Windows XP client dynamic routing

Posted on 2004-09-01
Last Modified: 2013-12-19
There's a bit of explanation required before I get to the question, so please be patient...

I have a customer who has a LAN with Small Business Server 2000 on it and a hardware firewall, also attached to the LAN. The SBS server runs DHCP and gives IP config info to the clients. The SBS IP ends in .203, the hardware firewall in .254. The default gateway on the SBS is the hardware firewall, but DHCP assigns the default gateway of .203 to the clients, which means that the route that a client uses to access the Internet is via the SBS and then it routes out via the firewall.

This client has managed to catch on one or more of his internal client PCs a mass mailing virus/worm (oops). One of the advised procedures when dealing with this sort of infection is to restrict outgoing access to port 25 (SMTP) only to known mail servers. Easy enough, I modified ISA server to restrict the protocol to the single internal mail server (the SBS server itself, surprise, surprise). I then tested this restriction using telnet on port 25 to a known external SMTP server.

No problems with the mail server, so I tried it from a client. Here is where the curious thing happened...

The client was still able to connect on port 25. I checked the routing on the client thinking that it must be using .254 as a default but it is not. It had, however, added a specific route to the IP of the external mailserver. Time for another test...

This time, I checked the routing before and after the telnet and the client is definitely adding routes. To the best of my knowledge, there is no dynamic routing going on on this network. The hardware firewall doesn't do it and the SBS does not have RIP in Routing and Remote Access.

My theory is that the client is being "told" by ISA server that it cannot route to the mail server and is then finding another way. I don't know how or why, tho'.

I know that an obvious answer to my problem is to restrict port 25 on the hardware firewall as well, however I want to know why the XP client is doing what it is doing so that I am aware of it should a similar situation arise.

Thanks in advance.

Jamie
Question by:jqlr
LVL 15

Expert Comment

by:scampgb
ID: 11951228
Hi jqlr,

It does sound like the client is "learning" about the other gateway somehow.
Do "route print" on the client, that'll show you the routing table.

However, for ISA server to run in firewall mode it will need an "inside" and "outside" interface.  In the environment that you've got, you should have something like:

Internet ---- Firewall ---- ISA server ----- Client PCs

This means that the client PCs cannot communicate directly with the firewall and must always use the ISA server as their gateway.

Does that help?

Author Comment

by:jqlr
ID: 11951757
Thanks for the thoughts scampgb.

My understanding was that the ISA server would act as a gateway even tho' its route to the Internet was actually another IP on the same network. This would have its "inside" as clients that have its IP as their default gateway and its "outside" as where it sent the requests.

The firewall has to be on the LAN as it was put in to allow us to use an IPSEC VPN to support the entire network. Windows VPN and routing (even excluding the security implications of having the SBS as the firewall) is a bit too flaky to provide this on a reliable, permanent basis. I accept that your

Internet ---- Firewall ---- ISA server ----- Client PCs

is the ideal solution but this gives us problems in that we'd terminate our VPN on the firewall (which we do at present) but then have to route through the SBS.

I didn't make it clear in my question but "route print" (or "netstat -r") for the old unix user in me does show a new direct route via the hardware firewall.

Cheers

Jamie
LVL 15

Expert Comment

by:scampgb
ID: 11963241
Hmm - OK.  I think there's a bit of a problem here that the user PCs can use the firewall as the gateway, and they're not forced to go via the ISA server

Delete the default route and put in the correct one:
ROUTE DELETE 0.0.0.0
ROUTE ADD 0.0.0.0 MASK 0.0.0.0 x.x.x.203

Reconfigure the firewall to only allow SMTP traffic to/from the ISA server.

That's about all I can think of in this setup I'm afraid.

Author Comment

by:jqlr
ID: 11963318
Yeah, I thought about specifying the default route but I don't know if this would stop the dynamic one appearing.

I reconfigured the hardware firewall to do this anyway but I am more concerned with the fact that Windows is "learning" routes without having something feeding it.

Thanks for your help anyway.
LVL 15

Accepted Solution

by:
scampgb earned 500 total points
ID: 11963394
It's likely that the server will be issuing an ICMP redirect, and the PC will be learning the new route from that.

As both the server and the firewall are on the same subnet, and the firewall is the default route for the server, this would make sense.

You could use a network analyser to check it out properly.

Author Comment

by:jqlr
ID: 11963469
I think you have it. http://support.microsoft.com/default.aspx?scid=kb;en-us;q195686 explains the behaviour. Now all I need to do is find out if I can disable the SBS sending redirects.

Many thanks.

Author Comment

by:jqlr
ID: 11963539
It's not quite the right article but http://support.microsoft.com/default.aspx?scid=kb;en-us;293626 explains how to disable ICMP redirects with W2K.
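The accepted solution above (the SBS sending an ICMP redirect, which the XP client honours by adding a host route) and the follow-up about disabling redirects are illustrated below with a worked example. This is added code, not anything posted in the thread or shipped by Microsoft. It builds an ICMP Redirect for Host the way the SBS would send it, decodes it the way a network analyser would display it, and runs it through a simulated client route table; the `accept_redirects` flag stands in for the Windows TCP/IP parameter `EnableICMPRedirect`, which controls whether the stack alters its route table in response to redirects. Only the last octets .203 and .254 come from the question; the 192.168.1.0/24 prefix, the client address .50 and the external mail server address 203.0.113.25 (a documentation range) are assumptions.

```python
import struct
import ipaddress

# Constructed topology matching the question. Only the last octets .203 and .254
# are from the thread; the prefix, the client address and the external mail
# server address are assumed for the example.
LAN = "192.168.1.0/24"
CLIENT = "192.168.1.50"
SBS = "192.168.1.203"        # SBS/ISA server, the clients' DHCP-assigned default gateway
FIREWALL = "192.168.1.254"   # hardware firewall, the SBS's own default gateway
MAIL_SERVER = "203.0.113.25"  # external SMTP server the client telnets to on port 25


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) in front of the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 128, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_redirect(router: str, host: str, new_gateway: str, original: bytes) -> bytes:
    """ICMP Redirect for Host (type 5, code 1). As RFC 792 specifies, it quotes the
    offending datagram's IP header plus its first 8 bytes and names the better gateway."""
    icmp = struct.pack("!BBH4s", 5, 1, 0, ipaddress.IPv4Address(new_gateway).packed) + original[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return build_ipv4(router, host, 1, icmp)


def parse_redirect(packet: bytes):
    """Return the fields an analyser would show for an ICMP redirect, or None if the
    packet is not a well-formed redirect (wrong protocol/type, truncated or bad checksum)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                          # not ICMP
        return None
    icmp = packet[ihl:]
    if len(icmp) < 36 or checksum(icmp) != 0:   # too short to hold the quoted header, or corrupt
        return None
    itype, code, _, gw = struct.unpack("!BBH4s", icmp[:8])
    if itype != 5:
        return None
    quoted = icmp[8:]
    return {
        "from": str(ipaddress.IPv4Address(packet[12:16])),
        "to": str(ipaddress.IPv4Address(packet[16:20])),
        "code": code,
        "new_gateway": str(ipaddress.IPv4Address(gw)),
        "original_src": str(ipaddress.IPv4Address(quoted[12:16])),
        "original_dst": str(ipaddress.IPv4Address(quoted[16:20])),
    }


class Host:
    """Simulated end host: one default route plus the host routes learned from redirects."""

    def __init__(self, address, lan, default_gateway, accept_redirects=True):
        self.address = address
        self.lan = ipaddress.ip_network(lan)
        self.default_gateway = default_gateway
        # Windows exposes this switch as the Tcpip\Parameters\EnableICMPRedirect value.
        self.accept_redirects = accept_redirects
        self.host_routes = {}  # destination -> gateway: the extra lines seen in "route print"

    def next_hop(self, dest):
        return self.host_routes.get(dest, self.default_gateway)

    def receive(self, packet):
        """Process one packet; returns the (destination, gateway) route added, or None."""
        r = parse_redirect(packet)
        if r is None or not self.accept_redirects:
            return None
        # RFC 1122 host checks: the redirect must come from the gateway currently used
        # for that destination, name a gateway on our own LAN, and quote a datagram we sent.
        if r["from"] != self.next_hop(r["original_dst"]):
            return None
        if ipaddress.ip_address(r["new_gateway"]) not in self.lan:
            return None
        if r["original_src"] != self.address:
            return None
        self.host_routes[r["original_dst"]] = r["new_gateway"]
        return r["original_dst"], r["new_gateway"]


def simulate(accept_redirects=True):
    """The client sends a TCP segment to port 25 via the SBS; the SBS, whose own default
    route is the firewall on the same subnet, replies with a redirect. Returns the next
    hop the client uses for the mail server before and after that reply."""
    client = Host(CLIENT, LAN, SBS, accept_redirects)
    before = client.next_hop(MAIL_SERVER)
    # Constructed TCP header bytes: source port 1234, destination port 25, rest zero-padded.
    segment = build_ipv4(CLIENT, MAIL_SERVER, 6, b"\x04\xd2\x00\x19" + b"\x00" * 16)
    client.receive(build_redirect(SBS, CLIENT, FIREWALL, segment))
    return before, client.next_hop(MAIL_SERVER)


if __name__ == "__main__":
    print("redirects honoured:", simulate(True))
    print("redirects disabled:", simulate(False))
```

With redirects honoured the client's next hop for the mail server changes from .203 to .254 after a single packet, which is exactly the host route that appeared in `route print`; with the flag cleared the default route is used throughout, so the ISA restriction on the .203 path holds. The validation steps in `receive` are also why a capture is the right diagnostic: a redirect that does not come from the current next hop, or that names a gateway off the local subnet, is discarded, so the packet source and the quoted destination in the trace tell you which router is teaching the client.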
LVL 15

Expert Comment

by:scampgb
ID: 11963604
Knew we'd get there in the end :-)

I'm a little surprised that a machine with ISA would still produce ICMP redirects.  I s'pose it is internal though, and makes sense from a network topology point of view.

This is the kind of thing that happens when networks try to be intelligent :-)

Thanks for the "A".  Glad I could help.