sites, I configure them for Direct Access, so that the Web proxy configuration is bypassed.
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8