There's a bit of explaination required before I get to the question, so please be patient...
I have a customer who has a LAN with Small Business Server 2000 on it and a hardware firewall, also attached to the LAN. The SBS server runs DHCP and gives IP config info to the clients. The SBS IP ends in .203, the hardware firewall in .254. The default gateway on the SBS is is the hardware firewall but DHCP assigns the default gateway of .203 to the clients. Which mans that the route that a client uses to access the Internet is via the SBS and then it routes out via the firewall.
This client has managed to catch on one or more of his internal client PCs a mass mailing virus/worm (oops). One of the advised procdures when dealing with this sort of infection is to restrict outgoing access to port 25 (SMTP) only to mail known mail servers. Easy enough, I modified ISA server to restrict the protocol to the single internal mail server (the SBS server itself, surprise, surprise). I then tested this restriction using telnet on port 25 to a known external SMTP server.
No problems with the mail server, so I tried it from a client. Here is where the curious thing happened...
The client was still able to connect on port 25. I checked the routing on the client thinking that it must be using .254 as a default but it is not. It had, however, added a specific route to the IP of the external mailserver. Time for another test...
This time, I checked the routing before and after the telnet and the client is definately adding routes. To the best of my knowledge, there is no dynamic routing going on on this network. The hardware firewall doesn't do it and the SBS does not have RIP in Routing and Remote Access.
My theory is that the client is being "told" by ISA server that it cannot route to the mail server and is then finding another way. I don't know how or why, tho'.
I know that an obvious answer to my problem is to restrict port 25 on the hardware firewall as well, however I want to know why the XP client is doing what it is doing so that I am aware of it should a similar situation arise.
Thanks in advance.