An ISA Server 2004 or ISA Server 2006 downstream server does not reuse the TCP connections to a third-party upstream server

Consider the following scenario. A downstream server is running Microsoft Internet Security and Acceleration (ISA) Server 2004 or Microsoft Internet Security and Acceleration (ISA) Server 2006. This downstream server is chained to a third-party upstream server through Web-chaining configuration. In this scenario, ISA Server does not reuse the TCP connections that have been created to the upstream server. Instead, ISA Server closes each TCP connection after an HTTP response is received.

When the network is under a heavy load, this behavior may cause ISA Server to exhaust all available TCP ports.

Some third-party proxy servers send an HTTP response that includes both of the following headers:

• Content-Length
• Transfer-Encoding: Chunked

According to section 4.4 of the RFC 2616 specifications, these two headers are mutually exclusive, and they must not be used together. This HTTP response indicates a potential HTTP smuggling attack. Therefore, ISA Server processes the response by ignoring the Content-Length header. Then, ISA Server closes the TCP connection to avoid the potential attack.

RESOLUTION

Important These steps may increase your security risk. These steps may also make the computer or the network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you decide to implement this process, take any appropriate additional steps to help protect the system. We recommend that you use this process only if you really require this process.
Warning After you follow the steps in this section, ISA Server 2004 will not close the TCP connections, even if both the Content-Length header and the "Transfer-Encoding: Chunked" header are present in the HTTP response. This resolution reduces the protection that is provided by ISA Server. Therefore, we do not recommend that you apply this change unless the upstream server provides protection against HTTP smuggling attacks.

To change the default ISA behavior, follow these steps:

1. To resolve this problem, obtain the latest ISA Server service pack. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
   954258  (http://support.microsoft.com/kb/954258/ ) How to obtain the latest Internet Security and Acceleration (ISA) Server 2006 service pack
   891024  (http://support.microsoft.com/kb/891024/ ) How to obtain the latest ISA Server 2004 service pack
2. Start Notepad.
3. Copy the following code, and then paste it into Notepad:

   ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
   '
   ' Copyright (c) Microsoft Corporation. All rights reserved.
   ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
   ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
   ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
   ' HEREBY PERMITTED.
   ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
   	
   ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
   ' This script sets whether ISA will keep connections open after it receives an HTTP 
   ' response that contains both a Content-Length header and a Transfer-Encoding: Chunked header.
   '
   ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
   
   Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
   Const SE_VPS_NAME = "EnableKb934022"
   Const SE_VPS_VALUE = true
   
   Sub SetValue()
   
       ' Create the root object.
       Dim root  ' The FPCLib.FPC root object
       Set root = CreateObject("FPC.Root")
   
       'Declare the other objects needed.
       Dim array       ' An FPCArray object
       Dim VendorSets  ' An FPCVendorParametersSets collection
       Dim VendorSet   ' An FPCVendorParametersSet object
   
       ' Get references to the array object
       ' and to the network rules collection.
       Set array = root.GetContainingArray
       Set VendorSets = array.VendorParametersSets
   
       On Error Resume Next
       Set VendorSet = VendorSets.Item( SE_VPS_GUID )
   
       If Err.Number <> 0 Then
           Err.Clear
   
           ' Add the item.
           Set VendorSet = VendorSets.Add( SE_VPS_GUID )
           CheckError
           WScript.Echo "New VendorSet added... " & VendorSet.Name
   
       Else
           WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
       End If
   
       if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
   
           Err.Clear
           VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
   
           If Err.Number <> 0 Then
               CheckError
           Else
               VendorSets.Save false, true
               CheckError
   
               If Err.Number = 0 Then
                   WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
               End If
           End If
       Else
           WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
       End If
   
   End Sub
   
   Sub CheckError()
   
       If Err.Number <> 0 Then
           WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
           Err.Clear
       End If
   
   End Sub
   
   SetValue
   

4. Save the text file as "Enable934022."
5. Open a command prompt, switch to the location in which the script is saved, and then run the following command at the command prompt:
   cscript Enable934022.vbs

Note To revert to the default setting, edit the script by changing "Const SE_VPS_VALUE = true" to "Const SE_VPS_VALUE = false." Save the script, and then run it again.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

For more information about how to install ISA Server hotfixes and updates, click the following article number to view the article in the Microsoft Knowledge Base: