Allowing Outbound PING and PPTP Connections.

So you’ve downloaded ISA Server and installed the monster. You read the Getting Started Guide (http://www.isaserver.org/shinder/tips/getting_started.htm) and did everything I told you to do. Now, you want to do a quick test of network connectivity. What do we all usually do to test connectivity? You guessed it: PING.


You open a command prompt and type ping www.domain.com and you see something like what appears below:

What’s going on here? In this example, I pinged the server using a FQDN and the correct IP address was returned. So we know that DNS host name resolution is working properly. But what is causing the Destination Host Unreachable message?

The problem is that the Getting Started Guide left out one key piece of advice: you should enable IP Routing on the ISA Server. In order to allow non-TCP/UDP based protocols through the ISA Server, IP Routing must be enabled. In addition, the machine must be set up as a SecureNAT client.

Once IP Routing is enabled, you will be able to use the PING, TRACERT and PATHPING tools included with Windows 2000. In addition, you will be able to make outbound PPTP calls. Without flipping this switch, all your attempts to use these features will fail.

The reason why the “all open” Protocol Rule doesn’t allow PING, TRACERT and PATHPING to work is that Protocol Rules only support TCP and UDP based protocols. If you look at the Protocol Definitions used to create Protocol Rules, you’ll see that you can only create Definitions for UDP and TCP based protocols.

PING, TRACERT and PATHPING all use ICMP. PPTP uses the Generic Routing Encapsulation Protocol (GRE or IP Protocol 47). Since these are not TCP or UDP based protocols, the “all open” Protocol Rule does not work.

Another thing that is very important to remember is that only SecureNAT clients are able to use non-TCP/UDP protocols. If your client is configured only as a Firewall and/or Web Proxy client, you will not be able to PING, TRACERT or pass GRE through the ISA Server.
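To make the diagnosis from the opening ping test repeatable, here is a small triage script (an added example, not part of the original tip) that reads Windows ping output and separates a name-resolution failure from the "resolved but Destination host unreachable" symptom that points at IP Routing and the SecureNAT client requirement. The host name, addresses and output text below are constructed samples, not captured from the article.

```python
import re

# Constructed samples in the layout Windows 2000 ping prints (not from the article).
PING_UNREACHABLE = """\
Pinging www.domain.com [192.0.2.10] with 32 bytes of data:

Reply from 10.0.0.1: Destination host unreachable.
Reply from 10.0.0.1: Destination host unreachable.
"""
PING_NAME_FAILURE = ("Ping request could not find host www.domain.com. "
                     "Please check the name and try again.\n")
PING_OK = """\
Pinging www.domain.com [192.0.2.10] with 32 bytes of data:

Reply from 192.0.2.10: bytes=32 time=20ms TTL=52
Reply from 192.0.2.10: bytes=32 time=21ms TTL=52
"""

# "Pinging <name> [<ip>]" only appears once the name resolved to an address.
RESOLVED_RE = re.compile(r"^Pinging \S+ \[(\d+\.\d+\.\d+\.\d+)\]", re.M)
# A real ICMP echo reply carries "bytes=", unlike a router's unreachable message.
ECHO_REPLY_RE = re.compile(r"^Reply from (\d+\.\d+\.\d+\.\d+): bytes=", re.M)


def triage_ping(output: str) -> dict:
    """Classify ping output the way the tip reasons about it: DNS first, then ICMP."""
    resolved = RESOLVED_RE.search(output)
    if not resolved:
        return {"dns_ok": False, "icmp_ok": False,
                "verdict": "name resolution failed; fix DNS before looking at ISA Server"}
    target = resolved.group(1)
    if target in ECHO_REPLY_RE.findall(output):
        return {"dns_ok": True, "icmp_ok": True,
                "verdict": "ICMP echo passes through ISA Server"}
    if "Destination host unreachable" in output:
        return {"dns_ok": True, "icmp_ok": False,
                "verdict": ("DNS works but ICMP is not forwarded: enable IP Routing "
                            "on the ISA Server and confirm this machine is a SecureNAT client")}
    return {"dns_ok": True, "icmp_ok": False,
            "verdict": "no echo replies; ICMP may be dropped at ISA Server or the destination"}


if __name__ == "__main__":
    for sample in (PING_NAME_FAILURE, PING_UNREACHABLE, PING_OK):
        print(triage_ping(sample)["verdict"])
```

Paste the real output of `ping www.domain.com` into `triage_ping` to get the same verdict the article reaches by hand.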

To enable IP Routing, perform the following steps:

  1. Open the ISA Management console. Expand Servers and Arrays. Expand your server name and then expand the Access Policy node.
  2. Right click on IP Packet Filters and click Properties.
  3. On the General tab, place a checkmark in the checkbox for Enable Packet Filtering and place a checkmark in the checkbox for Enable IP routing. Click Apply and then click OK. Restart the service either manually or let the ISA Server do it for you.

Note: if the server is a member of an Enterprise Array, the Enterprise Policy may have already forced Packet Filtering on the Array. In this case, you just need to enable IP Routing.

We hope you found this tip helpful. If you have questions on this tip, please post a message to the message boards here at www.isaserver.org. You can also write to me at [email protected]. Please put the name of the article in the subject line and I’ll get back to you as soon as possible. – Tom.
