Can't browse Web servers on a remote site when using IPsec tunnels to connect sites on a Windows Server 2003-based computer that is running ISA Server 2004, ISA Server 2006, or Forefront Threat Management Gateway

SYMPTOMS:

You are using Internet Protocol security (IPsec) tunnels to connect remote sites to each other on a Windows Server 2003-based computer that is running Microsoft Internet Security and Acceleration (ISA) Server 2004 or ISA Server 2006, or on a Windows Server 2008-based computer that is running Microsoft Forefront Threat Management Gateway, Medium Business Edition. When you or a user on another computer try to browse Web servers on the remote sites through the IPsec tunnels, you cannot browse the Web servers. All other traffic crosses the tunnels to and from the remote sites correctly.

CAUSE:

The following configurations are not supported in ISA Server 2004, in ISA Server 2006, or in Microsoft Forefront Threat Management Gateway, Medium Business Edition:

· Network address translation (NAT) cannot be used as part of the connection between an internal network and a remote site network. Network traffic that is initiated from an internal network to a remote site network will not connect as expected.

· A Web Proxy cannot be used as part of the connection between an internal network and a remote site network.

RESOLUTION:

1. HTTP traffic can be enabled by defining a new protocol that is not configured for the Web Proxy application filter, so that traffic matching it is not handed to the Web Proxy. For example, define a new protocol named HTTP1. Use the new protocol in a rule that enables HTTP traffic to the specific remote site network. If multiple IPsec remote site networks require NAT/HTTP functionality, use a dedicated network adaptor for each remote site network. Use the primary IP address on the network adaptor as the local endpoint.

For more information about how to create a protocol definition on ISA Server 2004 and on ISA Server 2006, visit the "To create a protocol definition" Web page on the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/bb838964.aspx

For more information about how to create a protocol definition on Microsoft Forefront Threat Management Gateway, Medium Business Edition, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/cc441512.aspx

How can I make sure that the custom HTTP protocol that I have created is used for the IPsec VPN traffic?

To allow the nonstandard HTTP traffic, you need to create two access rules:

· An access rule that uses the CustomHTTP protocol and allows traffic from the VPN Clients network to the computer object representing the Web server.

· An access rule that uses the predefined HTTP protocol and denies traffic from the VPN Clients network to the computer object representing the Web server.

Rules are evaluated in order, so the new allow rule must come before your original rule that allows HTTP traffic from the VPN Clients network to the Internal network in the ordered list of policy rules, and the new deny rule should be placed immediately after the new allow rule.

The following table lists the rules that you should have to enable traffic in this scenario:

Order  Name                                   Action  Protocols    From                         To
-----  -------------------------------------  ------  -----------  ---------------------------  -----------------------
1      Allow CustomHTTP to Remote Web Server  Allow   CustomHTTP   VPN Clients / Internal       Internal / Remote Site
2      Deny HTTP to Remote Web Server         Deny    HTTP         VPN Clients and Remote Site  Nonstandard HTTP Server
3      Allow HTTP to Internal Servers         Allow   HTTP         Internal                     External
4      Default rule                           Deny    All Traffic  All Networks                 All Networks
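As an added illustration (written for this page; it is not code from the article or from ISA Server/TMG), the following Python model evaluates the four rules of the table top-down with first-match-wins semantics and checks the two placement requirements stated above. The rule names, protocol names and network objects are taken from the table; the evaluation semantics, the `reorder` helper, and the assumption that the remote Web server belongs both to the Remote Site network and to the "Nonstandard HTTP Server" computer object are constructed for the model.

```python
"""Constructed first-match model of the ordered access-rule list in the table.

Illustrative code written for this page, not ISA Server or TMG code. The rule
set mirrors the article's table; the evaluation semantics (top down, the first
matching rule decides) are an assumption about how an ordered policy is applied.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Sequence, Tuple

ALL_NETWORKS = "All Networks"
ALL_TRAFFIC = "All Traffic"


@dataclass(frozen=True)
class Rule:
    order: int
    name: str
    action: str                   # "Allow" or "Deny"
    protocols: Sequence[str]      # ALL_TRAFFIC matches every protocol
    sources: Sequence[str]        # ALL_NETWORKS matches every source
    destinations: Sequence[str]   # network names or computer objects

    def matches(self, protocol: str, src: FrozenSet[str], dst: FrozenSet[str]) -> bool:
        proto_ok = ALL_TRAFFIC in self.protocols or protocol in self.protocols
        src_ok = ALL_NETWORKS in self.sources or bool(src & set(self.sources))
        dst_ok = ALL_NETWORKS in self.destinations or bool(dst & set(self.destinations))
        return proto_ok and src_ok and dst_ok


@dataclass(frozen=True)
class Request:
    protocol: str
    src: FrozenSet[str]   # every network object the source belongs to
    dst: FrozenSet[str]   # every network or computer object the destination belongs to


# The four rules from the table, in the order the article prescribes.
POLICY: List[Rule] = [
    Rule(1, "Allow CustomHTTP to Remote Web Server", "Allow", ["CustomHTTP"],
         ["VPN Clients", "Internal"], ["Internal", "Remote Site"]),
    Rule(2, "Deny HTTP to Remote Web Server", "Deny", ["HTTP"],
         ["VPN Clients", "Remote Site"], ["Nonstandard HTTP Server"]),
    Rule(3, "Allow HTTP to Internal Servers", "Allow", ["HTTP"],
         ["Internal"], ["External"]),
    Rule(4, "Default rule", "Deny", [ALL_TRAFFIC], [ALL_NETWORKS], [ALL_NETWORKS]),
]

# Constructed assumption: the remote Web server is a computer object located
# inside the Remote Site network, so a packet to it matches both objects.
REMOTE_WEB_SERVER = frozenset({"Remote Site", "Nonstandard HTTP Server"})


def evaluate(rules: Sequence[Rule], req: Request) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule, in order, that matches."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.matches(req.protocol, req.src, req.dst):
            return rule.action, rule.name
    raise ValueError("no rule matched; the policy should end with the Default rule")


def ordering_problems(rules: Sequence[Rule]) -> List[str]:
    """Report violations of the two placement requirements stated in the article:
    the HTTP deny must immediately follow the CustomHTTP allow, and no rule that
    allows the predefined HTTP protocol may come before the CustomHTTP allow."""
    ordered = sorted(rules, key=lambda r: r.order)
    by_name = {r.name: r for r in ordered}
    custom_allow = by_name["Allow CustomHTTP to Remote Web Server"]
    http_deny = by_name["Deny HTTP to Remote Web Server"]
    problems: List[str] = []
    idx = ordered.index(custom_allow)
    if idx + 1 >= len(ordered) or ordered[idx + 1] is not http_deny:
        problems.append("HTTP deny rule must immediately follow the CustomHTTP allow rule")
    for r in ordered:
        if r.action == "Allow" and "HTTP" in r.protocols and r.order < custom_allow.order:
            problems.append(f"'{r.name}' allows HTTP before the CustomHTTP allow rule")
    return problems


def reorder(rules: Sequence[Rule], name: str, position: int) -> List[Rule]:
    """Move the named rule to 1-based position and renumber (constructed helper)."""
    moved = next(r for r in rules if r.name == name)
    remaining = [r for r in sorted(rules, key=lambda r: r.order) if r.name != name]
    remaining.insert(position - 1, moved)
    return [replace(r, order=i) for i, r in enumerate(remaining, start=1)]


if __name__ == "__main__":
    vpn = frozenset({"VPN Clients"})
    for req in (Request("CustomHTTP", vpn, REMOTE_WEB_SERVER),
                Request("HTTP", vpn, REMOTE_WEB_SERVER),
                Request("HTTP", frozenset({"Internal"}), frozenset({"External"}))):
        print(req.protocol, sorted(req.src), "->", sorted(req.dst), evaluate(POLICY, req))
    print("problems in table order:", ordering_problems(POLICY))
    print("problems after moving the CustomHTTP allow to position 3:",
          ordering_problems(reorder(POLICY, "Allow CustomHTTP to Remote Web Server", 3)))
```

With the table's order, CustomHTTP from VPN Clients to the remote Web server is allowed by rule 1, the same client's plain HTTP to that server is stopped by rule 2 before any later HTTP allow can hand it to the Web Proxy, and HTTP from Internal to External still passes through rule 3. Moving the CustomHTTP allow below an HTTP allow makes `ordering_problems` report both violations.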