ISA Server detected routes through the network adapter LAN that do not correlate with the network to which this network adapter belongs
What does this mean and how can one go about correcting it?
In simple terms, this error message indicates that traffic has arrived at an ISA Server interface where ISA would not have expected to see it arrive.
In reality, this is a simple error to correct if you consider how ISA Server operates. ISA Server is NOT a router - despite common beliefs to the contrary. ISA is a server application that uses the host operating system to provide underlying services such as network addressing and routing.
To demonstrate, lets take a new ISA Server installation with two network cards as an example. The following attributes are set within the operating system via the Control Panel - Network Connections - TCP/IP settings:
Interface | IP Address | Mask | Gateway
External | 172.30.6.1 | 255.255.255.0 | 172.30.6.254
Internal | 192.168.14.2 | 255.255.255.0 | None
By default, ALL IP addresses are treated as hostile by ISA Server and therefore they are associated with the ISA Server External network entity. Any IP address that needs to be identified as associated with the internal network must be added to the Local Address table or LAT. The LAT is updated using the ISA GUI by selecting the following options - Configuration - Networks - Internal - Properties - Addresses. This allows you to add the IP addresses that the ISA Server will expect to see arrive on its internal network interface. ONLY the addresses added in this way become associated with the internal network card from the ISA Server application point of view.
Here comes the crunch. The internal NIC in this example, from the operating system point of view, is using 192.168.14.4 with a class C subnet mask. Therefore the entry required in the ISA LAT for the internal network is 192.168.14.0 - 192.168.14.255. Using these settings would prevent the error message identified in the title from occurring.
Unfortunately, many people only put IP addresses into the LAT based on the 'useable' IP address range of 192.168.14.1 - 192.168.14.254 rather than all of the IP addresses.
Think about this a little - what happens now when, on the internal network, some form of netbios broadcast or similar takes place? What address will that use? Absolutely - a broadcast will be sent to the 192.168.14.255 address which, if only the useable IP addresses have been added to the LAT, will be treated as hostile.
So, what does that mean?
ISA server has a network card in the 192.168.14.0 network and therefore will receive a copy of the broadcast packet sent to the .255 address, the same as ALL machines on that subnet will receive it. However, ISA will see that the .255 address is NOT included in the LAT entry for the internal network. Therefore, ISA would never expect to see a packet destined for the .255 address arrive on its internal interface. It will treat this as a spoof attack and generate the error message.
Therefore, you MUST include the broadcast address inside the LAT entry. We add the network ID too (in this case the .0) for completeness.
The same concept applies if you have a third network card added to act as a DMZ interface. In the ISA GUI - Configuration - Networks - DMZ_NIC - Properties - Addresses - all of the IP addresses including the ID and the broadcast address would be added.
It should be remembered that this is also the reason why a common subnet cannot be used on both an internal and external network card for ISA. The LAT table must include the WHOLE network range.