Consider the following scenario. A downstream server is running Microsoft Internet Security and Acceleration (ISA) Server 2004. This downstream server is chained to a third-party upstream server through Web-chaining configuration. In this scenario, ISA Server does not reuse the TCP connections that have been created to the upstream server. Instead, ISA Server closes each TCP connection after an HTTP response is received.
When the network is under a heavy load, this behavior may cause ISA Server to exhaust all available TCP ports.
Back to the top
Some third-party proxy servers send an HTTP response that includes both of the following headers:
| • | Content-Length |
| • | Transfer-Encoding: Chunked |
According to section 4.4 of the RFC 2616 specifications, these two headers are mutually exclusive, and they must not be used together. This HTTP response indicates a potential HTTP smuggling attack. Therefore, ISA Server processes the response by ignoring the Content-Length header. Then, ISA Server closes the TCP connection to avoid the potential attack.
Back to the top
Important These steps may increase your security risk. These steps may also make the computer or the network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you decide to implement this process, take any appropriate additional steps to help protect the system. We recommend that you use this process only if you really require this process.
Warning After you follow the steps in this section, ISA Server 2004 will not close the TCP connections, even if both the Content-Length header and the "Transfer-Encoding: Chunked" header are present in the HTTP response. This resolution reduces the protection that is provided by ISA Server. Therefore, we do not recommend that you apply this change unless the upstream server provides protection against HTTP smuggling attacks.
To change the default ISA behavior, follow these steps:
| 1. | Install ISA Server 2004 Service Pack 3. For more information about how to obtain the latest service pack for ISA Server 2004, visit the following Microsoft TechNet Web site: |
| 2. | Start Notepad. |
| 3. | Copy the following code, and then paste it into Notepad:''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' This script sets whether ISA will keep connections open after it receives an HTTP
' response that contains both a Content-Length header and a Transfer-Encoding: Chunked header.
'
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_NAME = "EnableKb934022"
Const SE_VPS_VALUE = true
Sub SetValue()
' Create the root object.
Dim root ' The FPCLib.FPC root object
Set root = CreateObject("FPC.Root")
'Declare the other objects needed.
Dim array ' An FPCArray object
Dim VendorSets ' An FPCVendorParametersSets collection
Dim VendorSet ' An FPCVendorParametersSet object
' Get references to the array object
' and to the network rules collection.
Set array = root.GetContainingArray
Set VendorSets = array.VendorParametersSets
On Error Resume Next
Set VendorSet = VendorSets.Item( SE_VPS_GUID )
If Err.Number <> 0 Then
Err.Clear
' Add the item.
Set VendorSet = VendorSets.Add( SE_VPS_GUID )
CheckError
WScript.Echo "New VendorSet added... " & VendorSet.Name
Else
WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value(SE_VPS_NAME)
End If
if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
Err.Clear
VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
If Err.Number <> 0 Then
CheckError
Else
VendorSets.Save false, true
CheckError
If Err.Number = 0 Then
WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
End If
End If
Else
WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
End If
End Sub
Sub CheckError()
If Err.Number <> 0 Then
WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
Err.Clear
End If
End Sub
SetValue
|
| 4. | Save the text file as "Enable934022." |
| 5. | Open a command prompt, switch to the location in which the script is saved, and then run the following command at the command prompt: cscript Enable934022.vbs |
Note To revert to the default setting, edit the script by changing "Const SE_VPS_VALUE = true" to "Const SE_VPS_VALUE = false." Save the script, and then run it again.
Back to the top
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top
Help and Support
