The values that appear in the "Bytes Sent" field and in the "Bytes Received" field are reversed when you log traffic for a server-publishing rule in ISA Server 2006

When you configure Firewall logging in Microsoft Internet Security and Acceleration (ISA) Server 2006, the values that appear in the Bytes Sent field of the log and in the Bytes Received field of the log are reversed. The sent bytes appear in the Bytes Received field of the log. The received bytes appear in the Bytes Sent field of the log. You experience this problem if the following conditions are true:

• The logged traffic corresponds to a server-publishing rule.
• This server-publishing rule has an application filter enabled.

Note For information about how you can determine whether a server-publishing rule has an application filter enabled, see the "More Information" section.

This problem occurs because of the way that ISA Server 2006 handles traffic for a server-publishing rule that has an application filter enabled.

ISA Server 2006 handles TCP filtering in kernel mode. However, an application filter may be enabled for the protocol that is used in a server-publishing rule. In this case, ISA Server 2006 handles the corresponding traffic in user mode. In user mode, ISA Server 2006 logs the sent bytes and the received bytes in reverse order.

For more information about the ISA Server Firewall log fields, visit the following Microsoft Web site:

Hotfix information

A hotfix is available for computers that are running ISA Server 2006. To resolve this problem, install the hotfix that is described in Microsoft Knowledge Base article 933718. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Hotfix installation information

After you install the hotfix, you must run a script. This script configures ISA Server to reverse the order of the Bytes Sent field and the Bytes Received field for server-publishing traffic that is handled in user mode.

Note By default, this behavior is not enabled. This is to avoid causing a problem for reporting mechanisms that rely on the current field order.

To run this script, follow these steps.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

1. Paste the following code into a text editor such as Notepad:

   ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
   '
   ' Copyright (c) Microsoft Corporation. All rights reserved.
   ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
   ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
   ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
   ' HEREBY PERMITTED.
   ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
   	
   ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
   ' This script changes the ordering of the Bytes Sent and Bytes Received fields for server-publishing 
   ' traffic that is handled in user mode when an application is bound to the published protocol.
   ' 
   '
   ' Usage - to disable the setting of the HTTPOnly attribute on a specified Web listener
   ' Cscript SwapCountersUMServerPublishing.vbs 
   '
   ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
   Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
   Const SE_VPS_NAME = "SwapCountersUMServerPublishing"
   Const SE_VPS_VALUE = true
   
   Sub SetValue()
   
       ' Create the root obect.
       Dim root  ' The FPCLib.FPC root object
       Set root = CreateObject("FPC.Root")
   
       'Declare the other objects needed.
       Dim array       ' An FPCArray object
       Dim VendorSets  ' An FPCVendorParametersSets collection
       Dim VendorSet   ' An FPCVendorParametersSet object
   
       ' Get references to the array object
       ' and the network rules collection.
       Set array = root.GetContainingArray
       Set VendorSets = array.VendorParametersSets
   
       On Error Resume Next
       Set VendorSet = VendorSets.Item( SE_VPS_GUID )
   
       If Err.Number <> 0 Then
           Err.Clear
   
           ' Add the item.
           Set VendorSet = VendorSets.Add( SE_VPS_GUID )
           CheckError
           WScript.Echo "New VendorSet added... " & VendorSet.Name
   
       Else
           WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
       End If
   
       if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
   
           Err.Clear
           VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
   
           If Err.Number <> 0 Then
               CheckError
           Else
               VendorSets.Save false, true
               CheckError
   
               If Err.Number = 0 Then
                   WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
               End If
           End If
       Else
           WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
       End If
   
   End Sub
   
   Sub CheckError()
   
       If Err.Number <> 0 Then
           WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
           Err.Clear
       End If
   
   End Sub
   
   SetValue
   

2. Save the file as SwapCountersUMServerPublishing.vbs, and then exit the text editor.
3. Open a command prompt, and then change to the directory to which you saved the SwapCountersUMServerPublishing.vbs file.
4. Type the following command, and then press ENTER:
   cscript SwapCountersUMServerPublishing.vbs

Note To restore ISA Server 2006 so that it uses the default ordering of the Bytes Sent field and the Bytes Received field, follow these steps:

1. Change the value of the Const SE_VPS_VALUE entry in the SwapCountersUMServerPublishing.vbs file. To do this, follow these steps:
   1. Open the SwapCountersUMServerPublishing.vbs file in a text editor such as Notepad.
   2. Locate the following entry:
      Const SE_VPS_VALUE = true
   3. Change this entry to the following:
      Const SE_VPS_VALUE = false
   4. Save the changes to the SwapCountersUMServerPublishing.vbs file, and then exit the text editor.
2. Open a command prompt, and then change to the directory to which you saved the SwapCountersUMServerPublishing.vbs file.
3. Type the following command, and then press ENTER:
   cscript SwapCountersUMServerPublishing.vbs

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

To determine whether a server-publishing rule has an application filter enabled, follow these steps:

1. Start the ISA Server Management console.
2. In the navigation pane, click Firewall Policy.
3. Right-click the server-publishing rule, and then click Properties.
4. Click the Traffic tab, and then click Properties.
5. In the Protocol Name Properties dialog box, click the Parameters tab.

Check boxes that correspond to application filters appear in the Application Filters box.

For more information about the core components in ISA Server 2006, see the "ISA Server 2006 Firewall Core" white paper. To obtain this white paper, visit the following Microsoft Web site: