Understanding the ISA Server 2000 Local Address Table

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Updated : October 10, 2003

On This Page

Overview
Concepts and Procedures
Scenarios
Additional Useful Information
Summary

Overview

The Microsoft® Internet Security and Acceleration (ISA) Server local address table (LAT) is a table of all IP address ranges in the internal network protected by the ISA Server computer. The LAT is configured during installation and can be modified using ISA Management after Setup is complete.

ISA Server uses the LAT to define "trusted" computers on the internal network. Anything not in the LAT is considered external and "untrusted" by ISA Server. An incorrectly configured LAT can result in the following:

• If the LAT incorrectly contains IP addresses associated with the external network adapter of the ISA Server, those external addresses will be treated as if they are part of your internal network, and they can access internal network resources, compromising your firewall security settings.

• If the LAT does not contain the entire range of IP addresses in your internal network, internal client requests may not be handled properly. For example, when an internal client makes a request to an internal computer that is not defined in the LAT, ISA Server will route the request to the Internet or redirect through the Firewall service, because any computer not in the LAT is considered to be an external resource.

This paper describes how to construct the LAT during Setup. It also details special considerations, depending on your network configuration and the type of clients supported by ISA Server.

Concepts and Procedures

This section includes:

• Constructing the LAT

• ISA Server clients and the LAT

Constructing the LAT

During Setup, you can either manually enter the internal IP address ranges to be included in the LAT, or select that ISA Server should construct the LAT automatically, based on the Windows Routing Table.

To enter IP address ranges during Setup, on the Setup page with the heading Enter the IP address ranges that span the internal network address space, do one of the following:

To configure the LAT manually

1. Type a start address in From, and an end address in To, and then click Add.

2. Repeat this process to enter all IP address ranges you want to include in the LAT.

To configure the LAT automatically

1. Click Table.

2. To include the IP address ranges defined by IANA for private use, select Add the following private ranges. These private IP address ranges are never used on the Internet, and can be securely included in your LAT.

3. To construct the LAT from information contained in the Windows routing table, select Add address ranges based on the Windows 2000 routing table.

4. In Select the address ranges that are associated with the following internal network adapters, select the internal network adapters whose address ranges you want to place in the LAT. Note that the address range associated with the adapter used for your external network should not be selected for inclusion in the LAT.

After Setup, you can modify the LAT from ISA Management, as follows:

1. In ISA Management, click to expand the Network Configuration node, and then click Local Address Table (LAT). In the details pane, you will see a range of IP addresses that define the internal network.

2. To add an additional address or set of addresses, right-click the Local Address Table (LAT) folder, click New, and then click LAT Entry.

3. Enter the range of IP addresses in the From and To fields. If you want to define individual servers, type the same IP address in both fields.

4. Provide a Description for the entry if required, and then click OK.

Special Considerations

When constructing the LAT, consider the following:

• When you construct the LAT manually, specifying an overlapping range of IP addresses is not recommended, and may cause unpredictable performance.

• You cannot specify a duplicate range when constructing the LAT manually. For more information, see article 279928 "Error Message: ISA Server Cannot Save the Properties. The IP Range Already Exists in the Local Address Table", in the Microsoft Knowledge Base.

• When constructing the LAT automatically from the Windows routing table, ensure that the table is first configured correctly. Any incorrect or incomplete information in the routing table will be duplicated in the LAT.

• In a complex internal network that consists of multiple networks on different subnets with routers connecting them, ensure that all subnets are included in the LAT. Otherwise, internal clients on the missing subnets will be considered as external and therefore untrusted. When constructing the LAT automatically, add subnets to the Windows routing table using the Route utility, or using a dynamic routing protocol such as Routing Information Protocol (RIP).

• A default gateway should never be set on the internal interface of the ISA Server computer. Instead, in a complex network, create static routes for your internal network, to provide ISA Server with a persistent path to reach all subnets. Use the Route utility to create these routes. The simplest way to do this is to define a classless route that includes all subnets on the ISA Server computer. Classless routing consolidates multiple subnet addresses that share the same high-order bits into one logical network. The subnet mask is shortened to take bits away from the network portion of the address and add them to the host portion. For example:

  Class C Network Addresses

  NET199.199.5.0(1100 0111.1100 0111.0000 0101.0000 0000)

  NET199.199.6.0(1100 0111.1100 0111.0000 0110.0000.0000)

  NET199.199.7.0(1100 0111.1100 0111.0000 1100.0000.0000)

  MASK255.255.252.0 (1111 1111.1111 1111.1111 1100.0000 0000)

  For routing, only the bits covered by the subnet mask are used, and all these addresses appear to be part of the same network for routing purposes. Most routers support classless routing. Use the route -p command to make the entry persistent between computer restarts.

ISA Server Clients and the LAT

This section includes:

• Firewall clients

• SecureNAT clients

Firewall Clients

The Firewall client uses the LAT together with the Local Domain Table (LDT) to determine whether requests made by Winsock applications are external and should be sent to the ISA Server computer, or internal and sent directly to a computer in the LAT. The LDT contains the names of all the domains on the internal network served by ISA Server and should not contain external domain names.

Both the LAT and the LDT are maintained centrally on the ISA Server. During the Setup installation of the Firewall client component, a copy of each table is installed on the client computer. The LAT is in the Msplat.txt file, and the LDT is in the Mspclnt.ini Firewall client configuration file. These files are automatically updated on client computers by a control channel, every 6 hours by default or when the client computer restarts. You can also force a refresh by clicking Update Now in the Firewall Client Options dialog box on the client computer.

Because ISA Server overwrites the Msplat.txt file at regular intervals with a fresh version downloaded from the server, any changes you make at the client are lost each time the file is updated. To avoid this, use a text editor to create a custom client LAT file named Locallat.txt and place it in the client computer’s Firewall Client folder. You can add additional IP address ranges that the client recognizes as part of the internal network. In the following example, the first entry is an IP address range and the second entry is a second IP address (not a subnet mask):

• 10.51.0.010.51.255.255

• 10.52.144.10310.52.144.103

The Firewall client deals with IP requests as follows:

• When a Winsock application on the client computer tries to connect to an IP address, the Firewall client examines the LDT to determine whether the IP address is on the internal network or external to the network. If the domain name is found in the LDT, name resolution is completed by the client. Otherwise, the client requests that ISA Server resolve the name on its behalf by passing the request to an external DNS server.

• After name resolution returns the IP address of the destination server, the Firewall client checks the LAT and Locallat.txt to determine whether the address is local. For internal addresses, the client connects directly. Otherwise, the request goes through the Firewall service on the ISA Server computer.

SecureNAT Clients

SecureNAT clients do not use the LAT to distinguish between internal and external computers. Instead, requests for external resources are made by ISA Server on behalf of the SecureNAT client. In a simple network with no routers configured between the client and ISA Server, the SecureNAT client’s default gateway setting is set to the default IP address of the ISA Server internal network adapter, either manually in the TCP/IP settings for each client, or automatically using DHCP.

In a complex network with routers between the SecureNAT client and the ISA Server internal adapter, this technique is not applicable. Instead, SecureNAT clients need some routing mechanism to get requests to the ISA Server. The default gateway of the SecureNAT client should be set to the IP address of the router in the local subnet, and each router in the chain to the ISA Server should provide the shortest route to the ISA Server internal adapter. Note that the router nearest to the ISA Server must be configured to route Internet traffic to the internal adapter interface, and routers should not be configured to discard packets destined for addresses outside the internal network.

Scenarios

This section includes the following scenarios:

• Configuring the LAT in a three-homed perimeter network

• Configuring the LAT in a back-to-back perimeter network

• Configuring the LAT in a VPN

Configuring the LAT in a Three-Homed Perimeter Network

In a three-homed perimeter network (also known as DMZ, demilitarized zone, and screened subnet), the ISA Server computer is set up with three network adapters:

• One network adapter connects to the internal network.

• The second network adapter connects to the network servers in the perimeter network.

• The third network adapter connects to the Internet.

• In such a scenario, the computers in the perimeter network are configured with public IP addresses and are not trusted as part of the internal network. These public IP addresses should not be included in the ISA Server LAT. Packets are routed from the external network to the perimeter network, and these routed packets are not subject to ISA Server access rules. Instead, packet filtering and IP routing should be enabled.

Configuring the LAT in a Back-To-Back Perimeter Network

In a back-to-back perimeter network configuration, an ISA Server (configured in Firewall or Integrated mode) is located on each side of the perimeter network. One server (ISASERVER1) is located between the Internal network and the perimeter network. The second server (ISASERVER2) is located between the perimeter network and the external network (Internet).

In such a scenario, the LAT on ISASERVER1 should contain the IP addresses of the internal network. The LAT on ISASERVER2 should contain the external IP address of ISASERVER1, and the IP addresses of all servers in the perimeter network.

In this configuration, the servers in the perimeter network could contain public IP addresses, or private IP addresses. If the perimeter network contains private IP addresses, access policy rules will be applied. Note however that even if the perimeter network contains private IP addresses, it is not trusted as part of the internal network, and its private IP addresses will not be part of the LAT in ISASERVER1. If the perimeter network contains public IP addresses, access policy rules are not applied — traffic is routed, and IP routing and packet filtering should be enabled.

Configuring the LAT in a VPN

Virtual private network (VPN) connections allow organizations to have routed connections with other organizations over a public network such as the Internet while maintaining secure communications. For example, VPN connections can be used to connect offices that are geographically separate. A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link. For example, you might set up a gateway-to-gateway VPN tunnel between your organization’s main headquarters and branch offices.

You run the Local VPN Wizard on the ISA Server on the local network, and the Remote VPN Wizard on the ISA Server on the remote network. When a computer on the local network communicates with a computer on the remote network, data is encapsulated and sent through the VPN tunnel.

When you run the Local VPN Wizard, you specify the following IP address ranges:

• A range of IP addresses on the remote internal network, accessible to local VPN clients. A static route containing this address range is created automatically. This range should be in the LAT of the remote computer.

• A range of IP addresses on the local internal network that will be available to VPN clients on the remote network. You can choose from the entire LAT and remove addresses that you do not want to be made available to VPN clients from the remote network. Then, when you run the Remote VPN Wizard to configure the remote VPN endpoint, a static route will be created automatically using the addresses you have specified.

In addition, note the following:

• All networks that can be reached by a gateway-to-gateway VPN connection must be available in the LAT, because they effectively act together as a single network. In a client-to-gateway VPN scenario, only the client computer becomes part of the network to which it connects.

• Any addresses assigned to VPN clients should be in the LAT ranges.

Additional Useful Information

This section includes:

• Common LAT errors and events

• Using the Route command-line utility

Common LAT Errors and Events

The following list outlines some common ISA Server errors and events related to the LAT.

Error When you modify the LAT or delete a LAT entry, you receive one of more of the following error messages:

ISA Server cannot save the properties (Error: 0x80040376)

ISA Server cannot delete the object (Error: 0x80040376. The IP address IP_address is an internal address on a Publishing server. The server publishing rule Rule_Name forwards client requests to this IP address.

Cause This error is caused when you attempt to delete a LAT entry that is in use in a server publishing rule.

Workaround Either delete the server publishing rule, or ensure that the LAT includes the IP address of the published server. For more information, see article 250293, "ISA Server Error Message 'Cannot Save Modifications to LAT' Is Displayed", in the Microsoft Knowledge Base.
Error When you modify the LAT, you may receive the following error message:

ISA Server cannot save the properties. (Error 0x80040340. The IP range already exists in the LAT)

Cause This error is caused if you attempt to enter an exact duplication of a current LAT entry. The use of overlapping entries in the LAT is not recommended and may cause unpredictable performance. Duplication of an entry in the To and From IP range is not permitted.

Workaround Do not enter duplicate IP ranges, and avoid entering overlapping ranges where possible. For more information, see article 279928, "Error Message: ISA Server Cannot Save the Properties. The IP Range Already Exists in the Local Address Table", in the Microsoft Knowledge Base.
Error When you configure the LAT in an array installation, you receive the following error message when you try to connect to the array in ISA Management:

ISA Error. The operation failed.. (Error 0x8007203a). The server is not operational.

Cause This error is caused when you accidentally configure the LAT so that only external interfaces are included, the internal network becomes the external side of ISA Server. The array will not be able to query Active Directory for the configuration, and ISA Server control service will not start.

Workaround To fix the LAT, you need to get to another computer or ISA array that is running the ISA Management user interface. If none are available, you can install the ISA Management tool on a Windows computer that is connected to the domain. In ISA Management, click Connect to in the root node of ISA Management and specify the array you want to manage. You can then modify the LAT for correct values, and restart the ISA Server computers in the affected array. For more information, see article 282035, "Unable to Control ISA If LAT Configuration Prevents Access to Domain Controller", in the Microsoft Knowledge Base.

Events Logged 7023/7024/11009/12012/13110
Error When you run the Internet Connection Wizard (ICW) for Small Business Server 2000 or BackOffice Server 2000 with ISA Server installed, you may receive the following error messages:

The Internet Connection Wizard was interrupted because of an error or user intervention. Details have been recorded in the file Icwlog.txt.

The specified IP address of your local network card is not recorded in the Local Address Table (LAT) of ISA server. You must either change the IP address of your network card to one that is recorded in the LAT, or edit the LAT to include this IP address.

Cause These errors occur if the server interface IP address is not in the LAT. This error is most common in cases where two logical network interfaces exist (for example, a network adapter and a Point-to-Point serial Protocol adapter such as dial-up networking interface adapter), and both interfaces have public IP addresses. This can occur as the result of changing the IP address of the internal interface on the server.

Workaround Either change the IP address of the network adapter on the server to include it in the LAT, or modify the LAT to include a range of IP addresses that includes the IP address of one of your interfaces. Note that for best security practice, placing a public IP address in the LAT is not recommended. For more information, see article 293286, "Internet Connection Wizard Does Not Succeed When the Server Does Not Have an Interface in the LAT", in the Microsoft Knowledge Base.

Events Logged 7024/14017

Event 14017 Incorrect network configuration. The server address is not internal and is not in the LAT.

Action Check that the IP address configured for the internal network adapter for the server is included in the LAT.

Event 14089 Server publishing rule [%1] failed. Cannot create session for the server %2. Location %3.

Action Check that the internal server address is included in the LAT.

Event 14119 External interface could not be found for packet filtering.

Action Check that the LAT includes addresses associated with the ISA Server external interfaces.

Event 14120 ISA Server services cannot create a packet filter %1.

Action This event occurs when there is a conflict between the LAT configuration and the Windows 2000 routing table. Check both tables to find the source of the conflict. If there is no conflict in the LAT, for other possible sources of this event error, see article 288396, "ISA Server Event 14120 Is Logged and Packet Filter Cannot Be Created", in the Microsoft Knowledge Base.

Event 14121 Packet filter dial-out interface cannot be rebound.

Action Check that the LAT configuration is correct.

Event 14123 Failed to create the IP packet filter.

Action Check that the LAT configuration is correct.

Using the Route Command-Line Utility

You can use the Route command-line utility to view and edit the computer’s IP routing table. The Route command and syntax is as follows:

route [-f] [-p] [Command [Destination] [mask Netmask] [Gateway] [metric Metric]] [if Interface]]

-f	Clears the routing table of all gateway entries.
-p	Makes a route persistent when used with the add command.
Command	Specifies the command you want to run (Add/Change/Delete/Print).
Destination	Specifies the network destination of the route.
mask Netmask	Specifies the netmask (also known as a subnet mask) associated with the network destination.
Gateway	Specifies the forwarding or next hop IP address over which the set of addresses defined by the network destination and subnet mask are reachable.
metric Metric	Specifies an integer cost metric (ranging from 1 to 9999) for the route, which is used when choosing among multiple routes in the routing table that most closely match the destination address of a packet being forwarded.
if Interface	Specifies the interface index for the interface over which the destination is reachable. For a list of interfaces and their corresponding interface indexes, use the display of the route print command. You can use either decimal or hexadecimal values for the interface index.
/?	Displays help at the command prompt.

Examples

To display the entire contents of the IP routing table, type:

route print

To display the routes in the IP routing table that begin with 10., type:

route print 10.*

To add a default route with the default gateway address of 192.168.12.1, type:

route add 0.0.0.0 mask 0.0.0.0 192.168.12.1

To add a route to the destination 10.41.0.0 with the subnet mask of 255.255.0.0 and the next hop address of 10.27.0.1, type:

route add 10.41.0.0 mask 255.255.0.0 10.27.0.1

To add a persistent route to the destination 10.41.0.0 with the subnet mask of 255.255.0.0 and the next hop address of 10.27.0.1, type:

route -p add 10.41.0.0 mask 255.255.0.0 10.27.0.1

To add a route to the destination 10.41.0.0 with the subnet mask of 255.255.0.0, the next hop address of 10.27.0.1, and the cost metric of 7, type:

route add 10.41.0.0 mask 255.255.0.0 10.27.0.1 metric 7

To add a route to the destination 10.41.0.0 with the subnet mask of 255.255.0.0, the next hop address of 10.27.0.1, and using the interface index 0x3, type:

route add 10.41.0.0 mask 255.255.0.0 10.27.0.1 if 0x3

To delete the route to the destination 10.41.0.0 with the subnet mask of 255.255.0.0, type:

route delete 10.41.0.0 mask 255.255.0.0

To delete all routes in the IP routing table that begin with 10., type:

route delete 10.*

To change the next hop address of the route with the destination of 10.41.0.0 and the subnet mask of 255.255.0.0 from 10.27.0.1 to 10.27.0.25, type:

route change 10.41.0.0 mask 255.255.0.0 10.27.0.25

Summary

Careful configuration of the Windows Routing Table and LAT during installation ensures that you avoid future problems associated with incorrect or incomplete LAT settings, and keeps your network secure by correctly identifying internal, trusted IP addresses, and external, untrusted addresses. Be careful to include internal addresses of all subnets in the LAT, and to exclude external addresses that are not part of your internal network.