Solved

Windows XP client dynamic routing

Posted on 2004-09-01
Last Modified: 2013-12-19
There's a bit of explanation required before I get to the question, so please be patient...

I have a customer who has a LAN with Small Business Server 2000 on it and a hardware firewall, also attached to the LAN. The SBS server runs DHCP and gives IP config info to the clients. The SBS IP ends in .203, the hardware firewall in .254. The default gateway on the SBS is the hardware firewall but DHCP assigns the default gateway of .203 to the clients. Which means that the route that a client uses to access the Internet is via the SBS and then it routes out via the firewall.

This client has managed to catch on one or more of his internal client PCs a mass mailing virus/worm (oops). One of the advised procedures when dealing with this sort of infection is to restrict outgoing access to port 25 (SMTP) to known mail servers only. Easy enough, I modified ISA server to restrict the protocol to the single internal mail server (the SBS server itself, surprise, surprise). I then tested this restriction using telnet on port 25 to a known external SMTP server.

No problems with the mail server, so I tried it from a client. Here is where the curious thing happened...

The client was still able to connect on port 25. I checked the routing on the client thinking that it must be using .254 as a default but it is not. It had, however, added a specific route to the IP of the external mailserver. Time for another test...

This time, I checked the routing before and after the telnet and the client is definitely adding routes. To the best of my knowledge, there is no dynamic routing going on on this network. The hardware firewall doesn't do it and the SBS does not have RIP in Routing and Remote Access.

My theory is that the client is being "told" by ISA server that it cannot route to the mail server and is then finding another way. I don't know how or why, tho'.

I know that an obvious answer to my problem is to restrict port 25 on the hardware firewall as well, however I want to know why the XP client is doing what it is doing so that I am aware of it should a similar situation arise.

Thanks in advance.

Jamie
Question by:jqlr
8 Comments
 
LVL 15

Expert Comment

by:scampgb
ID: 11951228
Hi jqlr,

It does sound like the client is "learning" about the other gateway somehow.
Do "route print" on the client, that'll show you the routing table.

However, for ISA server to run in firewall mode it will need an "inside" and "outside" interface.  In the environment that you've got, you should have something like:

Internet ---- Firewall ---- ISA server ----- Client PCs

This means that the client PCs cannot communicate directly with the firewall and must always use the ISA server as their gateway.

Does that help?
0
 

Author Comment

by:jqlr
ID: 11951757
Thanks for the thoughts scampgb.

My understanding was that the ISA server would act as a gateway even tho' its route to the Internet was actually another IP on the same network. This would have its "inside" as clients that have its IP as their default gateway and its "outside" as where it sent the requests.

The firewall has to be on the LAN as it was put in to allow us to use an IPSEC VPN to support the entire network. Windows VPN and routing (even excluding the security implications of having the SBS as the firewall) is a bit too flaky to provide this on a reliable, permanent basis. I accept that your

Internet ---- Firewall ---- ISA server ----- Client PCs

is the ideal solution but this gives us problems in that we'd terminate our VPN on the firewall (which we do at present) but then have to route through the SBS.

I didn't make it clear in my question but "route print" (or "netstat -r" for the old unix user in me) does show a new direct route via the hardware firewall.

Cheers

Jamie
0
 
LVL 15

Expert Comment

by:scampgb
ID: 11963241
Hmm - OK.  I think there's a bit of a problem here that the user PCs can use the firewall as the gateway, and they're not forced to go via the ISA server.

Delete the default route and put in the correct one:
ROUTE DELETE 0.0.0.0
ROUTE ADD 0.0.0.0 MASK 0.0.0.0  x.x.x.203

Reconfigure the firewall to only allow SMTP traffic to/from the ISA server.

That's about all I can think of in this setup I'm afraid.
0
 

Author Comment

by:jqlr
ID: 11963318
Yeah, I thought about specifying the default route but I don't know if this would stop the dynamic one appearing.

I reconfigured the hardware firewall to do this anyway but I am more concerned with the fact that Windows is "learning" routes without having something feeding it.

Thanks for your help anyway.
0
 
LVL 15

Accepted Solution

by:
scampgb earned 500 total points
ID: 11963394
It's likely that the server will be issuing an ICMP redirect, and the PC will be learning the new route from that.

As both the server and the firewall are on the same subnet, and the firewall is the default route for the server, this would make sense.

You could use a network analyser to check it out properly.
0
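
What a network analyser capture of the redirect suggested in the accepted answer would contain, as an added example that is not part of the original thread: a Python decoder for an ICMP redirect (type 5, RFC 792) showing which gateway the sender is advertising and for which destination. The 192.168.16.x network, the .50 client and the 203.0.113.25 mail server are constructed values; only the .203 and .254 host parts come from the question.

```python
import socket
import struct

REDIRECT_CODES = {0: "network", 1: "host", 2: "TOS and network", 3: "TOS and host"}

def parse_icmp_redirect(ip_packet: bytes):
    """Decode a raw IPv4 packet; return a dict for an ICMP redirect, else None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4 or ip_packet[9] != 1:
        return None                              # not IPv4 carrying ICMP
    ihl = (ip_packet[0] & 0x0F) * 4
    icmp = ip_packet[ihl:]
    if len(icmp) < 8 + 20 or icmp[0] != 5:       # type 5 = redirect
        return None
    inner = icmp[8:]                             # header of the datagram that was redirected
    inner_ihl = (inner[0] & 0x0F) * 4
    dport = None
    if inner[9] in (6, 17) and len(inner) >= inner_ihl + 4:   # TCP or UDP
        dport = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    return {
        "sent_by": socket.inet_ntoa(ip_packet[12:16]),
        "sent_to": socket.inet_ntoa(ip_packet[16:20]),
        "code": REDIRECT_CODES.get(icmp[1], "unknown"),
        "new_gateway": socket.inet_ntoa(icmp[4:8]),
        "original_destination": socket.inet_ntoa(inner[16:20]),
        "original_dport": dport,
    }

def _ipv4(src, dst, proto, payload):
    # Minimal 20-byte header; checksum left at 0 because this is constructed sample data.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed sample: the SBS (.203) tells the client to reach the external
# mail server via the hardware firewall (.254) after seeing a packet to port 25.
CLIENT, SBS, FIREWALL, MAIL = "192.168.16.50", "192.168.16.203", "192.168.16.254", "203.0.113.25"
_syn = _ipv4(CLIENT, MAIL, 6, struct.pack("!HHI", 1045, 25, 0))
SAMPLE_REDIRECT = _ipv4(SBS, CLIENT, 1,
                        struct.pack("!BBH4s", 5, 1, 0, socket.inet_aton(FIREWALL)) + _syn)
SAMPLE_ECHO = _ipv4(CLIENT, SBS, 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\x00" * 20)

if __name__ == "__main__":
    print(parse_icmp_redirect(SAMPLE_REDIRECT))
```

A host-code redirect from .203 naming .254 as the new gateway for the mail server's address corresponds to the per-destination route the client shows in "route print".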
 

Author Comment

by:jqlr
ID: 11963469
I think you have it. http://support.microsoft.com/default.aspx?scid=kb;en-us;q195686 explains the behaviour. Now all I need to do is find out if I can disable the SBS sending redirects.

Many thanks.
0
 

Author Comment

by:jqlr
ID: 11963539
It's not quite the right article but http://support.microsoft.com/default.aspx?scid=kb;en-us;293626 explains how to disable ICMP redirects with W2K.
0
 
LVL 15

Expert Comment

by:scampgb
ID: 11963604
Knew we'd get there in the end :-)

I'm a little surprised that a machine with ISA would still produce ICMP redirects.  I s'pose it is internal though, and makes sense from a network topology point of view.

This is the kind of thing that happens when networks try to be intelligent :-)

Thanks for the "A".  Glad I could help.
0
