DNS queries that pass through Forefront Threat Management Gateway NAT do not use random source ports

Article ID: 957298

SYMPTOMS

You are using Microsoft Forefront Threat Management Gateway (TMG), Medium Business Edition (MBE) as a network address translation (NAT) gateway. Internal clients send Domain Name System (DNS) queries across Forefront Threat Management Gateway. However, after you install security update 953230 (MS08-037) on a client, DNS queries that are passed through Forefront Threat Management Gateway NAT from that client do not use random source ports.

CAUSE

This problem occurs because NAT-based firewalls may change the source port that is used by an internal client.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
956190 DNS queries that are sent across a firewall do not use random source ports after you install security update 953230 (MS08-037)

RESOLUTION

To resolve this problem, follow these steps:
  1. Apply the following Forefront Threat Management Gateway update from the Microsoft Download Center:
    Update to Mitigate MS08-037 UDP Behavior Across NAT for Forefront Threat Management Gateway (TMG), Medium Business Edition (MBE)
    http://www.microsoft.com/downloads/details.aspx?FamilyId=E974422F-42B0-426C-8852-FF8E67264909
    Note After you install this update, Forefront Threat Management Gateway allocates a set of random User Datagram Protocol (UDP) ports and then selects a port from this set for use in new outgoing UDP sessions.
  2. Restart the computer.
Note The update installer notifies you that Threat Management Gateway services are running and must be restarted. You can safely ignore this notification and restart the computer after you apply the update.

WORKAROUND

To work around this problem, use the methods that are described in the following Microsoft Knowledge Base article:
956190 DNS queries that are sent across a firewall do not use random source ports after you install security update 953230 (MS08-037)

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

How to modify the size of the socket pool

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
After you install the update, you can modify the registry to configure the size of the socket pool that Threat Management Gateway builds on startup. To do this, follow these steps:
  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then right-click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Fweng\Parameters
  3. Point to New, and then click DWORD Value.
  4. Type ReservedPortThreshold.
  5. Double-click ReservedPortThreshold, and then set the size of the socket pool by typing a number in the Value data box.
  6. Restart the computer.
Note The value of the ReservedPortThreshold entry ranges from 1 through 1250. This value defines half the number of ports that will be allocated on startup and as required during operation. If this entry does not exist, Threat Management Gateway assumes that the value is 50. We recommend that you set this value to 1250. We do not recommend that you set this value to less than 1250 because that increases the predictability of source port usage within the pool.

To set this registry entry to 1250, type the following command at a command prompt:
reg add HKLM\SYSTEM\CurrentControlSet\Services\Fweng\Parameters /v ReservedPortThreshold /t REG_DWORD /d 1250 /f
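
The following Python script is an added example, not part of the Microsoft article: it encodes the ReservedPortThreshold semantics stated above (the value is half the pool, 1 through 1250, default 50) and runs a simple check over outbound DNS source ports captured in order on the external side of the gateway, to confirm that NAT is no longer serialising them after the update. The two capture lists are constructed sample data, and the 0.8 threshold for "sequential" is an assumed heuristic.

```python
import math
from collections import Counter

def pool_size(reserved_port_threshold):
    """UDP ports TMG allocates: the registry value is half the pool (per the article)."""
    if not 1 <= reserved_port_threshold <= 1250:
        raise ValueError("ReservedPortThreshold must be between 1 and 1250")
    return 2 * reserved_port_threshold

def pool_entropy_bits(reserved_port_threshold):
    """Bits of unpredictability per query if a port is drawn uniformly from the pool."""
    return math.log2(pool_size(reserved_port_threshold))

def assess_source_ports(ports):
    """Heuristics over outbound DNS source ports captured in order on the
    external side of the gateway.  'sequential' flags the pre-update pattern
    (each query leaves on the previous port plus one); 'entropy_bits' is the
    Shannon entropy of the observed distribution, an estimate of guessability."""
    if len(ports) < 2:
        raise ValueError("need at least two observed source ports")
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    sequential_share = sum(1 for d in deltas if d == 1) / len(deltas)
    counts = Counter(ports)
    n = len(ports)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return {
        "observations": n,
        "distinct_ports": len(counts),
        "sequential_share": round(sequential_share, 3),
        "sequential": sequential_share >= 0.8,  # assumed heuristic cut-off
        "entropy_bits": round(entropy, 3),
    }

# Constructed sample captures (not real data): the first mimics a NAT that
# rewrites every query to the next port, the second a randomising pool.
SERIALISED_CAPTURE = list(range(1024, 1044))
RANDOMISED_CAPTURE = [53921, 1187, 40233, 27010, 61555, 3344, 49876, 15201,
                      58002, 9410, 33790, 60117, 2255, 47263, 12890, 55038]

if __name__ == "__main__":
    for threshold in (50, 1250):
        print(f"ReservedPortThreshold={threshold}: {pool_size(threshold)} ports, "
              f"{pool_entropy_bits(threshold):.2f} bits")
    print("serialised:", assess_source_ports(SERIALISED_CAPTURE))
    print("randomised:", assess_source_ports(RANDOMISED_CAPTURE))
```

Feed assess_source_ports the UDP source ports of outbound port-53 packets from a capture taken on the external interface; a high sequential share after the update indicates the new pool is not in effect.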

How to disable this update

If you have problems after you install this update, you can disable the update. To do this, follow these steps:
  1. Save the following script as KB957298.vbs.
    '-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
    '
    '    This code is Copyright (c) 2008 Microsoft Corporation.  
    '
    '    All rights reserved.
    '
    '    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
    '    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
    '    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
    '    PARTICULAR PURPOSE.
    '
    '    IN NO EVENT SHALL MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS BE
    '    LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
    '    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
    '    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
    '    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
    '    OF THIS CODE OR INFORMATION.
    '
    '-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "BindRandomizationCount"
    Const SE_VPS_VALUE = 0
    
    Sub SetValue()
    
        ' Create the root object.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")
    
        ' Declare the other objects needed.
        Dim array       ' An FPCArray object
        Dim VendorSets  ' An FPCVendorParametersSets collection
        Dim VendorSet   ' An FPCVendorParametersSet object
    
        ' Get references to the array object
        ' and its vendor parameter sets collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets
    
        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    
        If Err.Number <> 0 Then
            Err.Clear
    
            ' Add the item
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name
    
        Else
            WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
        End If
    
        if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
    
            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
    
            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save false, true
                CheckError
    
                If Err.Number = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If
    
    End Sub
    
    Sub CheckError()
    
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
    
    End Sub
    
    SetValue
    
  2. Click Start, click Run, type cmd, and then click OK. At the command prompt, type the following command, and then press ENTER:
    cscript KB957298.vbs
  3. Restart the computer.

REFERENCES

For more information about this problem, visit the following Microsoft Web site:
http://blogs.technet.com/isablog/archive/2008/08/28/isa-tmg-nat-behavior-and-ms08-037.aspx
For more information about security update 953230, see the following Microsoft Knowledge Base article:
953230 MS08-037: Vulnerabilities in DNS could allow spoofing

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 957298 - Last Review: November 11, 2008 - Revision: 1.0
APPLIES TO
  • Microsoft Forefront Threat Management Gateway, Medium Business Edition
Keywords: kbexpertiseinter kbqfe KB957298
