When clients connect to a Web site that you published by using ISA Server 2006, the Microsoft Firewall service may use 100 percent of the CPU resources

Article ID: 937434

SYMPTOMS

When clients connect to a Web site that you published by using Microsoft Internet Security and Acceleration (ISA) Server 2006, the Microsoft Firewall service (fwsrv) may use 100 percent of the CPU resources.

You may experience this problem if the following conditions are both true:
  • The clients connect to the Web site by using the HTTPS protocol.
  • The Web listener for the Web site publishing rule requires client Secure Sockets Layer (SSL) certificates for authentication.
Note: To determine whether the Web listener requires client SSL certificates, follow the steps in the "More Information" section.

CAUSE

This problem occurs if ISA Server 2006 cannot renegotiate the encryption keys with the client.

On the Authentication Preferences tab of the Advanced Authentication Options dialog box for the Web listener, you can use the SSL client certificate timeout (seconds) check box together with a value to configure when the client certificate times out. By default, this value is set to 300 seconds. When the client certificate times out, ISA Server 2006 tries to renegotiate encryption keys with the client.

RESOLUTION

A hotfix is available for computers that are running ISA Server 2006. To resolve this problem, install the hotfix that is described in the following Microsoft Knowledge Base article:

937186 Description of the ISA Server 2006 hotfix package that is dated May 14, 2007

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

How to determine whether the Web listener requires client SSL certificates

  1. Start the ISA Server Management tool, and then locate the appropriate Web site publishing rule.
  2. Right-click the Web site publishing rule, and then click Properties.
  3. Click the Listener tab, verify that the correct listener is displayed, and then click Properties.
  4. Click the Authentication tab, and then click Advanced.
  5. On the Authentication Preferences tab of the Advanced Authentication Options dialog box, determine whether the Require SSL client certificate check box is selected.

Properties

Article ID: 937434 - Last Review: June 14, 2007 - Revision: 1.1
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
Keywords: kbfirewall kbtshoot kbfix kbbug kbprb KB937434
