This article has been archived. It is offered "as is" and will no longer be updated.
When you make a configuration change to the Microsoft Internet Security and Acceleration (ISA) Server 2004 firewall policy, active sessions are not affected. This behavior also affects traffic that is controlled by schedules. By design, only new sessions are impacted by the changes to the policy.
After a client initiates a request, ISA Server 2004 internally maintains an active state for the session that permits the response to return to the client. This active state also permits the client to send new requests. ISA Server removes the active state after the session is idle for one to two minutes. For example:
You use the Ping.exe utility to send a ping request from a client.
On the ISA Server computer, you apply a deny rule for Internet Control Message Protocol (ICMP) traffic. When you apply the rule, an active session on the firewall for the client that sent the ping request still exists.
If you immediately try to ping from the same client after you apply the deny rule, the ISA Server permits the ICMP traffic.
If you try to ping from a different client that is not in an active state, you experience the expected behavior. The ICMP traffic is not permitted.
Policy rules are applied immediately for new connections when you click Apply to save the changes and update the configuration. To make the changes apply to all existing connections, do either of the following:
Disconnect existing sessions using the session manager. To disconnect a session, start the ISA Server Management console, click Monitoring, click the Sessions tab in the middle pane, click the session that you want to disconnect, and then click Disconnect Session on the Tasks tab.
Restart the Microsoft Firewall service. To do this, start the ISA Server Management console, click Monitoring, click the Services tab in the middle pane, click Microsoft Firewall, click Stop Selected Service on the Tasks tab, and then click Start Selected Service on the Tasks tab.