You cannot browse Web servers on a remote site when you use IPsec tunnels to connect sites on a Windows Server 2003-based computer that is running Internet Security and Acceleration Server 2004

Article ID: 885351
Last Review: February 7, 2007
Revision: 2.1

SYMPTOMS

You are using Internet Protocol security (IPsec) tunnels to connect remote sites to each other on a Microsoft Windows Server 2003-based computer that is running Microsoft Internet Security and Acceleration (ISA) Server 2004. When you or a user on another computer try to browse Web servers on the remote sites through the IPsec tunnels, you cannot browse the Web servers. All other traffic crosses the tunnels to and from the remote sites correctly.

CAUSE

This behavior may occur if you use a non-primary IP address as the local endpoint for an IPsec tunnel that connects the remote site networks. The following configurations are not supported in ISA Server 2004:
  • Network address translation (NAT) cannot be used as part of the connection between an internal network and a remote site network. Network traffic that is initiated from an internal network to a remote site network will not connect as expected.
  • A Web Proxy cannot be used as part of the connection between an internal network and a remote site network.

RESOLUTION

To resolve this behavior, follow these steps:
1. When you connect multiple IPsec remote site networks to the same Microsoft Windows Server 2003-based computer that is running ISA Server 2004, define a unique IP address for each local endpoint of each IPsec tunnel on the remote site networks.

For additional information about how to define a unique IP address for the local endpoint of an IPsec tunnel, visit the "To specify an IPsec tunnel" Web page on the following Microsoft Web site:
http://technet2.microsoft.com/windowsserver/en/library/8C7F14B7-6A1A-45FE-B10B-DA9EEDA4A7351033.mspx
2. HTTP traffic can be enabled by defining a new protocol that is not configured for the Web Proxy application filter. For example, define a new protocol named HTTP1. Use the new protocol in a rule that enables HTTP traffic to the specific remote site network. If multiple IPsec remote site networks require NAT/HTTP functionality, use a dedicated network adaptor for each remote site network. Use the primary IP address on the network adaptor as the local endpoint.

For additional information about how to create a protocol definition, visit the "To create a protocol definition" Web page on the following Microsoft Web site:
http://www.microsoft.com/resources/documentation/isa/2000/enterprise/proddocs/en-us/isadocs/m_p_h_protdefcreate.mspx
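
The two resolution steps can be checked against an inventory of adapters and site-to-site networks before a change is made. The following Python script is an added example and is not part of the original article or of ISA Server; the inventory format, the sample addresses and the function name check_tunnels are assumptions, and "dedicated" is interpreted here as no two NAT/HTTP sites sharing one adapter.

```python
from collections import Counter

# Constructed sample inventory (not from the article). The first address in
# each adapter's list is treated as that adapter's primary IP address.
ADAPTERS = {
    "External1": ["203.0.113.10", "203.0.113.11"],
    "External2": ["203.0.113.20"],
}
# Constructed site-to-site networks: local tunnel endpoint and whether the
# site needs the NAT/HTTP functionality described in step 2.
TUNNELS = [
    {"site": "BranchA", "local_endpoint": "203.0.113.10", "needs_nat_http": True},
    {"site": "BranchB", "local_endpoint": "203.0.113.11", "needs_nat_http": True},
    {"site": "BranchC", "local_endpoint": "203.0.113.20", "needs_nat_http": False},
    {"site": "BranchD", "local_endpoint": "203.0.113.20", "needs_nat_http": False},
]

def check_tunnels(adapters, tunnels):
    """Return a sorted list of (site, problem) findings."""
    findings = []
    # Map every bound address to (adapter name, is it the primary address?).
    owner = {ip: (name, i == 0) for name, ips in adapters.items()
             for i, ip in enumerate(ips)}
    endpoint_use = Counter(t["local_endpoint"] for t in tunnels)
    nat_sites_per_adapter = Counter(
        owner[t["local_endpoint"]][0] for t in tunnels
        if t["needs_nat_http"] and t["local_endpoint"] in owner)
    for t in tunnels:
        site, ip = t["site"], t["local_endpoint"]
        if ip not in owner:
            findings.append((site, "endpoint not bound to any adapter"))
            continue
        adapter, is_primary = owner[ip]
        if endpoint_use[ip] > 1:  # step 1: unique endpoint per tunnel
            findings.append((site, "local endpoint shared with another tunnel"))
        if t["needs_nat_http"]:   # step 2: primary IP on a dedicated adapter
            if not is_primary:
                findings.append((site, "endpoint is a non-primary address"))
            if nat_sites_per_adapter[adapter] > 1:
                findings.append((site, "adapter not dedicated to this site"))
    return sorted(findings)

if __name__ == "__main__":
    for site, problem in check_tunnels(ADAPTERS, TUNNELS):
        print(f"{site}: {problem}")
```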

MORE INFORMATION

For more information about connecting remote sites, visit the "Connecting Remote Sites" Web page on the following Microsoft Web site:
http://technet2.microsoft.com/WindowsServer/en/library/6c9dddfa-a680-48d5-8ba7-9fcfc97eb39d1033.mspx?mfr=true
For more information about IPsec tunneling, visit the "What Is IPsec Tunneling?" Web page on the following Microsoft Web site:
http://www.microsoft.com/windows/windows2000/en/advanced/help/sag_ipsectunnel.htm

APPLIES TO
Microsoft Internet Security and Acceleration Server 2004 Standard Edition

Keywords: kbtshoot kbprb KB885351