ISA Server 2004, ISA Server 2006, and Microsoft Forefront Threat Management Gateway, Medium Business Edition do not support traffic redirection

Summary

This article discusses how to troubleshoot an issue that occurs when a client computer on a remote subnet sends TCP traffic to another internal computer.

More Information

When a client computer that is behind Microsoft Internet Security and Acceleration (ISA) Server 2004, Microsoft ISA Server 2006, or Microsoft Forefront Threat Management Gateway, Medium Business Edition sends traffic to another internal computer, the ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer may drop the traffic.

This behavior occurs when TCP packets in one direction follow a route that does not involve ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition, and TCP packets in the other direction follow a route that does involve ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition.

For example, consider a client computer on a remote subnet that is behind an internal network. In this case, the remote subnet is separated from the ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer by a router. When the client computer sends a packet to another client computer that is located on the internal network, the traffic is forwarded directly to the computer on the internal network.

When the client computer on the internal network responds, the packet is routed through ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition because this computer has the IP address of the internal network defined as its default gateway. ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition has no route back to the remote subnet. Therefore, the source IP address is identified as spoofed.

This issue occurs even when the server has valid routes to both source and destination subnets. In this situation, the TCP connection request (SYN) from the client to the server bypasses ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition. However, the SYN-ACK packet is routed to the server and dropped with a TCP_NOT_SYN_PACKET error. In short, both sides of a TCP session must go through the ISA Server or Microsoft Forefront Threat Management Gateway, Medium Business Edition computer.

This behavior may not occur with User Datagram Protocol (UDP) traffic, or Internet Control Message Protocol (ICMP) traffic.

For more information about how to troubleshoot this issue and other network configuration issues, visit the following Microsoft Web site:For more information about how to configure ISA Server 2004 networks, visit the following Microsoft Web site:
Propriétés

ID d'article : 888042 - Dernière mise à jour : 7 nov. 2008 - Révision : 1

Commentaires