Article ID: 833009 - Last Review: June 14, 2007 - Revision: 1.11

FIX: ICMP traffic is not blocked during startup period with ISA Server

Hotfix download is availableHotfix Download Available
View and request hotfix downloads
View products that this article applies to.

Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986  (http://support.microsoft.com/kb/256986/ ) Description of the Microsoft Windows Registry

On This Page

Expand all | Collapse all

SYMPTOMS

When a computer that is running Internet Security and Acceleration Server (ISA) 2000 starts, ISA does not block external Internet Control Message Protocol (ICMP) traffic even if ISA policies do not permit the traffic. For example, you may be able to PING ISA Server for a short time period after you start the computer. You can correct this problem if the following is true:
  • ISA Server is installed in integrated mode or firewall mode.
  • Packet filtering is enabled on the ISA Server-based computer. (If ISA Server is installed in cache mode or if packet filtering is not enabled, you do not use packet filtering; therefore, you do not expect that ICMP traffic is blocked.)

    Note For instructions on how to configure packet filtering, see the "More Information" section.
This problem does not occur if the startup period is complete, the ISA Server services are started, and ISA policies do not permit ICMP traffic.
Back to the top

CAUSE

The problem may occur if the TCP/IP stack is operational before the ISA Server packet filter driver is loaded and running. In this scenario, a small time gap occurs when traffic is not blocked.
Back to the top

RESOLUTION

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support (http://support.microsoft.com/contactus/?ws=support)
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Back to the top

Prerequisites

ISA Server Service Pack 1
Back to the top

Restart requirement

After you install this hotfix, you must add a registry key as described in the "More Information" section. After you install this key, you must restart your computer.
Back to the top

Hotfix replacement information

This hotfix does not replace any other hotfixes.
Back to the top

File information

The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
   Date        Time     Version      Size    File name
   --------------------------------------------------
   02-Feb-2004 21:38:14 3.0.1200.301 41,584  Mspfltex.sys
   02-Feb-2004 21:39:28 3.0.1200.301 518,928 Stpsrvex.dll
Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section of this article.
Back to the top
Back to the top

MORE INFORMATION

This hotfix will change the load order of the ISA Server packet filter driver and the operating system packet filter driver. The ISA Server packet filter driver will load earlier in the startup sequence. After you install and enable this hotfix, ISA Server will block any incoming or outgoing ICMP traffic on all network adapters until the ISA Server Control service is started, and filtering can be applied according to static filters and rules.
Back to the top

How to enable this hotfix

After you install this hotfix, follow these steps to enable it.
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
  1. Click Start, and then click Run.
  2. In the Open box, type regedit, and then click OK.
  3. Locate the following subkey in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MspFltEx\Parameters\Options
  4. Right-click Options, point to New, and then click DWORD Value.
  5. Type EnableLockDown, and then press ENTER.
  6. Click EnableLockDown, and then right-click Modify.
  7. In the Value data box, type 1.
  8. Restart the computer.
If you want to revert to the original behavior and not block ICMP traffic on startup, delete the EnableLockDown registry key or set it to 0. The changed load order of the drivers will remain. You must remove the hotfix if you want to revert to the original load order of the drivers.
Back to the top

When this hotfix must not be installed

Microsoft does not recommend that you install this hotfix when no external network adapter is available to ISA Server, as in the following circumstances:
  • Only one network adapter is installed in the ISA Server-based computer, regardless of operation mode (firewall, integrated, or cache). In this case, the hotfix installation will stop.
  • No external IP address is available outside the local address table (LAT). In other words, the external adapter is disabled or unavailable.
  • The external Internet connection is a dial-up adapter that uses PPP or direct-dial. Microsoft does not support the installation of this hotfix when ISA Server uses a dial-up connection.
  • ISA Server is installed in cache mode only. In this case, all network interfaces are treated as internal.
Back to the top

What occurs if you install and enable this hotfix on a computer that has no external network adapter

If you install this hotfix on a computer that has no external network adapter, the following issues may occur:
  • Remote administrators will not be able to connect to the computer.
  • ISA Administration Interface will show the ISA services as unavailable. A red cross will appear in the computer node status. See "How to browse ISA Server services" in this article.
  • Even after startup is completed, ISA server will not respond to ICMP PING requests.
These issues also occur if the ISA Server Control service is down or if you disable an external interface after you install the hotfix. When no external network adapter exists, the driver keeps the original "Block all ICMP" policy, and failures occur.

Back to the top

Note

If you install ISA server in cache only mode, these issues will not occur.

Back to the top

When the hotfix must be removed

You must remove the hotfix in the following circumstances:
  • Before you change the ISA operation mode from integrated mode (firewall and cache) or firewall mode to cache mode.
  • Before you change the network configuration of the ISA Server so an external network interface no longer exists.
  • Before you use the Rmisa.exe file to remove ISA Server. (This file is on the ISA Server CD).

Back to the top

How to remove the hotfix


If you want to return to the driver load order and traffic blocking behavior that existed before you installed this hotfix, follow these steps to remove the hotfix:
  1. Click Start, and then click Control Panel.
  2. Click Add or Remove Programs, and then click Microsoft ISA Server Updates.
  3. In the Change list, click ISA Hotfix 301.
  4. Click Remove, and then restart the computer.
Back to the top

How to enable packet filtering in ISA Server

To enable packet filtering, follow these steps:
  1. Open ISA Server Microsoft Management Console (MMC).
  2. Locate Access Policy, and then right-click IP Packet Filters.
  3. Click Properties, and then click to select the Enable Packet Filtering check box.
  4. Click OK.
Back to the top

How to browse ISA Server services

To browse ISA Server services, follow these steps:
  1. Open ISA Server MMC.
  2. Browse the Monitoring tree, and then click Services.
  3. Check the status of the services in the right pane.
Back to the top
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2000 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2000 Service Pack 1
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
Back to the top
Keywords: 
kbautohotfix kbqfe kbhotfixserver kbisaserv2000presp2fix kbfix kbbug KB833009
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations