SecureNAT and firewall clients are disconnected from the network

If you are using a Secure Network Address Translation (SecureNAT) client computer or a Firewall client computer with Internet Security and Acceleration (ISA) Server, you may be disconnected from the network. When this behavior occurs, no error messages are logged on the ISA Server computer; however, various network error messages may be logged on the clients depending on the program that you are using.

This behavior can occur because ISA Server limits each client to forty SecureNAT mappings, by default. If there are more than forty simultaneous connections from one client, when the forty-first connection is requested from the same client, ISA Server sends a TCP Reset frame to the oldest connection, and then the new connection is successfully established.

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To resolve this behavior, increase the registry value that controls the number of connections that ISA Server allows for each client:

1. Start Registry Editor (Regedt32.exe).
2. Locate and click the following registry key:
   HKEY_LOCAL_MACHINE\Software\Microsoft\FPC\Arrays\GUID\ArrayPolicy\Proxy-WSP\msFPCConnectionQuota
3. Click DWORD on the Edit menu, type a new value, and then click OK.
   
   NOTE: The new value depends on your environment. The default is 40 decimal. A new value of 100 decimal is safe in most cases. To determine a specific value, analyze the maximum number of simultaneous sessions that you need. The maximum allowable value is based on available system resources.
4. Quit Registry Editor.

If you install ISA Server Enterprise Edition in an array, the setting that controls the number of connections that ISA Server allows for each client is stored in the Active Directory directory service, rather than in the registry. In this case, you must use a tool like the Active Directory Service Interfaces (ADSI) Edit tool to set this value. To do this, use the following steps.

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

1. Click Start, click Run, type adsiedit.msc, and then click OK.
2. Locate and modify the following object in Active Directory:
   DomainNC,DC=domain_name,DC=com,CN=System,CN=FPC,CN=Arrays,CN=GUID,CN=ArrayPolicy,CN=Proxy-WSP
3. Right-click the CN=Proxy-WSP object, and then select Properties.
4. Select Both from the Select which properties to view menu.
5. Select msFPCConnectionQuota from the Select a property to view menu.
6. Click the Clear button.
7. Change the value from 40 to 100, and then click OK.
8. Close the ADSI Edit tool.

Note The ADSI Edit snap-in (AdsiEdit.msc) is included with the Microsoft Windows Support Tools. To install the Windows Support Tools in Windows 2000, double-click Setup.exe in the Support\Tools folder on the Windows 2000 CD. To install the Windows Support Tools in Windows Server 2003, double-click Suptools.msi in the Support\Tools folder on the Windows Server 2003 CD.

This behavior occurs on SecureNAT clients and Firewall clients but it does not occur on Web Proxy clients. This behavior is particularly noticeable if you use a perimeter network (also known as DMZ, demilitarized zone, and screened subnet) with back-to-back ISA Server computers.

If you are running your ISA Server computers back-to-back to create a perimeter network, you are more likely to experience this behavior. The internal ISA Server computer translates all of the internal clients using Network Address Translation (NAT) protocol. The frames are sent to the external ISA Server computer, which uses NAT protocol to translate all of the internal clients again. To the external ISA Server computer, all of the connections look like one client (they use the perimeter network Internet Protocol (IP) address of the internal ISA Server computer). Therefore, forty internal clients look like one client that has forty different connections to the external ISA Server computer.

Network Monitor Trace

When you do a network trace, you see the external ISA Server computer send a TCP\IP Reset frame in both directions on the connection. One frame is sent back to the client (or the internal ISA Server computer if you are using a perimeter network), and the other is sent to the Internet server.