Cannot connect to a service from a particular client computer in ISA Server 2004, in ISA Server 2006, or in Forefront Threat Management Gateway

Symptoms

A program that is running on a client computer may not be able to connect to a service through Microsoft Internet Security and Acceleration (ISA) Server 2004, ISA Server 2006, or Microsoft Forefront Threat Management Gateway, Medium Business Edition. In this scenario, the client program may crash or may stop responding (hang). Additionally, the following event may be logged in the Application log in Event Viewer on the ISA Server computer:
For Forefront Threat Management Gateway, Medium Business Edition, the following event may be logged:

Cause

This behavior may occur if the computer that the client program is running on has exceeded the number of concurrent connections that ISA Server 2004, ISA Server 2006, and Forefront Threat Management Gateway, Medium Business Edition, allows. ISA Server 2004, ISA Server 2006, and Forefront Threat Management Gateway, Medium Business Edition, implements a connection limit (also known as a quota) mechanism. By default, the number of concurrent connections is limited to 160 for each client computer (IP Address). If a client computer reaches this connection limit, ISA Server 2004, ISA Server 2006, and Forefront Threat Management Gateway, Medium Business Edition, implements one of the following connection limit mechanisms:
  • For User Datagram Protocol (UDP) connections, if a client program reaches this connection limit, any additional UDP connections cause a previous UDP connection to be dropped.
  • For Transmission Control Protocol (TCP) connections, if a client program reaches this connection limit, no additional connections are permitted.
This functionality is included in ISA Server 2004, in ISA Server 2006, and in Forefront Threat Management Gateway, Medium Business Edition, to help prevent one particular computer from overloading the ISA Server or Forefront Threat Management Gateway, Medium Business Edition computer with connections.

Resolution

For information about setting connection limits and about how to troubleshoot this issue, visit the following Microsoft Web site:
Deployment Recommendations for Connection Limits in ISA Server 2004
http://technet.microsoft.com/en-us/library/cc302445.aspx
For more information about connection limits on Microsoft Forefront Threat Management Gateway, Medium Business Edition, visit the following Microsoft Web Site:

More Information

This behavior occurs on SecureNAT clients and on Microsoft Firewall clients (Web proxy clients appear as SecureNAT client TCP connections to ISA in this respect). This behavior is particularly noticeable if you use a perimeter network (also known as a DMZ, a demilitarized zone, and a screened subnet) with back-to-back ISA Server computers.

If you run your ISA Server computers back-to-back to create a perimeter network, you are more likely to experience this behavior. The internal ISA Server computer translates all the internal clients by using the NAT protocol. The frames are sent to the external ISA Server computer, and this computer uses the NAT protocol to translate all the internal clients again. To the external ISA Server computer, all the connections look similar to one client. The connections use the perimeter network IP address of the internal ISA Server computer. Therefore, to the external ISA Server computer, 40 internal clients look similar to 1 client that has 40 different connections.
Propriedades

ID do Artigo: 838706 - Última Revisão: 10 de dez de 2008 - Revisão: 1

Comentários