Article ID: 923324 - View products that this article applies to.
You create many connectivity verifiers that use HTTP requests to verify connectivity in Microsoft Internet Security and Acceleration (ISA) Server 2004, in ISA Server 2006, in Forefront Threat Management Gateway, Medium Business Edition, or in Windows Essential Business Server 2008. After you do this, virtual memory allocations for the Microsoft Firewall service may increase by as much as 512 megabytes (MB) over time.
Generally, this behavior does not cause a problem in ISA Server 2004, in ISA Server 2006, in Forefront Threat Management Gateway, Medium Business Edition, or in Windows Essential Business Server. The number of firewall worker threads limits this increase in memory usage. However, this behavior can cause a problem on a computer that has lots of physical memory and that has a high memory cache setting for the Web Proxy component. On such a computer, this behavior could cause the failure of new memory allocations in ISA Server 2004, in ISA Server 2006, in Forefront Threat Management Gateway, Medium Business Edition, or in Windows Essential Business Server. Therefore, ISA Server 2004, ISA Server 2006, Forefront Threat Management Gateway, Medium Business Edition, or Windows Essential Business Server may be unable to process Web requests.
Note The memory for the Web Proxy cache is controlled by the Percentage of free memory to use for caching setting. For more information about memory that is used for caching in ISA Server 2004, click the following article number to view the article in the Microsoft Knowledge Base:
(https://support.microsoft.com/kb/837577/ )A clarification of the "Percentage of free memory to use for caching" option in ISA Server 2004
This problem occurs because the HTTP request connectivity verification process runs on the main firewall worker threads. For each new thread on which the connectivity verifier runs, the connectivity verifier initializes some data structures. Because the Microsoft Firewall service can use many threads to handle client computer requests, these HTTP request connectivity verifiers may cause an increase in virtual memory allocations for the Microsoft Firewall service process over time. If the Percentage of free memory to use for caching setting is set to a high value, these memory allocations could cause the Microsoft Firewall service to reach the 2 gigabyte (GB) address space limit for 32-bit operating systems. Therefore, new memory allocations will be unsuccessful.
To resolve this problem for ISA Server 2006, install the hotfix package that is mentioned in the following Microsoft Knowledge Base article:
937186To resolve this problem for ISA Server 2004, install the hotfix package that is mentioned in the following Microsoft Knowledge Base article:
(https://support.microsoft.com/kb/937186/ )Description of the ISA Server 2006 hotfix package that is dated May 14, 2007
923330After you install this hotfix, you must run the following script to enable the functionality that this hotfix provides. The script configures the Microsoft Firewall service so that it does not use the main firewall threads for the HTTP request connectivity verifiers. Additionally, this script causes the Microsoft Firewall service to create a new thread for each HTTP request connectivity verifier.
(https://support.microsoft.com/kb/923330/ )Description of the ISA Server 2004 hotfix package: July 27, 2006
Caution If you use hundreds of HTTP request connectivity verifiers, we recommend that you use the default ISA Server 2004 behavior to manage HTTP request connectivity verifiers. In this situation, we recommend that you follow the steps in the "Workaround" section to manually configure the percentage of RAM that you use for caching.
Enable the functionality that this hotfix providesMicrosoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.
To enable the functionality that this hotfix provides, run the following script:
Remove the functionality that this hotfix providesTo restore ISA Server 2004 to its default behavior, run the following script:
For TMG, you must use a different script. The VendorParameterSet used in ISA Server 2004 and ISA Server 2006 was replaced with an Array-level COM property named CreateThreadPerHttpVerifier. The script to be used for this change follows:
Save this script as "EnableThreadPerHttpVerifier.vbs" and run it on any firewall server in the array in a command window as cscript EnableThreadPerHttpVerifier.vbs.
To work around this problem, decrease the value that appears in the Percentage of free memory to use for caching setting to enable up to 512 MB of virtual memory allocations. The percentage setting for the Web Proxy cache should not exceed 1.2 GB of memory.
To calculate the percentage of RAM to set for caching, use the following formula:
Percentage of RAM for caching = 1.2 GB / Amount of physical RAM * 100For example, on a server that has 4 GB of RAM, this formula appears as follows:
Percentage of RAM for caching = 1.2 / 4 * 100Therefore, in this situation, you should use approximately 30 percent RAM for caching.
To view the Percentage of free memory to use for caching value, follow these steps.
ISA 2004 or for ISA 2006
Windows Essential Business Server or Forefront Threat Management Gateway, Medium Business Edition
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Article ID: 923324 - Last Review: December 4, 2007 - Revision: 2.5