slaroche

asked on

Two problems with installation of ISA server in Cache Mode.

We've installed ISA server in cache mode on a Windows 2000 server.  We are running dual Intel NICs in load balancing mode.  The server was just installed on Saturday.  

1.) This morning we come in to find that there are a bunch of static routes added to the routing table.  The IP addresses are from different sites (yahoo.com, hotmail.com, etc).  The default route on the ISA server is our primary router at corporate.  This router then directs all internet traffic to our Checkpoint firewall.  The new routes in the ISA server point to the internal NIC of our Checkpoint firewall (as opposed to the default route of the corporate router).  If I set the default route as the internal NIC of the Checkpoint firewall, nothing gets out.  Why is the server's routing table being populated with routes to the Checkpoint firewall as opposed to using the default route?

2.)  We have the access policy in ISA set to allow "All IP Traffic" out to any destination.  We use our Checkpoint firewall and Websense to block and monitor specific traffic.  When people try to stream certain internet radio stations, they get an error.  The website that is posting the error is http://www.midi1.com  The Technical Information on the page says the following:

-Background:
    This error indicates that the gateway could not find the IP address of the website you are trying to access
-ISA Server: NETPROXY.xyz.com
  Via:
   Time: 11/10/2003 3:19:27 PM GMT

This error occurred at 10:19 AM EST.  I've checked the time on our ISA server and it appears to be accurate.  I know that some routing is time sensitive and I wonder if this could be the problem.  Does our Checkpoint firewall, ISA server, and corporate router all need to be on the same time (precisely...they are currently all within a minute or so of each other)?  Or is this a routing issue?  Thanks for your help.  This is the most valuable site I've found for this kind of info.

Steve
chicagoan

Can you post the output of ROUTE PRINT and IP CONFIG?
(edit any sensitive information before posting)
slaroche

ASKER

Route Print:

U:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 00 00 00 ea ...... Intel (R) Advanced Networking Services (iANS) NDIS Intermediate Driver (Microsoft's Packet Scheduler)
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.85.1   192.168.85.19       1
          0.0.0.0          0.0.0.0    192.168.85.12   192.168.85.19       1
       10.1.101.0    255.255.255.0     192.168.85.1   192.168.85.19       1
       10.1.104.0    255.255.255.0     192.168.85.1   192.168.85.19       1
       10.1.105.0    255.255.255.0     192.168.85.1   192.168.85.19       1
       10.1.106.0    255.255.255.0     192.168.85.1   192.168.85.19       1
       10.1.108.0    255.255.255.0     192.168.85.1   192.168.85.19       1
       10.1.110.0    255.255.255.0     192.168.85.1   192.168.85.19       1
       10.1.124.0    255.255.255.0     192.168.85.1   192.168.85.19       1
       10.1.150.0    255.255.255.0     192.168.85.1   192.168.85.19       1
       10.1.153.0    255.255.255.0     192.168.85.1   192.168.85.19       1
      12.106.67.4  255.255.255.255    192.168.85.12   192.168.85.19       1
      38.15.67.68  255.255.255.255    192.168.85.12   192.168.85.19       1
     38.144.72.17  255.255.255.255    192.168.85.12   192.168.85.19       1
     38.144.72.18  255.255.255.255    192.168.85.12   192.168.85.19       1
     38.144.72.19  255.255.255.255    192.168.85.12   192.168.85.19       1
     38.144.72.20  255.255.255.255    192.168.85.12   192.168.85.19       1
   63.150.154.197  255.255.255.255    192.168.85.12   192.168.85.19       1
     63.214.53.25  255.255.255.255    192.168.85.12   192.168.85.19       1
     63.214.53.33  255.255.255.255    192.168.85.12   192.168.85.19       1
    63.240.15.160  255.255.255.255    192.168.85.12   192.168.85.19       1
      64.12.39.57  255.255.255.255    192.168.85.12   192.168.85.19       1
     64.12.54.249  255.255.255.255    192.168.85.12   192.168.85.19       1
     64.12.137.56  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.12.148.241  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.12.151.141  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.12.151.176  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.12.160.185  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.12.174.121  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.12.174.185  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.12.174.249  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.12.180.148  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.12.184.141  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.12.188.121  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.14.143.201  255.255.255.255    192.168.85.12   192.168.85.19       1
      64.70.10.80  255.255.255.255    192.168.85.12   192.168.85.19       1
      64.70.54.50  255.255.255.255    192.168.85.12   192.168.85.19       1
     64.124.29.68  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.124.45.219  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.147.130.56  255.255.255.255    192.168.85.12   192.168.85.19       1
   64.147.131.135  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.152.73.143  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.152.73.147  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.152.73.207  255.255.255.255    192.168.85.12   192.168.85.19       1
   64.158.223.128  255.255.255.255    192.168.85.12   192.168.85.19       1
     64.202.108.1  255.255.255.255    192.168.85.12   192.168.85.19       1
     64.236.16.84  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.236.16.136  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.236.16.137  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.236.16.138  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.236.16.242  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.236.24.138  255.255.255.255    192.168.85.12   192.168.85.19       1
    64.236.24.139  255.255.255.255    192.168.85.12   192.168.85.19       1
     64.236.40.32  255.255.255.255    192.168.85.12   192.168.85.19       1
     64.236.40.38  255.255.255.255    192.168.85.12   192.168.85.19       1
     64.236.40.64  255.255.255.255    192.168.85.12   192.168.85.19       1
     64.236.40.70  255.255.255.255    192.168.85.12   192.168.85.19       1
    65.54.192.248  255.255.255.255    192.168.85.12   192.168.85.19       1
    65.54.208.222  255.255.255.255    192.168.85.12   192.168.85.19       1
       65.126.5.4  255.255.255.255    192.168.85.12   192.168.85.19       1
   65.242.124.135  255.255.255.255    192.168.85.12   192.168.85.19       1
   65.242.124.145  255.255.255.255    192.168.85.12   192.168.85.19       1
    66.28.222.103  255.255.255.255    192.168.85.12   192.168.85.19       1
    66.35.229.142  255.255.255.255    192.168.85.12   192.168.85.19       1
    66.35.229.178  255.255.255.255    192.168.85.12   192.168.85.19       1
    66.35.229.213  255.255.255.255    192.168.85.12   192.168.85.19       1
    66.35.229.239  255.255.255.255    192.168.85.12   192.168.85.19       1
   66.163.171.166  255.255.255.255    192.168.85.12   192.168.85.19       1
    66.218.71.109  255.255.255.255    192.168.85.12   192.168.85.19       1
    66.232.154.29  255.255.255.255    192.168.85.12   192.168.85.19       1
   68.162.250.224  255.255.255.255    192.168.85.12   192.168.85.19       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
   128.121.26.136  255.255.255.255    192.168.85.12   192.168.85.19       1
   149.174.130.88  255.255.255.255    192.168.85.12   192.168.85.19       1
  149.174.130.216  255.255.255.255    192.168.85.12   192.168.85.19       1
   151.193.204.16  255.255.255.255    192.168.85.12   192.168.85.19       1
  152.163.208.121  255.255.255.255    192.168.85.12   192.168.85.19       1
  152.163.208.249  255.255.255.255    192.168.85.12   192.168.85.19       1
    159.53.216.46  255.255.255.255    192.168.85.12   192.168.85.19       1
   164.109.92.167  255.255.255.255    192.168.85.12   192.168.85.19       1
   166.90.148.215  255.255.255.255    192.168.85.12   192.168.85.19       1
   166.90.148.232  255.255.255.255    192.168.85.12   192.168.85.19       1
  168.143.178.161  255.255.255.255    192.168.85.12   192.168.85.19       1
     192.168.85.0    255.255.255.0    192.168.85.19   192.168.85.19       1
    192.168.85.19  255.255.255.255        127.0.0.1       127.0.0.1       1
   192.168.85.255  255.255.255.255    192.168.85.19   192.168.85.19       1
  204.245.113.244  255.255.255.255    192.168.85.12   192.168.85.19       1
   205.180.85.140  255.255.255.255    192.168.85.12   192.168.85.19       1
  205.188.139.152  255.255.255.255    192.168.85.12   192.168.85.19       1
  205.188.145.184  255.255.255.255    192.168.85.12   192.168.85.19       1
  205.188.145.185  255.255.255.255    192.168.85.12   192.168.85.19       1
  205.188.145.214  255.255.255.255    192.168.85.12   192.168.85.19       1
  205.188.145.217  255.255.255.255    192.168.85.12   192.168.85.19       1
  205.188.165.185  255.255.255.255    192.168.85.12   192.168.85.19       1
  205.188.165.249  255.255.255.255    192.168.85.12   192.168.85.19       1
  205.188.220.181  255.255.255.255    192.168.85.12   192.168.85.19       1
  205.188.238.110  255.255.255.255    192.168.85.12   192.168.85.19       1
  205.188.247.121  255.255.255.255    192.168.85.12   192.168.85.19       1
    206.24.190.94  255.255.255.255    192.168.85.12   192.168.85.19       1
  206.151.167.254  255.255.255.255    192.168.85.12   192.168.85.19       1
   206.157.193.68  255.255.255.255    192.168.85.12   192.168.85.19       1
   206.157.193.71  255.255.255.255    192.168.85.12   192.168.85.19       1
   207.46.196.108  255.255.255.255    192.168.85.12   192.168.85.19       1
   207.46.196.120  255.255.255.255    192.168.85.12   192.168.85.19       1
   207.68.171.232  255.255.255.255    192.168.85.12   192.168.85.19       1
   207.68.171.244  255.255.255.255    192.168.85.12   192.168.85.19       1
   207.68.176.190  255.255.255.255    192.168.85.12   192.168.85.19       1
    207.68.177.59  255.255.255.255    192.168.85.12   192.168.85.19       1
    207.68.177.62  255.255.255.255    192.168.85.12   192.168.85.19       1
    207.188.7.117  255.255.255.255    192.168.85.12   192.168.85.19       1
    207.188.7.175  255.255.255.255    192.168.85.12   192.168.85.19       1
    208.185.54.52  255.255.255.255    192.168.85.12   192.168.85.19       1
      208.254.0.7  255.255.255.255    192.168.85.12   192.168.85.19       1
      208.254.0.8  255.255.255.255    192.168.85.12   192.168.85.19       1
     208.254.0.15  255.255.255.255    192.168.85.12   192.168.85.19       1
     208.254.0.38  255.255.255.255    192.168.85.12   192.168.85.19       1
     208.254.0.89  255.255.255.255    192.168.85.12   192.168.85.19       1
    208.254.63.58  255.255.255.255    192.168.85.12   192.168.85.19       1
    208.254.63.60  255.255.255.255    192.168.85.12   192.168.85.19       1
     209.51.177.7  255.255.255.255    192.168.85.12   192.168.85.19       1
     209.51.177.8  255.255.255.255    192.168.85.12   192.168.85.19       1
     209.51.177.9  255.255.255.255    192.168.85.12   192.168.85.19       1
    209.51.177.17  255.255.255.255    192.168.85.12   192.168.85.19       1
    209.51.177.24  255.255.255.255    192.168.85.12   192.168.85.19       1
    209.51.177.32  255.255.255.255    192.168.85.12   192.168.85.19       1
      209.225.0.6  255.255.255.255    192.168.85.12   192.168.85.19       1
  209.246.122.148  255.255.255.255    192.168.85.12   192.168.85.19       1
  209.246.122.149  255.255.255.255    192.168.85.12   192.168.85.19       1
     216.73.87.13  255.255.255.255    192.168.85.12   192.168.85.19       1
     216.73.87.82  255.255.255.255    192.168.85.12   192.168.85.19       1
    216.74.132.12  255.255.255.255    192.168.85.12   192.168.85.19       1
    216.87.85.105  255.255.255.255    192.168.85.12   192.168.85.19       1
   216.109.118.67  255.255.255.255    192.168.85.12   192.168.85.19       1
   216.109.118.77  255.255.255.255    192.168.85.12   192.168.85.19       1
   216.109.127.16  255.255.255.255    192.168.85.12   192.168.85.19       1
   216.109.127.17  255.255.255.255    192.168.85.12   192.168.85.19       1
   216.109.127.60  255.255.255.255    192.168.85.12   192.168.85.19       1
   216.120.60.144  255.255.255.255    192.168.85.12   192.168.85.19       1
   216.136.174.87  255.255.255.255    192.168.85.12   192.168.85.19       1
    216.203.32.78  255.255.255.255    192.168.85.12   192.168.85.19       1
    216.239.37.99  255.255.255.255    192.168.85.12   192.168.85.19       1
  216.242.235.108  255.255.255.255    192.168.85.12   192.168.85.19       1
        224.0.0.0        224.0.0.0    192.168.85.19   192.168.85.19       1
  255.255.255.255  255.255.255.255    192.168.85.19   192.168.85.19       1
Default Gateway:      192.168.85.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
       10.1.101.0    255.255.255.0     192.168.85.1       1
       10.1.104.0    255.255.255.0     192.168.85.1       1
       10.1.105.0    255.255.255.0     192.168.85.1       1
       10.1.106.0    255.255.255.0     192.168.85.1       1
       10.1.108.0    255.255.255.0     192.168.85.1       1
       10.1.110.0    255.255.255.0     192.168.85.1       1
       10.1.124.0    255.255.255.0     192.168.85.1       1
       10.1.150.0    255.255.255.0     192.168.85.1       1
       10.1.153.0    255.255.255.0     192.168.85.1       1

U:\>

192.168.85.19 = ISA Server IP
192.168.85.12 = Checkpoint Internal NIC
192.168.85.1   = Corporate Router

IPConfig

U:\>ipconfig /all

Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : ISA
        Primary DNS Suffix  . . . . . . . : xyz.com
        Node Type . . . . . . . . . . . . : Mixed
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : xyz.com

Ethernet adapter Local Area Connection 3:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) Advanced Network Services Virtual Adapter
        Physical Address. . . . . . . . . : 00-00-00-xy-z0 (changed for security)
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.85.19 (Load Balanced NIC's)
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.85.1 (Corporate Router)
        DNS Servers . . . . . . . . . . . : Internal and External

I hope this helps.

You have two default routes:

0.0.0.0          0.0.0.0     192.168.85.1   192.168.85.19       1
0.0.0.0          0.0.0.0    192.168.85.12   192.168.85.19       1

Any idea how the 192.168.85.12 gateway address got there?
You have persistent routes for your 10.x.x.x network (why?) so I assume you have run a ROUTE /P command at some point or there's one in the startup.

With two gateways of last resort if a site is temporarily unreachable the second will be tried and that route will persist.



The gateway 192.168.85.12 was added this morning in an effort to prevent more static routes from being added into the routing table.  This was done because so many static routes had been added pointing to that address.  I could take it out and it would make no difference in accessibility.  

10.x.x.x are our remote sites.  I added them in with a -p, but they too are not necessary.  I could remove them, and traffic would flow fine.  These are just my attempts to straighten out the ISA server's routing issues.  

I guess the question is..why would the static route be added for the 192.168.85.12 address, when it can get there just as easily going through 192.168.85.1 (default gateway)?
As this machine is not using DHCP, there should be no router discovery by default - unless the ISA server's Web Proxy Auto Discovery Protocol is doing this, see if that's enabled.

As far as router discovery in the Operating System
check the following key in the registry:
HKEY_LOCAL_Machine\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface_name for your ethernet interface (#3)>

Check for the following registry value:
Value Name: PerformRouterDiscovery
Data Type:REG_DWORD
Valid Range: 0,1
Default: 0
Description: This parameter controls whether Windows 2000 will attempt to perform router discovery per RFC 1256 on a per-interface basis. This parameter defaults to 0 or FALSE.
The persistent routes to 10.x.x.x are superfluous if there is only one default gateway and no RDP.

WPAD is enabled on port 80.  We have a device listed in our DHCP server for this ISA server.

I could not find performrouterdiscovery in the registry at the location you indicated.  I also ran a search for it, and found nothing.  The Value: UseZeroBroadcast is set to 0.   That was the closest thing I could find to what you are referring to.

I agree that we do not need the 10.x.x.x routes.  I only added them as a precautionary measure.

> We have a device listed in our DHCP server for this ISA server.
I assume this is to exclude this address from your DHCP pool and document it; as the machine is not actually using DHCP, this should not be the issue.

>WPAD is enabled on port 80.
I'm not sure what effect disabling this will have on your setup, I'd hate to set off some domino effect on downstream settings.
gee... I can't connect to http://www.midi1.com/ - it has a dns entry of 195.115.154.230 but dies at ASN 8228
If WPAD incorporates router discovery (I haven't verified that) and a request went out to contact something temporarily unreachable, the discovered route would be attempted and end up in your routing table.

If you want all your outbound traffic from the ISA server to go directly through the router, you can strong-arm it by disallowing traffic from .19 on the Checkpoint.

>The new routes in the ISA server point to the internal NIC of our Checkpoint firewall (as opposed to the default route of the corporate router).  
So you're trying to use the ISA server as an outbound proxy without going through the checkpoint... meaning you have a backdoor unfettered route to your border router?

I can see the idea of using the ISA server vs the checkpoint as it might be easier to configure for certain things or have some different capabilities but I'd be interested in seeing how you set that up to eliminate bypass traffic and source routing scams.
>I assume this is to exclude this address from you DCHP pool and document it, as the machine is not actually using DHCP this should not be the issue.
Under server options in DHCP, we have option 252 WPAD selected and we have the ISA server as the value.

>If WPAD incorporates router discovery ( I haven't verified that) and request went out to contact something temporarily unreachable, the discovered route would be attempted and end up in your routing table.
I'm pretty sure WPAD does not incorporate router discovery.  It is a default setting used to broadcast its availability to client computers set to automatically detect proxy settings.


>So you're trying to use the ISA server as an outbound proxy without going through the checkpoint... meaning you have a backdoor unfettered route to your border router?
Sort of.  We are using it as a filter and a web caching server.  It is not directly connected to the internet, nor is the corporate router.  The corporate router has all of the WAN connections and all of the necessary routes to move IP traffic.  The router's gateway of last resort is the Checkpoint internal NIC.  So all internet traffic does pass through the Checkpoint firewall.  I'm wondering why these new routes are bypassing the default route, which is our corporate router, and just going right out to the firewall.  It's like the server is using OSPF to bypass the router for the shorter route to the firewall.  Weird.

so you have:

to corporate lan     <-----------------------------><router><-------><firewall><----->to internet
                            ^-----><ISA Server><----^    

?
I don't see how the inside interface of the router and the inside interface of the firewall can be on the same subnet.    
Here's my best explanation without creating seriously intricate .txt drawing.

Corporate Router = 192.168.85.1
        - Default Gateway for all nodes.
        - Gateway of Last resort is 192.168.85.12 (Checkpoint Internal NIC)
        - Static Routes in place for all Remote Sites
Checkpoint Firewall = 2 NICs
        -Internal: 192.168.85.12 (same subnet as Corp. Router Ethernet Interface)
        -External: 65.xxx.22.xxx - Valid Internet IP (Points to T1 Router connected to internet)
        -Also has static routes in place for all remote sites - (routes remote traffic through 192.168.85.1)
        -All dhcp clients are explicitly denied access to the internet (forces client to use proxy server)
ISA Server = 192.168.85.19 - Default Gateway is 192.168.85.1
Client machines = DHCP Clients
        -Proxy settings are built into login scripts.  Proxy is enabled in Browser.
        -All IP web traffic is directed to ISA server.

Maybe I should give more points for this one.  Thought it was just some setting we had incorrect.  Maybe it's more complicated than I had originally anticipated.  Thanks for helping with this one.
You only give one IP for your "corporate router".
Are you doing bankshot routing off of one interface?
Bankshot routing?  I'm not clear on that term.  This is a WAN router.  It has no connectivity with the public internet.  It uses a Privately Routed VPN Architecture through a large Comm company.  That's how it communicates with the remote sites.  The E0/0 interface is just 192.168.85.1/24.  
I'm going to post this response as a new issue, but we've noticed that some of our servers and XP/2000 machines are having their routing tables populated by extraneous IP addresses.  The interesting thing about this is that it's only the machines that are not going through ISA server.  These machines are being routed directly through the Checkpoint firewall.
If both the firewall and the router have interfaces on the same subnet, you have two routes, one of which circumvents your firewall. If any sort of router discovery protocol is running it will be discovered. Anyone with a little knowledge can set their default gateway to avoid the firewall. As the source address is not the NAT address of the firewall, the traffic can come right back to them and you essentially have no firewall. This would also allow a port scan of the inside network.

If you want all your traffic to go through the firewall, the usual thing would be to make its inside interface the default gateway on the LAN and use a different subnet on its outside interface and the router's inside interface.

LAN<192.168.85.0>---<192.168.85.1 FIREWALL 192.168.86.1>---<192.168.86.2  ROUTER  (wan addresses)>

Sometimes you run into situations that your firewall can't handle (or the firewall administrator can't figure out) and create a 'back door' route around the firewall, but that circuit should be carefully controlled with access lists to prevent unwanted traffic.
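The points made in this reply and in the ROUTE PRINT listing posted earlier (per-host routes whose next hop is 192.168.85.12 rather than the configured default gateway, two equal-metric default routes, and a second gateway sitting on the same LAN subnet that any host can reach without routing) can be checked mechanically. The script below is an added example, not code from this thread. It parses a `route print` listing (a constructed sample with the same column layout as the posted one, cut down to the rows that matter), reports /32 routes that bypass the configured default gateway, shows the next hop the stack would pick for a destination, and tests whether two gateway addresses sit on the same directly connected subnet. That /32, non-persistent, other-gateway shape is what Windows 2000 records when it accepts an ICMP redirect (RFC 792) from its default gateway, which it does by default (the EnableICMPRedirect value under Tcpip\Parameters); the audit flags the shape, it does not prove the cause. The address 198.51.100.7 is a documentation address used here as an arbitrary destination with no matching host route.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: same layout as the posted `route print`, abbreviated to the rows
# that matter (two default routes, one persistent remote-site route, two of the
# per-host routes, and the host's own on-link, loopback and multicast entries).
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.85.1   192.168.85.19       1
          0.0.0.0          0.0.0.0    192.168.85.12   192.168.85.19       1
       10.1.101.0    255.255.255.0     192.168.85.1   192.168.85.19       1
      12.106.67.4  255.255.255.255    192.168.85.12   192.168.85.19       1
         127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.85.0    255.255.255.0    192.168.85.19   192.168.85.19       1
     192.168.85.19  255.255.255.255        127.0.0.1       127.0.0.1       1
     216.239.37.99  255.255.255.255    192.168.85.12   192.168.85.19       1
         224.0.0.0        224.0.0.0    192.168.85.19   192.168.85.19       1
Default Gateway:      192.168.85.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
       10.1.101.0    255.255.255.0     192.168.85.1       1
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: object        # IPv4Address, or None: the Persistent Routes table has no Interface column
    metric: int
    persistent: bool


def _ipv4(token):
    try:
        return ipaddress.IPv4Address(token)
    except ipaddress.AddressValueError:
        return None


def parse_route_print(text):
    """Parse both tables of `route print`; return (routes, configured default gateway)."""
    routes, default_gw, in_persistent = [], None, False
    for line in text.splitlines():
        if line.startswith("Persistent Routes"):
            in_persistent = True
        elif line.startswith("Default Gateway:"):
            default_gw = _ipv4(line.split()[-1])
        tok = line.split()
        # Active rows have 5 columns, persistent rows 4; banners and headers fail these checks.
        if len(tok) not in (4, 5) or not tok[-1].isdigit():
            continue
        if _ipv4(tok[0]) is None or _ipv4(tok[1]) is None or _ipv4(tok[2]) is None:
            continue
        try:
            net = ipaddress.IPv4Network((tok[0], tok[1]), strict=False)
        except ValueError:       # non-contiguous netmask: not a usable route
            continue
        iface = _ipv4(tok[3]) if len(tok) == 5 else None
        routes.append(Route(net, _ipv4(tok[2]), iface, int(tok[-1]), in_persistent))
    return routes, default_gw


def default_gateways(routes):
    """Every gateway of last resort in the active table (the posted listing has two)."""
    return sorted({r.gateway for r in routes if not r.persistent and r.network.prefixlen == 0})


def learned_host_routes(routes, default_gw):
    """/32 routes to remote hosts that were not added with `route -p` and whose next hop is
    not the configured default gateway.  On-link entries (gateway == interface) and loopback
    entries belong to the host itself and are ignored.  This is the shape an accepted ICMP
    redirect leaves behind; the audit flags the shape, it cannot prove the cause."""
    return [r for r in routes
            if not r.persistent and r.network.prefixlen == 32
            and r.gateway != default_gw and r.gateway != r.interface
            and not r.gateway.is_loopback]


def next_hops(routes, destination):
    """Longest prefix match, then lowest metric, as the stack forwards.  More than one
    result means the choice is ambiguous (here: two equal-metric default routes)."""
    dst = ipaddress.IPv4Address(destination)
    matching = [r for r in routes if not r.persistent and dst in r.network]
    if not matching:
        return []
    best_len = max(r.network.prefixlen for r in matching)
    best = [r for r in matching if r.network.prefixlen == best_len]
    best_metric = min(r.metric for r in best)
    return sorted({r.gateway for r in best if r.metric == best_metric})


def on_link_network(routes, address):
    """Directly connected subnet containing `address`, or None.  If the router and the
    firewall both answer here, any LAN host can pick either one as its gateway."""
    addr = ipaddress.IPv4Address(address)
    nets = [r.network for r in routes
            if not r.persistent and r.gateway == r.interface
            and 0 < r.network.prefixlen < 32 and addr in r.network]
    return max(nets, key=lambda n: n.prefixlen, default=None)


if __name__ == "__main__":
    routes, gw = parse_route_print(SAMPLE_ROUTE_PRINT)
    print("configured default gateway:", gw, "| gateways of last resort:", default_gateways(routes))
    for r in learned_host_routes(routes, gw):
        print("host route bypassing the default gateway:", r.network, "->", r.gateway)
    for dst in ("216.239.37.99", "10.1.101.5", "198.51.100.7"):
        print(dst, "next hop(s):", next_hops(routes, dst))
    print("router and firewall share a link:",
          on_link_network(routes, "192.168.85.1") == on_link_network(routes, "192.168.85.12"))
```

To run it against the real box, replace SAMPLE_ROUTE_PRINT with the saved output of `route print`. Deleting a flagged entry with `route delete` only clears the symptom: while the default gateway keeps redirecting to a next hop on the same link, the entries come back, so the audit is a check, not a fix.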

 
We've got two routers and one checkpoint firewall:

LAN: <192.168.85.0>---<192.168.85.1 Corp Router>---<192.168.85.22 FIREWALL 68.50.xxx.x2>---<68.50.xxx.x1 Internet Router>

The corp router also handles all of our Private WAN traffic to our remote sites over Frame-Relay.
ASKER CERTIFIED SOLUTION
chicagoan