Article ID: 940343 - Last Review: August 14, 2007 - Revision: 1.1

ISA Server 2006 drops the HTTP CONNECT request that is used to establish an SSL tunnel when DiffServ-based network traffic prioritization is enabled

View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

In Microsoft Internet Security and Acceleration (ISA) Server 2006, you enable network traffic prioritization that is based on differentiated services (DiffServ). Then, an HTTP client establishes a TCP connection for HTTP communication that is not secured by the Secure Socket Layer (SSL) protocol. However, when the client reuses the TCP connection to try to establish an SSL tunnel, ISA Server 2006 drops the HTTP CONNECT request.
Back to the top

CAUSE

This problem occurs because the DiffServ filter cannot parse the URL when the HTTP client sends an HTTP CONNECT request on a TCP connection that has already been used for non-SSL communication. In this situation, the DiffServ filter stops trying to establish the SSL tunnel. The filter then sends a TCP FIN packet to the HTTP client.
Back to the top

RESOLUTION

To resolve this problem, apply the hotfix rollup package that is described in the following Microsoft Knowledge Base article:
940250  (http://support.microsoft.com/kb/940250/ ) Description of the ISA Server 2006 hotfix package: date
Back to the top

WORKAROUND

To work around this problem, disable the DiffServ filter. To do this, follow these steps:
  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. In the console tree, expand Microsoft Internet Security and Acceleration Server 2006.
  3. If you are running ISA Server 2006 Enterprise Edition, expand Arrays, and then expand the node that corresponds to the array. If you are running ISA Server 2006 Standard Edition, expand the node that corresponds to the server.
  4. Expand Configuration, and then click Add-ins.
  5. In the details pane, click the Web Filters tab, click to select the DiffServ Filter item, and then click Disable selected Filters.
  6. Click Apply.
Back to the top

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Back to the top

MORE INFORMATION

To enable the network traffic prioritization as the "Symptoms" section describes, perform the following actions:
  • Enable the DiffServ filter.
  • Enable the Enable the network traffic prioritization according to DiffServ (Quality of Service) bits option.
  • Define at least one priority.
Back to the top
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
Back to the top
Keywords: 
kbtshoot kbexpertiseinter kbprb KB940343
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations