An ISA Server 2004 or ISA Server 2006 downstream server does not reuse the TCP connections to a third-party upstream server

Article translations Article translations
Article ID: 934022 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

Consider the following scenario. A downstream server is running Microsoft Internet Security and Acceleration (ISA) Server 2004 or Microsoft Internet Security and Acceleration (ISA) Server 2006. This downstream server is chained to a third-party upstream server through Web-chaining configuration. In this scenario, ISA Server does not reuse the TCP connections that have been created to the upstream server. Instead, ISA Server closes each TCP connection after an HTTP response is received.

When the network is under a heavy load, this behavior may cause ISA Server to exhaust all available TCP ports.

CAUSE

Some third-party proxy servers send an HTTP response that includes both of the following headers:
  • Content-Length
  • Transfer-Encoding: Chunked
According to section 4.4 of the RFC 2616 specifications, these two headers are mutually exclusive, and they must not be used together. This HTTP response indicates a potential HTTP smuggling attack. Therefore, ISA Server processes the response by ignoring the Content-Length header. Then, ISA Server closes the TCP connection to avoid the potential attack.

RESOLUTION

RESOLUTION

To resolve this problem, obtain the latest ISA Server service pack. For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
954258 How to obtain the latest Internet Security and Acceleration (ISA) Server 2006 service pack
891024 How to obtain the latest ISA Server 2004 service pack
Important These steps may increase your security risk. These steps may also make the computer or the network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you decide to implement this process, take any appropriate additional steps to help protect the system. We recommend that you use this process only if you really require this process.
Warning After you follow the steps in this section, ISA Server 2004 will not close the TCP connections, even if both the Content-Length header and the "Transfer-Encoding: Chunked" header are present in the HTTP response. This resolution reduces the protection that is provided by ISA Server. Therefore, we do not recommend that you apply this change unless the upstream server provides protection against HTTP smuggling attacks.

To change the default ISA behavior, follow these steps:
  1. To resolve this problem, obtain the latest ISA Server service pack. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    954258 How to obtain the latest Internet Security and Acceleration (ISA) Server 2006 service pack
    891024 How to obtain the latest ISA Server 2004 service pack
  2. Start Notepad.
  3. Copy the following code, and then paste it into Notepad:
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    '
    ' Copyright (c) Microsoft Corporation. All rights reserved.
    ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
    ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
    ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
    ' HEREBY PERMITTED.
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    	
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ' This script sets whether ISA will keep connections open after it receives an HTTP 
    ' response that contains both a Content-Length header and a Transfer-Encoding: Chunked header.
    '
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "EnableKb934022"
    Const SE_VPS_VALUE = true
    
    Sub SetValue()
    
        ' Create the root object.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")
    
        'Declare the other objects needed.
        Dim array       ' An FPCArray object
        Dim VendorSets  ' An FPCVendorParametersSets collection
        Dim VendorSet   ' An FPCVendorParametersSet object
    
        ' Get references to the array object
        ' and to the network rules collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets
    
        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    
        If Err.Number <> 0 Then
            Err.Clear
    
            ' Add the item.
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name
    
        Else
            WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
        End If
    
        if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
    
            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
    
            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save false, true
                CheckError
    
                If Err.Number = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If
    
    End Sub
    
    Sub CheckError()
    
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
    
    End Sub
    
    SetValue
    
  4. Save the text file as "Enable934022."
  5. Open a command prompt, switch to the location in which the script is saved, and then run the following command at the command prompt:
    cscript Enable934022.vbs
Note To revert to the default setting, edit the script by changing "Const SE_VPS_VALUE = true" to "Const SE_VPS_VALUE = false." Save the script, and then run it again.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information about how to install ISA Server hotfixes and updates, click the following article number to view the article in the Microsoft Knowledge Base:
885957 How to install ISA Server hotfixes and updates

Properties

Article ID: 934022 - Last Review: October 24, 2008 - Revision: 2.0
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2004 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
Keywords: 
kbtshoot kbexpertiseinter kbprb KB934022

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com