An ISA Server 2004 or ISA Server 2006 downstream server does not reuse the TCP connections to a third-party upstream server

This article has been archived. It is offered "as is" and will no longer be updated.
SYMPTOMS
Consider the following scenario. A downstream server is running Microsoft Internet Security and Acceleration (ISA) Server 2004 or Microsoft Internet Security and Acceleration (ISA) Server 2006. This downstream server is chained to a third-party upstream server through Web-chaining configuration. In this scenario, ISA Server does not reuse the TCP connections that have been created to the upstream server. Instead, ISA Server closes each TCP connection after an HTTP response is received.

When the network is under a heavy load, this behavior may cause ISA Server to exhaust all available TCP ports.
CAUSE
Some third-party proxy servers send an HTTP response that includes both of the following headers:
  • Content-Length
  • Transfer-Encoding: Chunked
According to section 4.4 of the RFC 2616 specifications, these two headers are mutually exclusive, and they must not be used together. This HTTP response indicates a potential HTTP smuggling attack. Therefore, ISA Server processes the response by ignoring the Content-Length header. Then, ISA Server closes the TCP connection to avoid the potential attack.
RESOLUTION
RESOLUTION
To resolve this problem, obtain the latest ISA Server service pack.For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
954258 How to obtain the latest Internet Security and Acceleration (ISA) Server 2006 service pack
891024 How to obtain the latest ISA Server 2004 service pack
Important These steps may increase your security risk. These steps may also make the computer or the network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you decide to implement this process, take any appropriate additional steps to help protect the system. We recommend that you use this process only if you really require this process.
Warning After you follow the steps in this section, ISA Server 2004 will not close the TCP connections, even if both the Content-Length header and the "Transfer-Encoding: Chunked" header are present in the HTTP response. This resolution reduces the protection that is provided by ISA Server. Therefore, we do not recommend that you apply this change unless the upstream server provides protection against HTTP smuggling attacks.

To change the default ISA behavior, follow these steps:
  1. To resolve this problem, obtain the latest ISA Server service pack.For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    954258 How to obtain the latest Internet Security and Acceleration (ISA) Server 2006 service pack
    891024 How to obtain the latest ISA Server 2004 service pack
  2. Start Notepad.
  3. Copy the following code, and then paste it into Notepad:
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' Copyright (c) Microsoft Corporation. All rights reserved.' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS' HEREBY PERMITTED.''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''	''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' This script sets whether ISA will keep connections open after it receives an HTTP ' response that contains both a Content-Length header and a Transfer-Encoding: Chunked header.'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"Const SE_VPS_NAME = "EnableKb934022"Const SE_VPS_VALUE = trueSub SetValue()    ' Create the root object.    Dim root  ' The FPCLib.FPC root object    Set root = CreateObject("FPC.Root")    'Declare the other objects needed.    Dim array       ' An FPCArray object    Dim VendorSets  ' An FPCVendorParametersSets collection    Dim VendorSet   ' An FPCVendorParametersSet object    ' Get references to the array object    ' and to the network rules collection.    Set array = root.GetContainingArray    Set VendorSets = array.VendorParametersSets    On Error Resume Next    Set VendorSet = VendorSets.Item( SE_VPS_GUID )    If Err.Number <> 0 Then        Err.Clear        ' Add the item.        Set VendorSet = VendorSets.Add( SE_VPS_GUID )        CheckError        WScript.Echo "New VendorSet added... " & VendorSet.Name    Else        WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)    End If    if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then        Err.Clear        VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE        If Err.Number <> 0 Then            CheckError        Else            VendorSets.Save false, true            CheckError            If Err.Number = 0 Then                WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"            End If        End If    Else        WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"    End IfEnd SubSub CheckError()    If Err.Number <> 0 Then        WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description        Err.Clear    End IfEnd SubSetValue
  4. Save the text file as "Enable934022."
  5. Open a command prompt, switch to the location in which the script is saved, and then run the following command at the command prompt:
    cscript Enable934022.vbs
Note To revert to the default setting, edit the script by changing "Const SE_VPS_VALUE = true" to "Const SE_VPS_VALUE = false." Save the script, and then run it again.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
MORE INFORMATION
For more information about how to install ISA Server hotfixes and updates, click the following article number to view the article in the Microsoft Knowledge Base:
885957 How to install ISA Server hotfixes and updates
Properties

Article ID: 934022 - Last Review: 01/15/2015 09:28:21 - Revision: 2.0

  • Microsoft Internet Security and Acceleration Server 2004 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • kbnosurvey kbarchive kbtshoot kbexpertiseinter kbprb KB934022
Feedback