
DNS queries that are passed through the ISA Server 2006 NAT do not use random source ports

SYMPTOMS
You use Microsoft Internet Security and Acceleration (ISA) Server 2006 as a network address translation (NAT) gateway, and an internal client sends Domain Name System (DNS) queries across ISA Server 2006. However, after you install security update 953230 (MS08-037) on the client, DNS queries that are passed through the ISA Server 2006 NAT do not use random source ports.
CAUSE
This problem occurs because NAT-based firewalls may change the source port that is used by an internal client. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
956190 DNS queries that are sent across a firewall do not use random source ports after you install security update 953230 (MS08-037)
RESOLUTION
To resolve this problem, follow these steps:
  1. Apply the ISA Server 2006 update that is available from Microsoft Download Center:
     Note After you install this update, ISA Server allocates a set of random UDP ports, and then ISA Server selects a port from this set for use in new outgoing UDP sessions.
  2. Restart the computer that is running ISA Server.
WORKAROUND
To work around this problem, use the methods that are mentioned in the following KB article:
956190 DNS queries that are sent across a firewall do not use random source ports after you install security update 953230 (MS08-037)
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
MORE INFORMATION

How to modify the size of the socket pool

After you install the update, you can modify the registry to configure the size of the socket pool that ISA Server builds on startup.

Fix it for me

To increase the size of the socket pool automatically, click the Fix this problem link. Then, click Run in the File Download dialog box and follow the steps in this wizard.


Note This wizard may be in English only; however, the automatic fix also works for other language versions of Windows.

Note If you are not on the computer that has the problem, you can save this automatic fix to a flash drive or to a CD so that you can run it on the computer that has the problem.


Let me fix it myself

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To increase the size of the socket pool yourself, follow these steps:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then right-click the following registry key:
    HKLM\System\CurrentControlSet\Services\Fweng\Parameters
  3. Point to New, and then click DWORD Value.
  4. Type ReservedPortThreshold.
  5. Double-click ReservedPortThreshold, and then type a number in the Value data box to set the size of the socket pool.
  6. Restart the computer that is running ISA Server.
Note The value of the ReservedPortThreshold entry ranges from 1 to 1250. This value defines 1/2 the number of ports that will be allocated on startup and as required during operation. If this entry does not exist, ISA Server assumes that the value is 50. Changing this value to less than 1250 increases the predictability of source port usage within the pool and is not recommended.

To set this registry entry to a recommended value, at a command prompt, run the following command:
reg add HKLM\SYSTEM\CurrentControlSet\Services\Fweng\Parameters /v ReservedPortThreshold /t REG_DWORD /d 1250 /f
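
To confirm the effect of the update and of ReservedPortThreshold, capture DNS queries on the external side of the ISA Server NAT and examine their UDP source ports. The Python check below is an added example, not code from the Microsoft article. The function names, the 0.8 cut-off, the "sequential" heuristic and both sample port lists are assumptions constructed for illustration; the pool size follows the Note above (twice ReservedPortThreshold, default 50).

```python
import math
from collections import Counter

# Constructed samples: source ports in capture order, as seen outside the NAT.
SEQUENTIAL_SAMPLE = list(range(5000, 5012))
RANDOM_SAMPLE = [51234, 49877, 60412, 50003, 58119, 49877,
                 62750, 53391, 50003, 61008, 55526, 57240]

def pool_size(reserved_port_threshold=50):
    """Ports allocated at startup: the registry entry is 1/2 of that number.
    50 is the value the article says is assumed when the entry is absent."""
    if not 1 <= reserved_port_threshold <= 1250:
        raise ValueError("ReservedPortThreshold ranges from 1 to 1250")
    return 2 * reserved_port_threshold

def assess_ports(ports, reserved_port_threshold=50):
    """Summarize how predictable a run of observed source ports is."""
    if len(ports) < 2:
        raise ValueError("need at least two observations")
    steps = [b - a for a, b in zip(ports, ports[1:])]
    # Assumed heuristic: a port that advances by 1 or 2 per query indicates
    # in-order assignment rather than selection from a random pool.
    sequential = sum(1 for s in steps if 0 < s <= 2) / len(steps)
    counts = Counter(ports)
    n = len(ports)
    # Shannon entropy of the observed port distribution, in bits.
    observed = -sum(c / n * math.log2(c / n) for c in counts.values())
    return {
        "distinct": len(counts),
        "sequential_ratio": round(sequential, 2),
        "observed_entropy_bits": round(observed, 2),
        # Upper bound on source-port entropy offered by the startup pool.
        "pool_entropy_bits": round(math.log2(pool_size(reserved_port_threshold)), 2),
        "looks_sequential": sequential >= 0.8,
    }

if __name__ == "__main__":
    for name, sample in (("sequential", SEQUENTIAL_SAMPLE),
                         ("randomized", RANDOM_SAMPLE)):
        print(name, assess_ports(sample, reserved_port_threshold=1250))
```

With the default value of 50 the startup pool offers about 6.64 bits of source-port entropy; with 1250 it offers about 11.29 bits, which is why the article recommends the maximum.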

How to disable this update

If you encounter problems after you install this update, you can disable this update.

Fix it for me

To disable this update automatically, click the Fix this problem link. Then, click Run in the File Download dialog box and follow the steps in this wizard.


Note This wizard may be in English only; however, the automatic fix also works for other language versions of Windows.

Note If you are not on the computer that has the problem, you can save this automatic fix to a flash drive or to a CD so that you can run it on the computer that has the problem.


Let me fix it myself

To disable this update yourself, follow these steps:
  1. Save the following script as KB956570.vbs.
    '-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
    '
    '    This code is Copyright (c) 2008 Microsoft Corporation.
    '
    '    All rights reserved.
    '
    '    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
    '    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
    '    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
    '    PARTICULAR PURPOSE.
    '
    '    IN NO EVENT SHALL MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS BE
    '    LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
    '    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
    '    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
    '    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
    '    OF THIS CODE OR INFORMATION.
    '
    '-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "BindRandomizationCount"
    Const SE_VPS_VALUE = 0

    Sub SetValue()
        ' Create the root object.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")

        ' Declare the other objects needed.
        Dim array       ' An FPCArray object
        Dim VendorSets  ' An FPCVendorParametersSets collection
        Dim VendorSet   ' An FPCVendorParametersSet object

        ' Get references to the array object
        ' and the vendor parameters sets collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets

        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )
        If Err.Number <> 0 Then
            Err.Clear
            ' Add the item
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name
        Else
            WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
        End If

        If VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save false, true
                CheckError
                If Err.Number = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If
    End Sub

    Sub CheckError()
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
    End Sub

    SetValue
  2. Click Start, click Run, type cmd, and then click OK.
  3. At the command prompt, type the following command, and then press ENTER:
    cscript KB956570.vbs
  4. Restart the computer that is running ISA Server.
REFERENCES
For more information about this problem, visit the following Microsoft Web site:
For more information about the MS08-037 update, click the following article number to view the article in the Microsoft Knowledge Base:
953230 MS08-037: Vulnerabilities in DNS could allow spoofing
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates
Properties

Article ID: 956570 - Last Review: 09/09/2010 20:44:00 - Revision: 2.0

  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2006 Standard Edition