Help and Support

Article ID: 923324 - Last Review: December 4, 2007 - Revision: 2.3

Virtual memory allocation for the Microsoft Firewall service increases by as much as 512 MB in ISA Server 2004, ISA Server 2006, Windows Essential Business Server 2008, or Forefront Threat Management Gateway, Medium Business Edition

View products that this article applies to.

On This Page

Expand all | Collapse all

SYMPTOMS

You create many connectivity verifiers that use HTTP requests to verify connectivity in Microsoft Internet Security and Acceleration (ISA) Server 2004, in ISA Server 2006, in Forefront Threat Management Gateway, Medium Business Edition, or in Windows Essential Business Server 2008. After you do this, virtual memory allocations for the Microsoft Firewall service may increase by as much as 512 megabytes (MB) over time.

Generally, this behavior does not cause a problem in ISA Server 2004, in ISA Server 2006, in Forefront Threat Management Gateway, Medium Business Edition, or in Windows Essential Business Server. The number of firewall worker threads limits this increase in memory usage. However, this behavior can cause a problem on a computer that has lots of physical memory and that has a high memory cache setting for the Web Proxy component. On such a computer, this behavior could cause the failure of new memory allocations in ISA Server 2004, in ISA Server 2006, in Forefront Threat Management Gateway, Medium Business Edition, or in Windows Essential Business Server. Therefore, ISA Server 2004, ISA Server 2006, Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server may be unable to process Web requests.

Note The memory for the Web Proxy cache is controlled by the Percentage of free memory to use for caching setting. For more information about memory that is used for caching in ISA Server 2004, click the following article number to view the article in the Microsoft Knowledge Base:
837577  (http://support.microsoft.com/kb/837577/ ) A clarification of the "Percentage of free memory to use for caching" option in ISA Server 2004
Back to the top

CAUSE

This problem occurs because the HTTP request connectivity verification process runs on the main firewall worker threads. For each new thread on which the connectivity verifier runs, the connectivity verifier initializes some data structures. Because the Microsoft Firewall service can use many threads to handle client computer requests, these HTTP request connectivity verifiers may cause an increase in virtual memory allocations for the Microsoft Firewall service process over time. If the Percentage of free memory to use for caching setting is set to a high value, these memory allocations could cause the Microsoft Firewall service to reach the 2 gigabyte (GB) address space limit for 32-bit operating systems. Therefore, new memory allocations will be unsuccessful.
Back to the top

RESOLUTION

To resolve this problem for ISA Server 2006, install the hotfix package that is mentioned in the following Microsoft Knowledge Base article:
937186  (http://support.microsoft.com/kb/937186/ ) Description of the ISA Server 2006 hotfix package that is dated May 14, 2007
To resolve this problem for ISA Server 2004, install the hotfix package that is mentioned in the following Microsoft Knowledge Base article:
923330  (http://support.microsoft.com/kb/923330/ ) Description of the ISA Server 2004 hotfix package: July 27, 2006
After you install this hotfix, you must run the following script to enable the functionality that this hotfix provides. The script configures the Microsoft Firewall service so that it does not use the main firewall threads for the HTTP request connectivity verifiers. Additionally, this script causes the Microsoft Firewall service to create a new thread for each HTTP request connectivity verifier.

Caution If you use hundreds of HTTP request connectivity verifiers, we recommend that you use the default ISA Server 2004 behavior to manage HTTP request connectivity verifiers. In this situation, we recommend that you follow the steps in the "Workaround" section to manually configure the percentage of RAM that you use for caching.
Back to the top

Enable the functionality that this hotfix provides

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

To enable the functionality that this hotfix provides, run the following script:
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
 
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' This script adds a new VendorParametersSets under the array root.
' Used to add new parameters that are needed for hotfixes or service packs.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_VALUE = "EnableThreadPerHttpVerifier"

Sub SetEnableThreadPerHttpVerifier()

    ' Create the root obect.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    'Declare the other objects needed.
    Dim array       ' An FPCArray object
    Dim VendorSets  ' An FPCVendorParametersSets collection
    Dim VendorSet   ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and the network rules collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )

    If Err.Number <> 0 Then
        Err.Clear

        ' Add the item
        Set VendorSet = VendorSets.Add( SE_VPS_GUID )
        CheckError
        WScript.Echo "New VendorSet added... " & VendorSet.Name

    Else
        WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_VALUE)
    End If

    if VendorSet.Value(SE_VPS_VALUE) <> true Then

        Err.Clear
        VendorSet.Value(SE_VPS_VALUE) = true

        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save false, true
            CheckError

            If Err.Number = 0 Then
                WScript.Echo "Done with " & SE_VPS_VALUE & ", saved!"
            End If
        End If
    Else
        WScript.Echo "Done with " & SE_VPS_VALUE & ", no change!"
    End If

End Sub

Sub CheckError()

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If

End Sub

SetEnableThreadPerHttpVerifier
Back to the top

Remove the functionality that this hotfix provides

To restore ISA Server 2004 to its default behavior, run the following script:
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'
' Copyright (c) Microsoft Corporation. All rights reserved.
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
 
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' This script removes a VendorParametersSet value.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
Const SE_VPS_VALUE = "EnableThreadPerHttpVerifier"

Sub RemoveEnableThreadPerVerifier()

    ' Create the root obect.
    Dim root  ' The FPCLib.FPC root object
    Set root = CreateObject("FPC.Root")

    'Declare the other objects needed.
    Dim array       ' An FPCArray object
    Dim VendorSets  ' An FPCVendorParametersSets collection
    Dim VendorSet   ' An FPCVendorParametersSet object

    ' Get references to the array object
    ' and the network rules collection.
    Set array = root.GetContainingArray
    Set VendorSets = array.VendorParametersSets

    On Error Resume Next
    Set VendorSet = VendorSets.Item( SE_VPS_GUID )

    If Err.Number <> 0 Then
        Err.Clear

	WScript.Echo "VendorParametersSet does not exist."

    Else
        Err.Clear

        VendorSet.RemoveValue(SE_VPS_VALUE)

        If Err.Number <> 0 Then
            CheckError
        Else
            VendorSets.Save false, true
            CheckError

            If Err.Number = 0 Then
                WScript.Echo "Done removing " & SE_VPS_VALUE & ", saved!"
            End If
        End If
    End If

End Sub

Sub CheckError()

    If Err.Number <> 0 Then
        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
    End If

End Sub

RemoveEnableThreadPerVerifier
Back to the top

WORKAROUND

To work around this problem, decrease the value that appears in the Percentage of free memory to use for caching setting to enable up to 512 MB of virtual memory allocations. The percentage setting for the Web Proxy cache should not exceed 1.2 GB of memory.

To calculate the percentage of RAM to set for caching, use the following formula:
Percentage of RAM for caching = 1.2 GB / Amount of physical RAM * 100
For example, on a server that has 4 GB of RAM, this formula appears as follows:
Percentage of RAM for caching = 1.2 / 4 * 100
Therefore, in this situation, you should use approximately 30 percent RAM for caching.

To view the Percentage of free memory to use for caching value, follow these steps.
Back to the top

ISA 2004 or for ISA 2006

  1. Start the ISA Server Management tool.
  2. Expand the server name, expand Configuration, right-click Cache, and then click Properties.
  3. In the Cache Settings dialog box, click the Advanced tab.
  4. Note the value that appears in the Percentage of free memory to use for caching box.
Back to the top

Windows Essential Business Server or Forefront Threat Management Gateway, Medium Business Edition

  1. Start the Microsoft Forefront Threat Management Gateway, Medium Business Edition Server Management console.
  2. Click Web Access Policy.
  3. Under Tasks, click Configure Web Caching.
  4. Click the Advanced tab.
  5. Note the value that appears in the Percentage of free memory to use for caching box.
Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2004 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition
  • Microsoft Forefront Threat Management Gateway, Medium Business Edition
  • Windows Essential Business Server 2008 Standard
Back to the top
Keywords: 
kbtshoot kbfirewall kbfix kbbug kbprb KB923324
Back to the top

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations