ISA Firewall SP2 Breaks Direct Access and How to Fix It
I noticed early on when beta testing the ISA 2004 Service Pack 2 that something was amiss. The first hint came when I tried to access my Hotmail account from Outlook 2003. I was asked to authenticate to the ISA firewall, which should not have been the case since the Hotmail and related sites were configured for Direct Access. Later I confirmed that Direct Access was indeed broken by trying to access Hotmail from Outlook Express and confirmed, using the ISA firewall’s log files that sites configured for Direct Access where still be handled by the ISA firewall’s Web proxy filter.
What’s the problem? A subtle change in the ISA firewall’s approach to handling the Direct Access list. Checkout out the KB article:
Changes that are made to the Cache Array Routing Protocol (CARP) in ISA Server
2004 Service Pack 2 at http://support.microsoft.com/default.aspx/kb/903746
From what I’m told, these changes were made to support a somewhat obscure and unusual branch office configuration but for the rest of us, it has the potential to create severe problems if you’re not aware of the fix.
What’s the solution? You must remove all IP addresses from your Direct Access list. You must included only names in the Direct Access list. If you mix names and IP addresses in the Direct Access list, then you will won’t be able to bypass the Web proxy filter for any site.
The figure below shows some of my own Direct Access list:
After you remove the IP addresses from your Direct Access list, you will have to obtain the latest version of the autoconfiguration script. Close all browser windows, remove the Web proxy client configuration, open the browser, then close the browser and re-enable the Web proxy client configuration (either autoconfiguration script or Auto-detect). If you don’t want to go through all that, then you can just wait for the autoconfig script TTL to time out, which is about 50 minutes.
Thomas W Shinder, M.D.
MVP -- ISA Firewalls