The access rule for the Generic Routing Encapsulation protocol does not take effect in ISA Server 2006

This article has been archived. It is offered "as is" and will no longer be updated.
Consider the following scenario:
  • In Microsoft Internet Security and Acceleration (ISA) Server 2006, you configure a custom protocol for raw IP protocol number 47. This protocol is known as Generic Routing Encapsulation (GRE).
  • You configure an access rule to allow the custom protocol.
  • You send the GRE traffic between the networks that are defined in the access rule. For example, you send the Web Cache Coordination Protocol (WCCP) traffic from a router to a Web cache appliance. The WCCP traffic is encapsulated in GRE.
In this scenario, the access rule may not take effect, and the WCCP traffic may be blocked by ISA Server 2006.
This problem occurs because ISA Server 2006 incorrectly assumes that the GRE traffic is always encapsulating Point-to-Point Tunneling Protocol (PPTP) packets. Therefore, if the GRE packet does not contain a valid PPTP header, the traffic is blocked.
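The cause described above, shown as an added example that is not code from ISA Server or the hotfix: a small parser reads the GRE header and a filter that accepts only PPTP-style GRE blocks a WCCP packet. The function names and sample packets are constructed for illustration; the header values assumed are GRE version 1 with protocol type 0x880B for PPTP (RFC 2637) and version 0 with protocol type 0x883E for WCCP.

```python
import struct

PPTP_PROTO = 0x880B  # PPP inside PPTP's enhanced GRE (RFC 2637)
WCCP_PROTO = 0x883E  # WCCP redirected traffic (assumed WCCPv2 value)

def parse_gre(payload: bytes) -> dict:
    """Parse the first four bytes of a GRE header (payload of IP protocol 47)."""
    if len(payload) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", payload[:4])
    return {
        "checksum": bool(flags & 0x8000),
        "routing": bool(flags & 0x4000),
        "key": bool(flags & 0x2000),
        "version": flags & 0x0007,
        "proto": proto,
    }

def is_pptp_gre(hdr: dict) -> bool:
    """Enhanced GRE as PPTP uses it: version 1, type 0x880B, K set, C and R clear."""
    return (hdr["version"] == 1 and hdr["proto"] == PPTP_PROTO
            and hdr["key"] and not hdr["checksum"] and not hdr["routing"])

def classify(payload: bytes) -> str:
    """Label a protocol-47 payload by what it actually encapsulates."""
    hdr = parse_gre(payload)
    if is_pptp_gre(hdr):
        return "pptp"
    if hdr["version"] == 0 and hdr["proto"] == WCCP_PROTO:
        return "wccp"
    return "other-gre"

def pptp_only_verdict(payload: bytes) -> str:
    """Hypothetical filter that treats every protocol-47 packet as PPTP."""
    return "allow" if is_pptp_gre(parse_gre(payload)) else "block"

# Constructed sample packets (GRE header onward), not captured traffic.
PPTP_SAMPLE = struct.pack("!HHHHI", 0x3001, PPTP_PROTO, 4, 1, 1) + b"\xff\x03\xc0\x21"
WCCP_SAMPLE = struct.pack("!HH", 0x0000, WCCP_PROTO) + bytes(4) + b"\x45" + bytes(19)

if __name__ == "__main__":
    for name, pkt in (("PPTP", PPTP_SAMPLE), ("WCCP", WCCP_SAMPLE)):
        print(name, classify(pkt), pptp_only_verdict(pkt))
```

Both samples are IP protocol 47, so an access rule for that protocol number covers both, yet only the PPTP sample passes the PPTP-only check.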
To resolve this problem, apply the hotfix that is mentioned in the following Microsoft Knowledge Base article:
959357 Description of the ISA Server 2006 hotfix package: October 29, 2008
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
For more information about GRE, visit the following Internet Drafts Web site:
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Article ID: 946715 - Last Review: 01/16/2015 02:40:11 - Revision: 2.0

  • Microsoft Internet Security and Acceleration Server 2006 Service Pack 1