DNS queries that pass through an ISA Server 2000 NAT gateway do not use random source ports

Article ID: 956637 - View products that this article applies to.
This article has been archived. It is offered "as is" and will no longer be updated.

Symptoms

You are using Microsoft Internet Security and Acceleration (ISA) Server 2000 as a network address translation (NAT) gateway. Internal clients send Domain Name System (DNS) queries across this NAT gateway. However, after you install security update 953230 (security bulletin MS08-037) on a client, DNS queries that pass through the ISA Server 2000 NAT gateway from this client do not use random source ports.

Cause

This problem occurs because the NAT gateway may change the source port that is used by an internal client. When ISA Server 2000 creates the outbound UDP mapping for a DNS query, it replaces the client's source port with one that the gateway allocates itself, so the DNS server (and anyone watching the external side of the gateway) sees the gateway's port, not the client's randomized port. Security update 953230 (MS08-037) randomizes client source ports to make DNS spoofing harder; that protection is lost for queries that cross the gateway unless the gateway also allocates its source ports randomly.

For more information about the cause of this problem, see the following Microsoft Knowledge Base article:
956190 DNS queries that are sent across a firewall do not use random source ports after you install security update 953230 (MS08-037)

Resolution

To resolve this problem, follow these steps:
  1. Apply the following ISA Server 2000 update from the Microsoft Download Center:

    Update to Mitigate MS08-037 UDP Behavior Across NAT for Microsoft ISA Server 2000

    Download the 956637 package now.
  2. Click Start, click Run, type cmd, and then click OK. At the command prompt, paste the following command, and then press ENTER.
    reg add HKLM\System\CurrentControlSet\Services\Fwsrv\Parameters /v RandomBindRetry /t REG_DWORD /d 10 /f
Note After you install this update, ISA Server 2000 dynamically allocates random User Datagram Protocol (UDP) ports in new outgoing UDP sessions.

You do not have to restart the ISA Server 2000 computer after you apply this update. However, the update installer restarts the Microsoft Firewall Service (fwsrv) after the update is successfully installed, so expect a brief interruption of the traffic that the Firewall Service handles. Schedule the installation accordingly.

Workaround

To work around this problem, use the methods that are discussed in the following Microsoft Knowledge Base article:
956190 DNS queries that are sent across a firewall do not use random source ports after you install security update 953230 (MS08-037)

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More information

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
After you install the update, you can modify the registry to configure the number of times that ISA Server will try to use a random source port for each new outgoing UDP socket. To do this, follow these steps:
  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then right-click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fwsrv\Parameters
  3. Point to New, and then click DWORD Value.
  4. Type RandomBindRetry.
  5. Double-click RandomBindRetry, and then type a number in the Value data box.

    Note This value defines the number of times that ISA Server will try to use a random source port for each new outgoing UDP socket.
  6. Restart the Microsoft Firewall Service (fwsrv).
Note The value of the RandomBindRetry entry ranges from 0 through 10. If you set the value of this entry to 0, ISA Server makes no attempt to bind a random source port, and the behavior that this update adds is disabled. If this entry does not exist, ISA Server 2000 assumes that the value is 10. Do not set RandomBindRetry to a value that is greater than 10.

To set this registry entry to a recommended value, run the following command at a command prompt.
reg add HKLM\SYSTEM\CurrentControlSet\Services\Fwsrv\Parameters /v RandomBindRetry /t REG_DWORD /d 10 /f
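The following Python script is an added example and is not part of this article or of ISA Server. It models the behavior that the RandomBindRetry entry controls (a bounded number of attempts to bind a random UDP source port for each new outgoing session, as described in the "More information" section) and includes a check that you can run over the DNS source ports observed on the external interface of the gateway, which is how to confirm that the symptom described at the start of this article is gone after you apply the update. The port range, the tcpdump-style sample lines, the class and function names, and the assumption that the gateway falls back to handing out the next port in sequence when all retries collide are all constructed for this example and are not documented by Microsoft.

```python
"""Added example (not Microsoft's code): a model of how a NAT gateway's UDP
source-port allocation interacts with the RandomBindRetry setting, plus a
check that can be run over ports observed on the ISA Server's external side.

Assumptions, not taken from the article: the ephemeral range below, and that
when every RandomBindRetry attempt collides with a port already in use the
gateway falls back to handing out the next port in sequence, i.e. the
predictable pre-update behaviour."""

import random
import re

EPHEMERAL_LOW, EPHEMERAL_HIGH = 1025, 65535  # assumed allocation range

# Constructed tcpdump-style lines as they might appear on the external
# interface of an unpatched ISA Server 2000: the internal client randomised
# its source port, but the NAT rewrote it to a consecutive one.
SAMPLE_CAPTURE = """\
12:00:01.001 IP 203.0.113.10.1041 > 198.51.100.53.53: 4711+ A? example.com. (29)
12:00:01.002 IP 203.0.113.10.1042 > 198.51.100.53.53: 4712+ A? example.net. (29)
12:00:01.003 IP 203.0.113.10.1043 > 198.51.100.53.53: 4713+ AAAA? example.org. (32)
12:00:01.004 IP 203.0.113.10.1044 > 198.51.100.53.53: 4714+ A? example.edu. (29)
12:00:01.005 IP 203.0.113.10.1045 > 198.51.100.53.53: 4715+ A? example.com. (29)
12:00:01.006 IP 203.0.113.10.1046 > 198.51.100.53.53: 4716+ MX? example.com. (30)
"""

# Matches "IP <src-ip>.<src-port> > <dst-ip>.53: " for outbound UDP/53 queries.
DNS_QUERY_RE = re.compile(r"IP \S+\.(\d{1,5}) > \S+\.53: ")


def source_ports(capture_text):
    """Source ports of outbound DNS queries, in capture order."""
    return [int(m.group(1)) for m in DNS_QUERY_RE.finditer(capture_text)]


def sequential_fraction(ports):
    """Fraction of consecutive queries whose source port rose by exactly 1.
    Close to 1.0 means a sequential allocator; close to 0 means randomised."""
    if len(ports) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return hits / (len(ports) - 1)


def looks_randomized(ports, threshold=0.2):
    """True if the observed ports do not look sequentially allocated."""
    return sequential_fraction(ports) < threshold


class NatPortAllocator:
    """Simplified model of the gateway's outbound UDP source-port binding."""

    def __init__(self, random_bind_retry=10, rng=None):
        # Same 0..10 range the article documents for the registry value.
        if not 0 <= random_bind_retry <= 10:
            raise ValueError("RandomBindRetry must be between 0 and 10")
        self.retries = random_bind_retry
        self.rng = rng or random.Random()
        self.in_use = set()
        self.next_seq = EPHEMERAL_LOW
        self.fallbacks = 0  # sessions that ended up on a predictable port

    def bind(self):
        # RandomBindRetry attempts at a random port; 0 disables randomisation.
        for _ in range(self.retries):
            port = self.rng.randint(EPHEMERAL_LOW, EPHEMERAL_HIGH)
            if port not in self.in_use:
                self.in_use.add(port)
                return port
        self.fallbacks += 1
        port = self._next_sequential()
        self.in_use.add(port)
        return port

    def _next_sequential(self):
        # Assumed fallback: the next free port after the last one handed out.
        for _ in range(EPHEMERAL_HIGH - EPHEMERAL_LOW + 1):
            port = self.next_seq
            self.next_seq = EPHEMERAL_LOW if port == EPHEMERAL_HIGH else port + 1
            if port not in self.in_use:
                return port
        raise RuntimeError("UDP source ports exhausted")

    def release(self, port):
        self.in_use.discard(port)


def simulate(random_bind_retry, sessions, seed=0):
    """Ports the model hands to `sessions` new outbound UDP sessions, and how
    many of them had to fall back to the predictable sequential allocation."""
    alloc = NatPortAllocator(random_bind_retry, random.Random(seed))
    ports = [alloc.bind() for _ in range(sessions)]
    return ports, alloc.fallbacks


if __name__ == "__main__":
    observed = source_ports(SAMPLE_CAPTURE)
    print("capture:", observed, "randomized:", looks_randomized(observed))
    for retry in (0, 10):
        ports, fallbacks = simulate(retry, 200)
        print(f"RandomBindRetry={retry}: sequential_fraction="
              f"{sequential_fraction(ports):.2f} fallbacks={fallbacks}")
```

To use the check against a real gateway, capture outbound UDP/53 traffic on the external interface of ISA Server (for example with tcpdump or Network Monitor exported as text), feed the lines to source_ports, and confirm that looks_randomized returns True; if the ports still step up by one, the update is not installed or RandomBindRetry has been set to 0.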

References

For more information about this problem, visit the following Microsoft Web site:
http://blogs.technet.com/isablog/archive/2008/08/28/isa-tmg-nat-behavior-and-ms08-037.aspx
For more information about update 953230, click the following article number to view the article in the Microsoft Knowledge Base:
953230 MS08-037: Vulnerabilities in DNS could allow spoofing

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 956637 - Last Review: November 2, 2013 - Revision: 2.0
Applies to
  • Microsoft Internet Security and Acceleration Server 2000 Standard Edition
Keywords: 
kbnosurvey kbarchive atdownload kbexpertiseinter kbqfe KB956637
