Troubleshooting Network Configuration in ISA Server 2004
Microsoft Internet Security and Acceleration (ISA) Server 2004 introduces a multi-networking model that allows you to control traffic between internal and external networks, and within your organization, by means of firewall policy rules. You define network objects in ISA Server Management, and configure relationships to specify whether traffic should be routed between them, or have network address translation (NAT) applied. Network objects you define are used as source and destination elements in access rules you configure to specify what traffic is allowed or denied between networks in your infrastructure. The general process can be summarized as follows:
Create network objects, or modify ISA Server predefined network objects. Network objects you can define include networks (a range of Internet Protocol (IP) addresses), network sets (set of networks), computers, computer sets, address ranges (set of contiguous IP addresses), subnets, Uniform Resource Locator (URL) sets, and domain name sets.
Create network rules to configure how traffic is passed between networks in your organization. ISA Server checks network rules to determine whether source and destination networks are allowed to connect, and if so, whether traffic requests should be routed or have NAT applied.
Create firewall policy rules to expose traffic between networks to stateful filtering and application layer traffic inspection. Traffic is allowed or denied based on the parameters in the rules you create.
For more information about configuring ISA Server networks, see Best Practices for Configuring Networks in ISA Server 2004 at the ISA Server Configuration and Administration Web site.
This document describes a number of common issues you might encounter when configuring networks in ISA Server 2004, and provides recommendations for problem solving or workarounds.
Problem: The Local Host network (ISA Server computer) is configured to allow Web Proxy client requests, and traffic is allowed to the External network, but internal clients have no Internet access.
Cause: The Local Host network represents the ISA Server computer. To allow internal clients Internet access, you must allow traffic between the network in which the clients are located (usually the Internal network) and the External network. Following installation, there is a predefined system policy rule allowing the Local Host network to connect to all networks. No such default rule exists to allow traffic from the Internal network.
Solution: Configure an access rule to allow Hypertext Transfer Protocol (HTTP) access from the network in which clients are located (usually the Internal network) to the External network. Then enable Web proxy access on the network.
Problem: After installing ISA Server 2004 on a computer running Microsoft Windows Small Business Server 2003 (Windows SBS) server software, communication from internal networks does not work as expected.
Cause: By default following installation, ISA Server 2004 blocks all traffic to and from the ISA Server computer. The ISA Server computer is represented by the Local Host network.
Solution: Create access rules to allow traffic from the Internal network to the ISA Server computer (Local Host network), and vice versa.
Problem: Multiple external connections to the Internet are needed for ISA Server. For example, you need to use one Internet connection for sending mail only, and you need a separate external connection to the Internet for user browsing.
Cause: ISA Server does not support configuring multiple connections on the External network adapter.
Solution: No workaround. There are a number of third-party products that may provide a solution. For more information, see High Availability and Load Balancing on the Partners page at the ISA Server Web site.
Problem: A client computer protected by ISA Server sends traffic to another internal computer, and ISA Server drops the traffic. This may not occur with User Datagram Protocol (UDP) and Internet Control Message Protocol (ICMP) traffic.
Cause: This issue may occur when packets in one direction go through a route that does not involve ISA Server, and packets in the other direction go through ISA Server. This is illustrated in the following scenario:
There is a remote subnet behind the Internal network, and the remote subnet is separated from the ISA Server computer by a router.
A client computer on the remote subnet sends a packet to a client computer on the Internal network. Traffic is forwarded directly to the computer on the Internal network.
The client in the Internal network responds, and the packet is routed through ISA Server because this computer has the IP address of the ISA Server Internal network defined as its default gateway.
ISA Server has no route back to the remote subnet. It does not see the source IP address as valid, and this triggers the spoof response.
This is illustrated in Figure 1.
Figure 1: Communication session
Solution: You can use either of the following methods to work around this issue:
Create persistent static routes on the local internal hosts for all remote internal subnets. For example, if your network is configured as illustrated in Figure 1, follow these steps on the computer where the IP address is 10.0.0.3:
Click Start, click Run, type cmd, and then click OK.
Type route -p add 192.168.0.0 mask 255.255.255.0 10.0.0.2, and then press ENTER.
Specify the local routers as the default gateway for computers located on the same subnet as the ISA Server internal interface. If you want to support requests from SecureNAT clients in the remote subnet or local subnet, specify the internal ISA Server interface as the default gateway of the router.
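The following script is an added illustration, not part of this document or of ISA Server: it models the hosts in Figure 1 with tiny longest-prefix-match routing tables and traces the request and the reply separately, which makes the asymmetry visible. The request from the remote subnet reaches 10.0.0.3 through the router without touching ISA Server, while the reply follows the client's default gateway to ISA Server, which has no route back to the remote subnet. Applying the route -p add command from the first workaround to the client's table moves the reply onto the router path. The router (10.0.0.2) and client (10.0.0.3) addresses are the document's; the ISA Server internal address (10.0.0.1), the router's remote-side address (192.168.0.1) and the remote client (192.168.0.10) are assumptions made for the example, and "stops at ISA Server" here simply means no matching route, not a model of the spoof-detection logic itself.

```python
import copy
import ipaddress

# Constructed addresses matching Figure 1 in the text. 10.0.0.2 (router) and
# 10.0.0.3 (internal client) come from the document; 10.0.0.1 for the ISA Server
# internal adapter, 192.168.0.1 for the router's remote-side interface and
# 192.168.0.10 for the remote client are assumptions made for this illustration.
ADDRESSES = {
    "10.0.0.1": "isa",
    "10.0.0.2": "router",
    "192.168.0.1": "router",
    "10.0.0.3": "internal_client",
    "192.168.0.10": "remote_client",
}

# Per-host routing tables as (prefix, next hop). "direct" means on-link delivery;
# otherwise the next hop is a gateway address resolved through ADDRESSES.
BEFORE = {
    "remote_client":   [("192.168.0.0/24", "direct"), ("0.0.0.0/0", "192.168.0.1")],
    "router":          [("192.168.0.0/24", "direct"), ("10.0.0.0/24", "direct"),
                        ("0.0.0.0/0", "10.0.0.1")],
    "internal_client": [("10.0.0.0/24", "direct"), ("0.0.0.0/0", "10.0.0.1")],
    # As in the text, ISA Server has no route back to the remote subnet.
    "isa":             [("10.0.0.0/24", "direct")],
}


def next_hop(route_table, dst):
    """Longest-prefix match: the gateway address, "direct", or None when no route matches."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in route_table:
        net = ipaddress.ip_network(prefix, strict=False)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return None if best is None else best[1]


def trace(hosts, src_host, dst):
    """Follow a packet hop by hop. Returns (list of host names visited, delivered?)."""
    path, current = [src_host], src_host
    for _ in range(8):                      # guard against routing loops
        hop = next_hop(hosts[current], dst)
        if hop is None:                     # no route: the packet goes no further
            return path, False
        if hop == "direct":
            path.append(ADDRESSES[dst])
            return path, True
        current = ADDRESSES[hop]
        path.append(current)
    return path, False


def add_static_route(hosts, host, destination, mask, gateway):
    """Model of 'route -p add <destination> mask <mask> <gateway>' run on one host."""
    updated = copy.deepcopy(hosts)
    prefix = str(ipaddress.ip_network(f"{destination}/{mask}", strict=False))
    updated[host].append((prefix, gateway))
    return updated


def session_paths(hosts):
    """Request path (remote client -> 10.0.0.3) and reply path (10.0.0.3 -> remote client)."""
    request, _ = trace(hosts, "remote_client", "10.0.0.3")
    reply, delivered = trace(hosts, "internal_client", "192.168.0.10")
    return request, reply, delivered


if __name__ == "__main__":
    after = add_static_route(BEFORE, "internal_client",
                             "192.168.0.0", "255.255.255.0", "10.0.0.2")
    for label, hosts in (("before", BEFORE), ("after", after)):
        request, reply, delivered = session_paths(hosts)
        print(f"{label}: request {' -> '.join(request)}; reply {' -> '.join(reply)}"
              f"{'' if delivered else ' (stops at ISA Server, no route back)'}")
```

Running the script prints the two traces; the before case shows ISA Server appearing only on the reply path, which is the one-directional view that the text describes as the trigger for the spoof response.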
Problem: ISA Server responds with the following IP spoofing message:
Event 15108: ISA Server detected a spoof attack from Internet Protocol (IP) address IP_address, when trying to access a network resource.
This event might also appear:
Event 14147: ISA Server detected routes through network adapter adapter_name that do not correlate with the network element to which this adapter belongs.
Cause: One of the most common causes of this issue is that two network adapters are associated with the same network. When you define IP address ranges for a network, ISA Server checks all network adapters. When an adapter with an IP address in a network's range is found, the adapter is associated with that network.
In a network that has a subnet accessible by ISA Server through routers, ISA Server checks whether the subnet ranges are also included in a network object definition. If you define a separate network object for such a subnet, ISA Server will try to locate an adapter with an IP address in that network object's range, and fail. ISA Server then assumes that the adapter is not available (disconnected or disabled), and sets the network object status to disconnected.
Solution: For a specific solution to event 15108, see the Knowledge Base article 840681, "Attempts to access published resources are logged as spoof attacks with event ID 15108 in ISA Server 2000." In addition, follow these best practices when defining your network configuration in ISA Server:
Include all network ranges for subnets in a network object's properties. (For example, if your Internal network includes routed subnets, include the IP addresses of the remote subnets in the IP address definition of the Internal network.)
If you need to create access rules between routed subnets not associated with a network adapter, create subnet objects on the Toolbox tab in ISA Server Management. Then create access rules using these objects as source or destination networks.
Problem: ISA Server is logging Event 14147: ISA Server detected routes through adapter adapter_name that do not correlate with the network element to which this adapter belongs. The address ranges in conflict are: ip_range.
This indicates that routes not associated with a network object were detected.
Cause: ISA Server uses the route table and route entries associated with a network interface to understand the network topology. This event is issued when there is a mismatch between the routing table and the IP address ranges associated with an ISA Server network object.
Solution: Troubleshoot this issue by checking the following:
Check that the same IP addresses are not configured in more than one network.
Verify that the IP address range is configured correctly for the network object. You can reconfigure the network object by removing the IP address ranges associated with it, and then using Add Adapter to select the specific adapter you want to associate with the network.
If IP addresses are not configured correctly after using Add Adapter, check that the routing table is configured correctly. In particular, if there are any remote subnets connected to the network associated with the adapter, check the following:
Static routes are defined to reach the remote subnet.
The ISA Server network definition includes the IP address range of the remote subnet.
For more information, see the Knowledge Base article 884496, "Client computers cannot access external resources, and event ID 14147 appears in the Application log in ISA Server 2004."
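The checks listed above for events 14147 and 15108 can be scripted against an exported view of the configuration. The following is an added example, not ISA Server code and not from this document's author: it models each network object as an adapter plus its address ranges, reports ranges that appear in two network objects (the same overlap check that the routed-subnet, perimeter and VPN problems later in this document ask for), reports routes whose destination is not covered by the network object of the adapter they use (the mismatch behind event 14147), and applies the documented event 15108 rule as an assumed model: a packet whose source address does not belong to the network associated with the adapter it arrived on is treated as spoofed. The adapter names, the perimeter ranges, the route entries and the sample addresses are all constructed for the example; the External network is modelled as implicit (everything not assigned to another object), which is how ISA Server 2004 defines it.

```python
import ipaddress

# Constructed ISA Server configuration for this illustration. Adapter names, the
# 172.16.0.0/24 perimeter range, the stray 10.0.0.200-10.0.0.250 range and the
# route entries are assumptions chosen to reproduce the two mistakes the text
# describes: a routed remote subnet (192.168.0.0/24) missing from the Internal
# network definition, and one address range defined in two network objects.
NETWORKS = {
    # External is implicit in ISA Server 2004 (every address not assigned to
    # another network object), so it carries no explicit ranges here.
    "External":  {"adapter": "WAN", "ranges": None},
    "Internal":  {"adapter": "LAN", "ranges": ["10.0.0.0-10.0.0.255"]},
    "Perimeter": {"adapter": "DMZ", "ranges": ["172.16.0.0/24", "10.0.0.200-10.0.0.250"]},
}

# Routing table of the ISA Server computer as (destination, adapter). The default
# route is left out because it always points out the External adapter.
ROUTES = [
    ("10.0.0.0/24", "LAN"),
    ("192.168.0.0/24", "LAN"),    # remote subnet reached through a router on LAN
    ("172.16.0.0/24", "DMZ"),
]


def to_intervals(ranges):
    """Turn 'a-b' and CIDR strings into (first, last) integer address pairs."""
    out = []
    for r in ranges or []:
        if "-" in r:
            lo, hi = (int(ipaddress.ip_address(x.strip())) for x in r.split("-"))
        else:
            net = ipaddress.ip_network(r, strict=False)
            lo, hi = int(net.network_address), int(net.broadcast_address)
        out.append((lo, hi))
    return out


def covered(intervals, lo, hi):
    """True if every address in lo..hi falls inside the (merged) intervals."""
    merged = []
    for a, b in sorted(intervals):
        if merged and a <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], b))
        else:
            merged.append((a, b))
    return any(a <= lo and hi <= b for a, b in merged)


def overlapping_networks(networks):
    """Pairs of network objects that share addresses (the first check under event 14147)."""
    names = [n for n in networks if networks[n]["ranges"] is not None]
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for lo1, hi1 in to_intervals(networks[a]["ranges"]):
                for lo2, hi2 in to_intervals(networks[b]["ranges"]):
                    lo, hi = max(lo1, lo2), min(hi1, hi2)
                    if lo <= hi:
                        found.append((a, b, f"{ipaddress.ip_address(lo)}-{ipaddress.ip_address(hi)}"))
    return found


def uncorrelated_routes(networks, routes):
    """Routes whose destination does not belong to the network of their adapter (event 14147)."""
    by_adapter = {obj["adapter"]: name for name, obj in networks.items()}
    explicit = [iv for obj in networks.values() for iv in to_intervals(obj["ranges"])]
    conflicts = []
    for dest, adapter in routes:
        net = ipaddress.ip_network(dest, strict=False)
        lo, hi = int(net.network_address), int(net.broadcast_address)
        name = by_adapter[adapter]
        if networks[name]["ranges"] is None:
            # A route out the External adapter must not lead to addresses that
            # an explicit network object claims.
            ok = not any(max(lo, a) <= min(hi, b) for a, b in explicit)
        else:
            ok = covered(to_intervals(networks[name]["ranges"]), lo, hi)
        if not ok:
            conflicts.append((dest, adapter, name))
    return conflicts


def network_for(networks, ip):
    """Name of the explicit network object containing ip, else the implicit External."""
    addr = int(ipaddress.ip_address(ip))
    for name, obj in networks.items():
        if any(lo <= addr <= hi for lo, hi in to_intervals(obj["ranges"])):
            return name
    return next(n for n, obj in networks.items() if obj["ranges"] is None)


def is_spoofed(networks, arrival_adapter, src_ip):
    """Assumed model of the event 15108 check: a packet's source address must
    belong to the network associated with the adapter it arrived on."""
    return networks[network_for(networks, src_ip)]["adapter"] != arrival_adapter


def add_range(networks, name, rng):
    """Copy of networks with rng added to the named network object's definition."""
    fixed = {n: {"adapter": o["adapter"],
                 "ranges": None if o["ranges"] is None else list(o["ranges"])}
             for n, o in networks.items()}
    fixed[name]["ranges"].append(rng)
    return fixed


if __name__ == "__main__":
    print("overlapping definitions:", overlapping_networks(NETWORKS))
    print("routes not matching a network object:", uncorrelated_routes(NETWORKS, ROUTES))
    print("192.168.0.5 arriving on LAN flagged:", is_spoofed(NETWORKS, "LAN", "192.168.0.5"))
    fixed = add_range(NETWORKS, "Internal", "192.168.0.0/24")
    print("after adding the remote subnet to Internal:",
          uncorrelated_routes(fixed, ROUTES), is_spoofed(fixed, "LAN", "192.168.0.5"))
```

Before the fix the script reports the 192.168.0.0/24 route through the LAN adapter as uncorrelated and flags a source of 192.168.0.5 on that adapter; after the remote subnet's range is added to the Internal definition, as the solution above recommends, both findings clear, while the Internal/Perimeter overlap remains until the duplicated range is removed from one of the two objects.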
Problem: Intra-domain communication is not configured between networks so that a Web server (member of internal domain) in the perimeter network can contact the domain controller situated in the Internal network.
Cause: Network rules and access rules need to be configured between the perimeter network and other network objects to allow access.
Solution: To enable the perimeter Web server to contact a domain controller in the Internal network, configure the following:
A network rule specifying a route relationship between the two networks.
An access rule with the Web server in the perimeter network as the source network, and the domain controller in the Internal network as the destination network.
For more information, see the following:
Allowing Intradomain Communications through the ISA Firewall (2004) at the ISAServer.org Web site
Knowledge Base article 179442, "How to configure a firewall for domains and trusts"
Knowledge Base article 274438, "Cannot Use Kerberos Trust Relationships Between Two Forests in Windows 2000"
Windows Server 2003 Trust Enhancements at the Microsoft TechNet Web site
Problem: Outgoing e-mail messages through ISA Server are rejected.
Cause: When applying NAT to client requests to remote destinations, ISA Server calculates the IP address of the adapter to be used based on the TCP/IP routing mechanism (routing table). The address chosen is the same address that would be used if ISA Server tried to create a connection (for example, a TCP connection) with the server downstream. Generally, this is the primary IP address, where the primary IP address is the first address bound to the adapter interface (the default IP address). All other addresses are secondary. This may be problematic in some Simple Mail Transfer Protocol (SMTP) scenarios. When receiving mail, servers do a reverse lookup before accepting mail. E-mail messages may be rejected if the primary IP address cannot be located in a mail exchanger (MX) record for the domain. This can occur when you have multiple mail servers with different MX records registered.
Note that this issue does not affect mail sent by Internet mail servers to your domain. In this case, a mail server doing a lookup finds the MX record and the external IP address on which SMTP is published. The e-mail message arrives at the ISA Server computer and is forwarded to the mail server.
Solution: Where there is a NAT relationship defined between networks, there is no workaround. You cannot configure one-to-one NAT as you can in server publishing. Instead, you must assign the IP address on the MX record as the primary IP address on the external network adapter. As an alternative, you can configure a route relationship between the mail servers and the External network, if appropriate. Remember that in a route relationship, internal IP addresses are not hidden as they are in a NAT relationship.
Problem: Server publishing is not working when ISA Server is installed with a single network adapter.
Cause: Server publishing is not supported when ISA Server is configured with a single network adapter. In this configuration, ISA Server recognizes only the Internal network. There is no separation of Internal and External networks, and ISA Server cannot provide the NAT functionality required in a server publishing scenario.
Solution: Use Web publishing rules where appropriate, or install another network adapter.
For a discussion of best practices, supported scenarios, and limitations when running ISA Server with a single network adapter, see Configuring ISA Server 2004 on a Computer with a Single Network Adapter at the Microsoft TechNet Web site. See also ISA Server online Help.
Problem: Internal clients are denied access to the Internet by the default deny rule, even though network rules and access rules are configured between the Internal and External networks to allow access.
Cause: ISA Server with a single network adapter recognizes only the Internal network.
Solution: If ISA Server is installed on a single adapter computer, ensure the following:
Apply the Single Network Adapter network template. You can apply templates from the Networks tab of the Configuration node in ISA Server Management.
Define access rules with the Internal network as both the source and the destination.
Problem: The ISA Server computer has a single adapter, and you want to use some ISA Server features that require another adapter.
Cause: More than one adapter is needed.
Solution: Physically add other adapters, and then run the suitable template wizard. For example, if you have added an additional network adapter, you can configure ISA Server with the Edge Firewall network template, the Front Firewall network template, or the Back Firewall network template. If you have added two additional network adapters to set up a perimeter scenario, you can configure the 3-Leg Perimeter network template. For more information, see the topic Network Templates in ISA Server online Help.
Problem: Network rules with a route relationship are configured and access rules allow traffic, but traffic is not routed between two network objects, and PING fails.
Cause: This may occur if network rules are incorrectly configured, or IP addresses are not defined properly for network objects.
Solution: Check the following:
Check that a network rule exists between the two objects and is correctly configured.
Ensure that the IP addresses defined in the network objects between which you want to route are not included in definitions of any other network objects.
Ensure that the network object contains the addresses of all remote subnets that can be reached from the adapter associated with the network object.
Check hardware configuration and settings.
Problem: ISA Server cannot obtain a Dynamic Host Configuration Protocol (DHCP)-assigned IP address on the external interface.
Cause: ISA Server uses system policy rules to control traffic from the ISA Server computer (Local Host network). If DHCP traffic is not enabled, ISA Server will not be able to obtain a DHCP-assigned IP address.
Solution: Enable the DHCP system policy rule: Allow DHCP replies from DHCP servers to ISA Server. You can specify the External network in the rule or, preferably, the specific IP address of the external DHCP server. For more information, see the Knowledge Base article 841141, "The external network adapter on your ISA Server 2004 computer cannot obtain a valid IP address from a DHCP server."
Problem: Internal clients cannot obtain a DHCP address. The DHCP server is located with ISA Server.
Cause: The Internal network object does not include the broadcast address from the Internal network IP address range.
Solution: Add the broadcast address to the Internal network definition. Ensure that there is a protocol and rule allowing DHCP requests and replies for the Local Host and Internal networks. For more information about locating DHCP with ISA Server, see Configuring the ISA Server Computer as a DHCP Server at the Microsoft TechNet Web site.
Problem: Clients located in a perimeter network cannot access resources in the Internal network or browse the Web through ISA Server.
Cause: This is caused by incorrect or missing settings, including: network definitions, network rules, access rules, or client configuration.
Solution: Troubleshoot this issue as follows:
Check the definition of the perimeter network. Ensure that the perimeter network does not contain IP addresses that are defined in other networks.
Verify that network rules are configured correctly. A typical configuration would be a NAT relationship between the perimeter network and the External network, and a route relationship between the perimeter network and the Internal network. For more information about configuring network rules, see Best Practices for Configuring Networks in ISA Server 2004 at the ISA Server Configuration and Administration Web site.
Check that access rules allowing traffic are correctly defined.
You can apply the 3-Leg Perimeter network template to configure network rules and firewall policy that typically correspond with a perimeter scenario, and then modify them as required. Note that when you apply a network template, any access rules you have defined will be overwritten. For more information, see the topic 3-Leg Perimeter network template in ISA Server online Help.
Problem: To allow access from only a narrow range of IP addresses, a custom External network was defined. Now users from that External network cannot use a virtual private network (VPN) to access ISA Server. Users from the predefined External network can use a VPN successfully.
Cause: Creating a custom External network for which ISA Server does not have an associated network adapter is not a valid configuration.
Solution: Do not create another External network. To limit access to certain Internet sites, define IP addresses as an address range and use these address range network objects as the rule destination in access rules. For a suggested solution, see Excluding Specific Addresses from VPN Source Networks in ISA Server 2004 at the Microsoft TechNet Web site.
Problem: You have ISA Server installed on a computer with two network adapters. Your infrastructure consists of four subnets connected by routers on the Internal network. You have created networks for each subnet, but traffic is not flowing between ISA Server and some of the networks.
Cause: All IP addresses behind an ISA Server network adapter are considered part of the same network. So even if you have routed subnets, ISA Server treats them as a single network. You should only create ISA Server networks for interfaces connected to ISA Server. (The only exception to this is networks representing remote VPN sites.)
Solution: Remove the network objects you have defined for any routed subnets. Add the IP address ranges for these subnets into the Internal network definition. If you require access rules to control traffic between the Internal network and these remote subnets, create a subnet network object and use this as an access rule element. You can create network objects on the Toolbox tab of the Firewall Policy node in ISA Server Management. The other alternative is to add additional network adapters to the ISA Server computer.
Problem: The Layer Two Tunneling Protocol (L2TP) connection is connected, but no traffic is flowing through the VPN tunnel.
Cause: There may be overlapping static routes.
Solution: Check the following:
Check that static routes are configured correctly in the routing table.
Check the remote network configuration. The IP address range of the remote VPN site network should not overlap with ISA Server network definitions.
Check the relationship between VPN sites. When two-way communication is required between VPN networks, establish a route relationship, because a NAT relationship is one way. However, you can enable communications by defining a route relationship on one of the VPN networks and a NAT relationship on the other. If computers communicating across the networks have public IP addresses, a route relationship can be created without concern about address duplication, because public IP addresses are unique. Where computers have private IP addresses, there is a risk of duplicate addresses.
Check that access rules controlling traffic to and from the remote network are configured as required.
For more information about configuring site-to-site VPN connections, see Site-to-Site VPN in ISA Server 2004 at the Microsoft TechNet Web site.
Problem: You have created a perimeter network, but clients in the perimeter network cannot communicate as expected.
Cause: Only two network adapters are installed on the ISA Server computer. ISA Server requires a separate physical interface for each network. You cannot split the external network adapter address range between the perimeter and External network.
Solution: Add another network adapter to the computer so that each ISA Server network only maps to a single network adapter.