Network Load Balancing in ISA Server 2004 Enterprise Edition

Microsoft® Internet Security and Acceleration (ISA) Server 2004 Enterprise Edition introduces a multi-networking model, which allows you to configure how policy should be applied between multiple networks. With this multi-networking model, ISA Server integrates Network Load Balancing (NLB) functionality, so that you can balance the load across all the array members on one or more networks.

You can use ISA Server to configure and manage the NLB functionality of Microsoft Windows Server™ 2003 running on ISA Server arrays. When you configure NLB through ISA Server, NLB is integrated with ISA Server functionality. This provides important functionality that is not available in Windows NLB alone.

In addition, ISA Server monitors NLB configuration, and discontinues NLB on a particular computer as necessitated by its status. This prevents the continued functioning of NLB when the state of the computer does not allow the passage of traffic. For example, if there is a failure of the network adapter on the computer, or if you stop the Microsoft Firewall service, ISA Server stops NLB-directed traffic from passing through that computer. When the issue is resolved, ISA Server will again allow traffic to pass through that computer.

ISA Server NLB is based on the NLB features of Windows Server 2003. Follow the Windows Server 2003 capacity guidelines when deploying NLB for ISA Server. For more information, see Capacity Planning, at the Windows Server System Web site (https://www.microsoft.com).

ISA Server works with Windows NLB to automatically configure bidirectional affinity, and does so for multiple networks. This guarantees that traffic is handled in both directions by the same array server.

Note

For arrays with more than one member, and with more than one network adapter on each array member, you can configure ISA Server 2004 to work in integrated NLB mode. Alternatively, if integrated NLB mode is disabled, NLB can be configured for the operating system. In this mode, you have none of the specific benefits of ISA Server load balancing.

Benefits of Network Load Balancing

NLB provides high availability and scalability of servers using a cluster of up to 31 host computers working together. Clients access the cluster using either an Internet Protocol (IP) address or a set of addresses. The clients are unable to distinguish the cluster from a single server. Server applications do not identify that they are running in a cluster. However, an NLB cluster differs significantly from a single host running a single server application because it can provide uninterrupted service even if a cluster host fails. The cluster can also respond more quickly to client requests than a single host.

NLB delivers high availability by redirecting incoming network traffic to working cluster hosts if a host fails or is offline. Existing connections to an offline host are lost, but the services remain available. In most cases, client software automatically retries the failed connections, and the clients experience a delay of only a few seconds in receiving a response.

NLB delivers scaled performance by distributing the incoming network traffic among one or more virtual IP addresses (the cluster IP addresses) assigned to the NLB cluster. The hosts in the cluster then concurrently respond to different client requests.

NLB employs a fully distributed algorithm to statistically map incoming clients to the cluster hosts based on their IP address. When inspecting an arriving packet, all hosts simultaneously perform this mapping to quickly determine which host should handle the packet. Although the mapping changes when the number of hosts changes, NLB continues to maintain the existing TCP connection.

NLB also maintains existing Point-to-Point Tunneling Protocol (PPTP) and Internet Protocol security (IPsec) tunnel connections. This implies that in virtual private network (VPN) scenarios, even if the mapping changes when the number of hosts changes, NLB will continue to maintain the tunnel.

ISA Server integrates the benefits of NLB into the product. When integrated NLB is enabled, each network in an array can be configured as an NLB cluster. The NLB algorithm is applied to the network, so that the load is balanced across the NLB-enabled network. Because NLB is enabled per network, the array administrator can configure how a specific network is load balanced, depending on the functionality required and the deployment scenario.

Intra-Array Communication

When you use ISA Server integrated NLB, each computer running ISA Server services requires an additional network adapter, for intra-array communication. We recommend that these network adapters be physically connected to each other (for example, through a single switch), and not to other network segments, to ensure that they receive only intra-array communication. You should then configure intra-array communication to use the IP address of the new adapter on each server. The configuration procedures are described in the topic Configuring and Securing Intra-Array Communication in this document.

NLB Integration

Network Load Balancing (NLB) enables all cluster hosts on a single subnet to concurrently detect incoming network traffic for the cluster Internet Protocol (IP) addresses. On each cluster host, the NLB driver acts as a filter between the network adapter driver and the TCP/IP stack to distribute the traffic across the hosts. Microsoft Internet Security and Acceleration (ISA) Server 2004 takes over at this point, enabling NLB in complex deployment scenarios, including virtual private networking, Cache Array Routing Protocol (CARP), and Firewall Client.

By enabling integrated NLB mode on an array of ISA Server computers, you establish the framework for NLB configuration at the network level. ISA Server load balances traffic on a per-network basis. After you enable NLB on the specific networks that you want load balanced, ISA Server determines the adapter that will be used for that network. There is one adapter selected per network.

NLB Integration Modes

NLB configuration is enabled per array. Each array can be configured in one of these modes:

  • Integrated NLB. In this mode, you use ISA Server Management to configure NLB. This mode allows you to configure whether a specific network should be load balanced. In this mode, you have the benefits of integrated easy-to-manage configuration, array integrity maintenance, multi-networking, virtual private network (VPN) support, and troubleshooting information. The supported NLB configuration is unicast mode and single affinity.
  • Non-integrated NLB. In this mode, you use the Windows-based NLB tools to configure NLB.

By default, NLB integration is not enabled when you install ISA Server. For instructions on enabling NLB integration, see Enabling NLB Integration in this document.

After NLB is enabled for the array, you can configure NLB on the array-level networks. You can enable NLB on any physical Ethernet network. Do not enable NLB on networks that are not physically connected to the array. Specifically, we recommend that you enable NLB on all networks physically connected to the array (except for the intra-array network). For instructions, see Enabling NLB for a Network in this document.

When you enable NLB on a network, you specify the virtual IP address for that network. For instructions, see Configuring a Virtual IP Address for a Network in this document.

ISA Server performs stateful inspection on all traffic. For this reason, ISA Server works with Windows NLB to ensure that incoming and outgoing traffic for each session is handled by the same array member, which is what enables ISA Server to perform stateful inspection on that traffic.

NLB Deployment

Depending on the specific deployment scenario, Microsoft Internet Security and Acceleration (ISA) Server 2004 performs Network Load Balancing (NLB) differently.

NLB and Publishing

When you configure NLB for published servers, the network is load balanced according to the clients' addresses, rather than according to the server's address.

For example, suppose that you publish a server, which is located on an NLB-enabled network, to clients that are located on a different NLB-enabled network. When a client accesses the published server, the load is balanced according to the client's address, and not the server's address.

NLB and Remote Access VPN

When a remote access client initiates a VPN connection to an array, one of the array members establishes the VPN connection and allocates an Internet Protocol (IP) address for that client. From then on, all traffic for that remote client passes through that array member.

When using NLB, you should not create user-specific access rules for roaming VPN clients, that is, rules that allow access for a specific user. Because different ISA Server array computers may handle the connection to the client and the connection needed to service the request, the user’s credentials may not be forwarded, and the request will be denied. An exception to this is rules for Hypertext Transfer Protocol (HTTP), for which you can create user-specific access rules in an NLB scenario.

Configuration of remote access VPN connections is discussed in the document VPN Roaming Clients and Quarantine Control in ISA Server 2004 Enterprise Edition, at the ISA Server 2004 Guidance Web site (https://www.microsoft.com).

NLB and Site-to-Site VPN

When NLB is enabled on a remote site network, ISA Server automatically assigns one array member to handle the VPN tunnel. In this way, parallel tunnels between two sites are not created. The tunnel is re-created on another server if the assigned server fails for any reason.

Two arrays might communicate using site-to-site VPN tunnels. However, each site must know the dedicated IP address of the other site.

You can use the NLB functionality of ISA Server to configure and manage the NLB functionality of Windows Server 2003 running on ISA Server arrays.

In addition, the following is supported in integrated NLB mode, in a site-to-site VPN deployment:

  • Automatic routing of client requests to the array member that is hosting the VPN connection when the route destination (or default gateway) for these client requests is the virtual IP address.
  • If the server that owns a site-to-site VPN connection fails, ISA Server automatically shifts the connection to another ISA Server array member.

Be sure to consider the following requirements when configuring a VPN site-to-site network:

  • If you are using a multi-server ISA Server array, and plan on using NLB, you must use ISA Server integrated NLB. If you use Windows NLB, site-to-site connectivity will not be supported.
  • If you are not using ISA Server to provide NLB functionality, you must configure your corporate routers to make sure that traffic from clients assigned to a particular pool of a particular computer running ISA Server services is routed back through that server. If you do configure NLB on the ISA Server array that provides the static addresses, the routing of client traffic is handled automatically by ISA Server. In this case, configure your routers to use the ISA Server array’s virtual IP address for all static routes.
  • When you use ISA Server integrated NLB, it selects a server for each site-to-site connection, and provides failover protection for that connection. When NLB is enabled, NLB must be configured on the External network for site-to-site connections to function properly. In addition, NLB should be enabled on each network with which the remote site network has a route relationship.
  • In a multi-server ISA Server array, where NLB is enabled, we recommend that you do not install the Configuration Storage server on one of the array members. When a Configuration Storage server is installed on an array member, and that array member does not handle the site-to-site connection, the remote site will lose connectivity with the Configuration Storage server. Install the Configuration Storage server on a separate computer behind the ISA Server array.

Configuration of site-to-site VPN connections is described in the document Site-to-Site VPN in ISA Server 2004 Enterprise Edition, at the ISA Server 2004 Guidance Web site (https://www.microsoft.com).

Connection Owner

When a site-to-site connection is established with an array of ISA Server computers, only one array member is actually the connection owner. The connection owner is the VPN tunnel endpoint.

When NLB is enabled, ISA Server automatically assigns the connection owner. No additional configuration is required. ISA Server uses an algorithm to optimize the connection owner assignment, creating as balanced a network as possible. After a tunnel has been established, the server assigned as the connection owner does not change, even if other servers are added or removed. If the assigned connection owner becomes unavailable, ISA Server automatically passes the connection to another array member. In this way, ISA Server supports failover for VPN site-to-site connections.

When NLB is not enabled, you must assign a connection owner for the remote site network. If the connection owner becomes unavailable, there will be no connectivity to the remote site.

NLB Configuration

After you enable NLB integration for one network on an array, we recommend that you configure and enable NLB for each network in the array, except the intra-array network. The intra-array network is used for communication between array members and should not be load balanced.

When you enable a network for NLB, you specify its virtual IP address. You can monitor NLB for each array member, draining or stopping NLB on a specific array member, as appropriate.

Virtual IP Addresses

When you configure NLB for a network, you must specify one virtual IP address for the network. With NLB integration enabled, ISA Server modifies both the network properties and the TCP/IP properties of the network adapter.

The array members in the NLB-enabled network respond concurrently to different client requests. Each network adapter on each array member has a dedicated IP address. The dedicated IP address is actually the original primary IP address on the network adapter of the NLB-enabled network. In integrated NLB mode, each network adapter must have its own dedicated IP address.

The dedicated IP address and the virtual IP address must belong to the same subnet and have the same subnet mask.

Multiple virtual IP addresses

Using ISA Server Management, you can configure one virtual IP address for each load-balanced network. In some scenarios, you might want to have multiple virtual IP addresses. For example, consider a mail publishing scenario, where you may want to configure one virtual IP address on the External network for one mail server and a second virtual IP address for an additional mail server. To configure multiple virtual IP addresses, use the Windows-based IP properties.

You should configure the virtual IP addresses only after fully configuring NLB for that network. Similarly, be sure to remove the virtual IP addresses before you subsequently disable NLB on that network. Otherwise, the IP addresses may conflict.

Note

Additional virtual IP addresses should not be the same as any of the dedicated IP addresses of the array members.

Configuring multiple virtual IP addresses

You can add (one or more) additional virtual IP addresses by adding a static IP address to all the network adapters in the array facing the same network, using the TCP/IP properties for the network adapters. While the first address for the network adapter is a dedicated IP address (and different for each network adapter), and the second is the virtual IP address (and the same for all the network adapters), any additional IP addresses are considered by NLB to be additional virtual IP addresses.
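The addressing rules in this section can be checked before they are typed into ISA Server Management. The following is an added example, not Microsoft code: it validates a planned array against the rules stated above (same subnet and mask for virtual and dedicated addresses, additional virtual addresses distinct from dedicated ones, no load balancing on the intra-array network) and the host ID range given under Host IDs. The plan layout, rule names, member names and addresses are all constructed for illustration.

```python
import ipaddress

HOST_IDS = range(2, 33)  # host ID range stated on the page: 2-32


def check_array_plan(plan):
    """Return a list of (rule, detail) findings for a planned NLB array."""
    findings = []
    members = plan["members"]

    # Host IDs must be unique per array member and inside the allowed range.
    seen_ids = {}
    for m in members:
        if m["host_id"] not in HOST_IDS:
            findings.append(("HOST_ID_RANGE", m["name"]))
        if m["host_id"] in seen_ids:
            findings.append(("HOST_ID_CONFLICT",
                             f"{seen_ids[m['host_id']]}, {m['name']}"))
        seen_ids.setdefault(m["host_id"], m["name"])

    for net_name, net in plan["networks"].items():
        if net_name == plan["intra_array_network"]:
            # The intra-array network carries member-to-member traffic only.
            if net.get("nlb"):
                findings.append(("INTRA_ARRAY_NLB", net_name))
            continue
        if not net.get("nlb"):
            continue

        vip = ipaddress.ip_interface(f"{net['vip']}/{net['mask']}")
        extra_vips = {ipaddress.ip_address(a) for a in net.get("extra_vips", [])}
        seen_dips = set()
        for m in members:
            adapter = m["adapters"].get(net_name)
            if adapter is None:
                findings.append(("NO_ADAPTER", f"{m['name']} on {net_name}"))
                continue
            dip = ipaddress.ip_interface(f"{adapter['ip']}/{adapter['mask']}")
            # Same subnet and same mask: comparing the networks covers both.
            if dip.network != vip.network:
                findings.append(("SUBNET_MISMATCH", f"{m['name']} on {net_name}"))
            # Each adapter needs its own dedicated address, distinct from the VIP.
            if dip.ip in seen_dips or dip.ip == vip.ip:
                findings.append(("DIP_NOT_DEDICATED", f"{m['name']} on {net_name}"))
            # Additional virtual addresses must not reuse a dedicated address.
            if dip.ip in extra_vips:
                findings.append(("EXTRA_VIP_IS_DIP", f"{dip.ip} on {net_name}"))
            seen_dips.add(dip.ip)
    return findings


def sample_plan():
    """Constructed two-member array; every name and address is made up."""
    def adapters(last_octet):
        return {
            "External": {"ip": f"192.0.2.{last_octet}", "mask": "255.255.255.0"},
            "Internal": {"ip": f"10.0.0.{last_octet}", "mask": "255.255.255.0"},
            "IntraArray": {"ip": f"172.16.0.{last_octet}", "mask": "255.255.255.0"},
        }
    return {
        "intra_array_network": "IntraArray",
        "networks": {
            "External": {"nlb": True, "vip": "192.0.2.10", "mask": "255.255.255.0",
                         "extra_vips": ["192.0.2.11"]},
            "Internal": {"nlb": True, "vip": "10.0.0.1", "mask": "255.255.255.0"},
            "IntraArray": {"nlb": False},
        },
        "members": [
            {"name": "ISA-1", "host_id": 2, "adapters": adapters(21)},
            {"name": "ISA-2", "host_id": 3, "adapters": adapters(22)},
        ],
    }


def broken_plan():
    """The sample plan with four constructed mistakes introduced."""
    plan = sample_plan()
    plan["networks"]["IntraArray"]["nlb"] = True           # must not be balanced
    plan["members"][1]["host_id"] = 2                      # collides with ISA-1
    plan["members"][1]["adapters"]["Internal"]["mask"] = "255.255.0.0"
    plan["members"][0]["adapters"]["External"]["ip"] = "192.0.2.11"  # an extra VIP
    return plan


if __name__ == "__main__":
    for rule, detail in check_array_plan(broken_plan()):
        print(f"{rule}: {detail}")
```
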

Bidirectional Affinity

ISA Server always enables bidirectional affinity. In some cases, single affinity does not provide sufficient functionality. For example, you can configure a server publishing rule that is publishing an internal server located behind an NLB cluster. In this scenario, NLB can be configured on both the external interface facing the Internet and the internal interface facing the published servers. Because the internal published servers are configured as SecureNAT clients, they must use the shared IP address for the NLB cluster as their default gateway. However, NLB has to ensure that the response from the published server is always routed to the same ISA Server computer that handled the request from the Internet client because this is the only ISA Server computer in the cluster that has the security context for that particular session. ISA Server enables this functionality by using bidirectional affinity.

ISA Server extends the concept of bidirectional affinity, enabling NLB between more than two networks. Consider, for example, a scenario with three NLB-enabled networks: Internal, perimeter, and External. Requests from Internal to perimeter will be handled by the same array member on both networks. If the request from the Internal network to the External network passes through the perimeter network, the request will also be handled by the same array member.
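The publishing scenario above can be modeled in a few lines. This is an added example, not ISA Server or Windows NLB code: it is a simplified model in which every array member applies the same deterministic mapping to an address, and it counts how many sessions would have their request and response handled by different members with and without bidirectional affinity. The SHA-256 mapping is a stand-in for the real NLB hash, keying the server-facing adapter on the destination address is this model's assumption for how the guarantee is obtained, and the member names and addresses are constructed.

```python
import hashlib
import ipaddress
from collections import Counter

MEMBERS = ["ISA-1", "ISA-2", "ISA-3"]                  # constructed member names
PUBLISHED_SERVER = "10.0.0.25"                         # constructed internal server
CLIENTS = [f"198.51.100.{n}" for n in range(1, 201)]   # constructed Internet clients


def owner(ip, members):
    """Map an address to one member.

    Every member runs the same deterministic function on the same address,
    so all of them reach the same answer without exchanging messages.
    SHA-256 is a stand-in; it is not the hash Windows NLB uses.
    """
    digest = hashlib.sha256(ipaddress.ip_address(ip).packed).digest()
    return members[int.from_bytes(digest[:4], "big") % len(members)]


def session_members(client_ip, server_ip, members, bidirectional):
    """Return (member accepting the request, member accepting the response)."""
    request = {"src": client_ip, "dst": server_ip}    # arrives on the External adapter
    response = {"src": server_ip, "dst": client_ip}   # arrives on the Internal adapter

    # The External adapter balances on the client's (source) address.
    inbound = owner(request["src"], members)

    # Without bidirectional affinity the Internal adapter also keys on the
    # source, which is now the published server. With it, the model keys on
    # the destination, so both directions are keyed on the client address.
    key = response["dst"] if bidirectional else response["src"]
    return inbound, owner(key, members)


def split_sessions(clients, server_ip, members, bidirectional):
    """Clients whose request and response would land on different members."""
    split = []
    for client in clients:
        inbound, outbound = session_members(client, server_ip, members, bidirectional)
        if inbound != outbound:
            split.append(client)
    return split


def load_per_member(clients, members):
    """How the client-address mapping spreads sessions across the array."""
    return Counter(owner(c, members) for c in clients)


if __name__ == "__main__":
    print("load by client address:", dict(load_per_member(CLIENTS, MEMBERS)))
    for mode in (False, True):
        broken = split_sessions(CLIENTS, PUBLISHED_SERVER, MEMBERS, mode)
        print(f"bidirectional={mode}: {len(broken)} of {len(CLIENTS)} sessions split")
```

A split session is one where the member receiving the response never saw the request, so it holds no state for that session and stateful inspection cannot match the packet.
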

Host IDs

During installation, ISA Server assigns a persistent, unique host ID (in the range of 2–32) to each array member. This host ID is used to uniquely identify the server in storage, for NLB configuration.

The host ID value should not be changed, unless an alert is issued in Event Viewer indicating that a conflict has occurred in host ID assignment. In these circumstances, modify the host ID for a server as follows:

  1. In the console tree of ISA Server Management, expand the array node, expand Configuration, and then click Servers.

  2. In the details pane, right-click the required server, and then click Properties.

  3. In Host ID, click the drop-down list and select one of the unallocated host IDs.

  4. Click OK, and in the details pane of ISA Server Management, click Apply to apply the change.

    Note

    If the Microsoft Firewall service did not start, and you have modified the host ID to resolve a host ID conflict, manually restart the Firewall service after modifying the host ID and applying the change.

Unattended setup

If you run unattended setup, you can specify a HostID property. If no value is specified, a host ID is automatically assigned to the server.

If an invalid host ID value is specified in the .ini file during unattended setup, or there is a conflict in the automatically allocated host ID, Setup will complete but the Microsoft Firewall service will not start, and an alert will be generated. Check Event Viewer for more information.

Export/Import

In some export/import configurations, a host ID may be automatically generated during the export process. If this host ID causes a conflict during the import process, the import process will succeed but the Microsoft Firewall service will not start, and an alert will be generated. After the import, check Event Viewer for more information.

Configuring NLB When Joining a Server to an Array

When you set up ISA Server and join the server to an existing array, ISA Server enables NLB integration for this new array member if NLB is enabled for the entire array. However, you may not want the NLB service to start automatically when installation completes, for the following reasons:

  • You might want to review the new array member configuration before joining it to the NLB cluster. Thereafter, you can start the NLB service on that array member.
  • In some cases, existing client connections may be affected when a new array member joins the NLB cluster. For this reason, you might want to schedule starting NLB on the new array member only when there is relatively little network activity.

To ensure that ISA Server does not automatically start NLB on the new array member, create a batch file that runs the single command nlb suspend in a loop. Run this batch file when you install the new array member.

When NLB is configured on the new array member (after Setup completes, and while the batch file is still running), the NLB status is Suspended. To join this array member to the NLB cluster, start the NLB service, as described in Starting or Stopping a Service in this document.

Stopping and Starting NLB

In integrated NLB mode, ISA Server checks that all the servers in the NLB cluster are fully operational and that the traffic can flow appropriately through the various networks. Further, in integrated NLB mode, ISA Server is responsible for ensuring either that all NLB clusters are operational or that no NLB clusters are operational.

If NLB is not functioning on one network on a server, ISA Server will stop NLB on all the networks on this server. When the server becomes available, ISA Server adds it back to the array. Specifically, ISA Server determines that an array member is available for NLB clustering when the following is true:

  • ISA Server computer is available.
  • Microsoft Firewall service is running.
  • NLB is running on all network adapters.
  • A network adapter can be assigned for each NLB-enabled network.
  • On each server, NLB is configured to start only when the Firewall service on that server is running.

In integrated NLB mode, NLB can have the following status:

  • Not configured. This status indicates that there are no NLB-enabled networks.
  • Configuring. This status indicates that ISA Server is currently configuring the array member.
  • Running. This status indicates that NLB is running on the specific array member server. The server will be subject to the NLB algorithm for load balancing.
  • Draining and Stopping. This status indicates that only active connections will be served by this array member. When load balancing all future connections to the array, this server will not be included in the NLB algorithm. Note that when you drain or stop an array member, the status will always indicate Draining and Stopping.
  • Stopped. This status indicates that no connections are served by this array member.
  • Stopped due to a local problem. This status indicates that ISA Server cannot configure NLB, either due to a misconfiguration, or due to an error that occurred when previously configuring NLB.
  • Stopped due to a VPN problem. This status indicates that NLB was stopped because Routing and Remote Access is not responding or because no address pool is configured for the array member.
  • Suspended. This status indicates that NLB is stopped and will remain stopped even if ISA Server or the ISA Server computer is restarted.

Appendix A: Procedures

This appendix includes the following procedures:

  • Configuring a Virtual IP Address for a Network
  • Enabling NLB Integration
  • Enabling NLB for a Network
  • Disabling NLB Integration
  • Draining NLB
  • Configuring and Securing Intra-Array Communication

Configuring a Virtual IP Address for a Network

To configure a virtual Internet Protocol (IP) address for a network, follow these steps:

  1. In the console tree of ISA Server Management, expand the array node, expand Configuration, and click Networks.

  2. In the details pane, click the Networks tab, and then click the applicable network.

  3. In the task pane, on the Tasks tab, click Edit Selected Network.

  4. On the NLB tab, in Virtual IP, type a virtual IP address to use for this network.

  5. In Mask, type the 32-bit value for the subnet mask of the specified virtual IP address.

    Note

    Network Load Balancing (NLB) cannot be configured for enterprise-level networks and for the following default array-level networks: Local Host, Quarantined VPN Clients, and VPN Clients.
    When a virtual IP address is configured for a network, ISA Server adds the specified IP address to a network adapter on each server, and updates the routing table for that network adapter accordingly.
    The combination of the virtual IP address and mask must yield the same subnet as the combination of the IP address and mask of the adapter in the network. The virtual IP address must belong to the network.

Enabling NLB Integration

To enable Network Load Balancing (NLB) integration, follow these steps:

  1. In the console tree of ISA Server Management, expand the array node, expand Configuration, and click Networks.

  2. In the details pane, click the Networks tab, and then click the applicable network.

  3. In the task pane, on the Tasks tab, click Enable Network Load Balancing Integration.

  4. Follow the on-screen instructions.

    Note

    NLB should be enabled for the External network only if the external network adapters of the ISA Server array are directly connected to the Internet, and not if they access the Internet through another network.
    When a virtual IP address is configured for a network, ISA Server adds the specified IP address to a network adapter on each server, and updates the routing table for that network adapter accordingly.
    The combination of the virtual IP address and mask must yield the same subnet as the combination of the IP address and mask of the adapter in the network. The virtual IP address must belong to the network.
    When you enable or disable integrated NLB mode, all array members must be restarted.

Enabling NLB for a Network

To enable Network Load Balancing (NLB) for a network, follow these steps:

  1. In the console tree of ISA Server Management, expand the array node, expand Configuration, and click Networks.

  2. In the details pane, click the Networks tab, and then click the applicable network.

  3. In the task pane, on the Tasks tab, click Edit Selected Network.

  4. On the NLB tab, select Enable load balancing on this network.

  5. In Virtual IP, type a virtual IP address to use for this network.

  6. In Mask, type the 32-bit value for the subnet mask of the specified virtual IP address.

    Note

    Integrated NLB mode must be enabled to configure NLB for a network. For instructions, see Enabling NLB Integration in this document.
    NLB cannot be configured for enterprise-level networks and for the following default array-level networks: Local Host, Quarantined VPN Clients, and VPN Clients.
    NLB should be enabled for the External network only if it is physically connected to the network.
    When a virtual IP address is configured for a network, ISA Server adds the specified IP address to a network adapter on each server, and updates the routing table for that network adapter accordingly.
    The combination of the virtual IP address and mask must yield the same subnet as the combination of the IP address and mask of the adapter in the network. The virtual IP address must belong to the network.

Disabling NLB Integration

To disable Network Load Balancing (NLB) integration, follow these steps:

  1. In the console tree of ISA Server Management, expand the array node, expand Configuration, and click Networks.

  2. In the details pane, click the Networks tab, and then click the applicable network.

  3. In the task pane, on the Tasks tab, click Disable Network Load Balancing Integration.

  4. Follow the on-screen instructions.

    Important

    When you enable or disable integrated NLB mode, all array members must be restarted.
    To disable NLB completely, first disable NLB for each network. For instructions, see Enabling NLB for a Network in this document. Then, apply changes and verify that the changes were applied to each array member. Finally, disable NLB integration.
    When you configure integrated NLB mode, Windows Server 2003 NLB settings are modified. When you uninstall ISA Server, the NLB configuration is reconfigured as follows:
      • The network adapters are still bound to NLB.
      • ISA Server does not uninstall the NLB network service, even if it was installed by ISA Server.

Draining NLB

To drain Network Load Balancing (NLB), follow these steps:

  1. In the console tree of ISA Server Management, expand the array node, and click Monitoring.

  2. In the details pane, click the Services tab.

  3. Select NLB on the applicable array member (server).

  4. In the task pane, on the Tasks tab, click Drain and Stop Selected Service to initiate draining and stop the selected service, or click Stop Selected Service to stop the selected service without draining.

    Note

    This task is available only when the status of NLB is Running.
    When you drain NLB on a server, only active connections will be served by this array member. For all future connections to the array, this server will not be included in the NLB algorithm.

Starting or Stopping a Service

To start or stop a service, follow these steps:

  1. In the console tree of ISA Server Management, expand the array node, and click Monitoring.

  2. In the details pane, click the Services tab.

  3. Select the applicable service: Microsoft Data Engine, Microsoft Firewall service, or Microsoft ISA Server Job Scheduler service.

  4. In the task pane, on the Tasks tab, click Start Selected Service to start the selected service, or click Stop Selected Service to stop the selected service.

    Note

    If the service is already stopped, Stop Selected Service will not be available on the Tasks tab.

Configuring and Securing Intra-Array Communication

As part of the installation process, an intra-array address is assigned to the array member. This address is set by default to an IP address on the Internal network. However, in a multi-server array, a dedicated network adapter is required on each array member for intra-array communication in Network Load Balancing (NLB) deployments. Furthermore, a dedicated network adapter provides enhanced security in other deployment scenarios, by isolating the network from malicious traffic.

The dedicated network adapter should use a dedicated hub or a virtual LAN, to help further secure the intra-array communication.

After you install a dedicated network adapter, perform the following steps, which are described in this document:

  • Specify the IP address of this network adapter to be used for intra-array communication. For instructions, see Configuring the Intra-Array Address.
  • Create a dedicated array-level network, which should include each array member’s intra-array address. For instructions, see Creating an Array-Level Network. When you create the network, specify its type as Internal.
  • On the network you created, configure the following:
    • Enable Web Proxy clients. For instructions, see Enabling Web Proxy Clients.
    • Disable Firewall client support. For instructions, see Disabling Firewall Client Support.

Configuring the Intra-Array Address

To configure the intra-array address, follow these steps:

  1. In the console tree of ISA Server Management, expand the array node, expand Configuration, and click Servers.

  2. In the details pane, select the applicable server.

  3. In the task pane, on the Tasks tab, click Configure Selected Server.

  4. On the Communication tab, in Use this IP address for communication between array members, select the IP address on the server to use for intra-array communication.

    Note

    When you reconfigure the intra-array address, the new address is added to the Array Servers computer set.

Creating an Array-Level Network

To create an array-level network, follow these steps:

  1. In the console tree of ISA Server Management, expand the array node, expand Configuration, and click Networks.
  2. In the details pane, select the Networks tab.
  3. In the task pane, on the Tasks tab, click Create a New Network.
  4. When the New Network Wizard starts, follow the on-screen instructions.

Enabling Web Proxy Clients

To listen for Web Proxy client requests, follow these steps:

  1. In the console tree of ISA Server Management, expand the array node, expand Configuration, and click Networks.

  2. In the details pane, click the Networks tab and select the applicable network.

  3. In the task pane, on the Tasks tab, click Edit Selected Network.

  4. On the Web Proxy tab, click Enable Web Proxy clients.

    Note

    Web Proxy client properties cannot be configured for the following built-in networks: External, Quarantined VPN Clients, and VPN Clients.

Disabling Firewall Client Support

To disable Firewall client support, follow these steps:

  1. In the console tree of ISA Server Management, expand the array node, expand Configuration, and click Networks.

  2. In the details pane, click the Networks tab and select the applicable network.

  3. In the task pane, on the Tasks tab, click Edit Selected Network.

  4. On the Firewall Client tab, clear Enable Firewall client support for this network.

    Note

    Firewall Client properties cannot be configured for the following built-in networks: External, Quarantined VPN Clients, and VPN Clients.
    If Internet Protocol security (IPsec) transport mode is enabled for a network, functionality for Firewall clients in that network may be impaired. If Firewall clients in the network do not behave as expected, disable IP routing.

Additional Information

Additional ISA Server 2004 documents are available on the ISA Server 2004 Guidance page (https://www.microsoft.com).